Edit tour

Windows Analysis Report
5yTEUojIn0.exe

Overview

General Information

Sample name:	5yTEUojIn0.exe renamed because original name is a hash value
Original sample name:	562d1237cff600c083ccafa09d3ce40d.exe
Analysis ID:	1553459
MD5:	562d1237cff600c083ccafa09d3ce40d
SHA1:	45cd37f39fe3f906f593a7cc2ba9d55e0d33a04e
SHA256:	1b1ef9723eb894aae6e3759a352eff67be3057d6619dabc32e4914ca658ac85a
Tags:	exeuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Machine Learning detection for sample

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

5yTEUojIn0.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\5yTEUojIn0.exe" MD5: 562D1237CFF600C083CCAFA09D3CE40D)

WerFault.exe (PID: 7840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1020:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.1370478954.0000000002D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 5yTEUojIn0.exe PID: 7408	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 5yTEUojIn0.exe PID: 7408	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.5yTEUojIn0.exe.2d00e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.5yTEUojIn0.exe.2d00e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.5yTEUojIn0.exe.2d40000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.5yTEUojIn0.exe.2d40000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.5yTEUojIn0.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.5yTEUojIn0.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T09:01:18.387196+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.8	49707	TCP
2024-11-11T09:01:55.787415+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.8	49714	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.83.175.91/r	Avira URL Cloud: Label: malware
Source: http://77.83.175.91/X	Avira URL Cloud: Label: malware
Source: http://77.83.175.91/o	Avira URL Cloud: Label: malware
Source: http://77.83.175.91/7	Avira URL Cloud: Label: malware
Source: http://77.83.175.91	Avira URL Cloud: Label: malware
Source: http://77.83.175.91/	Avira URL Cloud: Label: malware
Source: http://77.83.175.91/C	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 5yTEUojIn0.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 5yTEUojIn0.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_00404C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	0_2_00404C50
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_004060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	0_2_004060D0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_004240B0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_004240B0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_00407750 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407750
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_00409B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409B20
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_00409B80 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409B80
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D04EB7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	0_2_02D04EB7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D16BC7 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	0_2_02D16BC7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D24317 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_02D24317
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D06337 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	0_2_02D06337
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0EC97 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	0_2_02D0EC97
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D16DE0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	0_2_02D16DE0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D09DE7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_02D09DE7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D09D87 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_02D09D87
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D079B7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_02D079B7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Unpacked PE file: 0.2.5yTEUojIn0.exe.400000.0.unpack

Source: 5yTEUojIn0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1CE47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D1CE47
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0DE00 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D0DE00
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1D797 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D1D797
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1DF97 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	0_2_02D1DF97
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D13B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D13B77
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D11B07 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D11B07
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D114D0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D114D0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D114B7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D114B7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1E477 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D1E477
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0DDE7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D0DDE7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D14D90 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_02D14D90
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D14D77 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D14D77
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D01907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D01907
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D01920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_02D01920

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 77.83.175.91Connection: Keep-AliveCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49714
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49707

Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.91
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.91
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.91
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.91
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.91

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00406C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,

0_2_00406C40

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 77.83.175.91Connection: Keep-AliveCache-Control: no-cache

Source: 5yTEUojIn0.exe, 00000000.00000002.1651941962.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp, 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/7
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/C
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/X
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/o
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91/r
Source: 5yTEUojIn0.exe, 00000000.00000002.1651941962.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.91=-
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00409770 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00409770

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_02D24B17

0_2_02D24B17

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: String function: 00404A60 appears 317 times

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1304

Source: 5yTEUojIn0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: 5yTEUojIn0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_004246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

0_2_004246A0

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_02D1CD47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_02D1CD47

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7408

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2898db87-0e25-4359-b326-48c5dc1cf284

Jump to behavior

Source: 5yTEUojIn0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5yTEUojIn0.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\5yTEUojIn0.exe "C:\Users\user\Desktop\5yTEUojIn0.exe"
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1304

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Unpacked PE file: 0.2.5yTEUojIn0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.wizave:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Unpacked PE file: 0.2.5yTEUojIn0.exe.400000.0.unpack

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_004266E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004266E0

Source: 5yTEUojIn0.exe

Static PE information: section name: .wizave

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_0040E281 push 8BFFFFFFh; ret	0_2_0040E286
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D27AFC push ecx; ret	0_2_02D27B0F
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02DFCE8B pushad ; iretd	0_2_02DFCE8C
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02DFAD88 push ebx; ret	0_2_02DFAE06
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02DFBDA4 push 00000032h; retf	0_2_02DFBDA6

Source: 5yTEUojIn0.exe

Static PE information: section name: .text entropy: 7.105156439121909

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

0_2_004266E0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-29736

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

API coverage: 3.0 %

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1CE47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D1CE47
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0DE00 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D0DE00
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1D797 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D1D797
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1DF97 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	0_2_02D1DF97
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D13B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D13B77
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D11B07 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D11B07
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D114D0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D114D0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D114B7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D114B7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D1E477 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D1E477
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0DDE7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D0DDE7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D14D90 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_02D14D90
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D14D77 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_02D14D77
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D01907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_02D01907
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D01920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_02D01920

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00421BF0 EntryPoint,GetSystemInfo,GetUserDefaultLangID,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,OpenEventA,CreateEventA,

0_2_00421BF0

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E6D000.00000004.00000020.00020000.00000000.sdmp, 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareIm
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	API call chain: ExitProcess graph end node	graph_0-30911
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	API call chain: ExitProcess graph end node	graph_0-30919
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	API call chain: ExitProcess graph end node	graph_0-30932

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_02D27E01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_02D27E01

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00404A60 VirtualProtect 00000000,00000004,00000100,?

0_2_00404A60

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

0_2_004266E0

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_00426390 mov eax, dword ptr fs:[00000030h]	0_2_00426390
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D265F7 mov eax, dword ptr fs:[00000030h]	0_2_02D265F7
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D00D90 mov eax, dword ptr fs:[00000030h]	0_2_02D00D90
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D0092B mov eax, dword ptr fs:[00000030h]	0_2_02D0092B
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02DF992B push dword ptr fs:[00000030h]	0_2_02DF992B

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00405640 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,memcpy,InternetReadFile,KiUserExceptionDispatcher,InternetCloseHandle,InternetCloseHandle,

0_2_00405640

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D27E01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02D27E01
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D2781F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02D2781F
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D299E0 SetUnhandledExceptionFilter,	0_2_02D299E0

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 5yTEUojIn0.exe PID: 7408, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_004246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	0_2_004246A0
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D24877 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	0_2_02D24877
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Code function: 0_2_02D24907 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	0_2_02D24907

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_02D22FC7

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\5yTEUojIn0.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00423E70 lstrcpy,lstrcpy,GetSystemTime,

0_2_00423E70

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_00422A40 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00422A40

Source: C:\Users\user\Desktop\5yTEUojIn0.exe

Code function: 0_2_02D22E77 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_02D22E77

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.5yTEUojIn0.exe.2d00e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.2d00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.5yTEUojIn0.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.5yTEUojIn0.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1370478954.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5yTEUojIn0.exe PID: 7408, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.5yTEUojIn0.exe.2d00e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.2d00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.5yTEUojIn0.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.5yTEUojIn0.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5yTEUojIn0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1370478954.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5yTEUojIn0.exe PID: 7408, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Create Account	11 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5yTEUojIn0.exe	61%	ReversingLabs	Win32.Spyware.Stealc
5yTEUojIn0.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://77.83.175.91=-	0%	Avira URL Cloud	safe
http://77.83.175.91/r	100%	Avira URL Cloud	malware
http://77.83.175.91/X	100%	Avira URL Cloud	malware
http://77.83.175.91/o	100%	Avira URL Cloud	malware
http://77.83.175.91/7	100%	Avira URL Cloud	malware
http://77.83.175.91	100%	Avira URL Cloud	malware
http://77.83.175.91/	100%	Avira URL Cloud	malware
http://77.83.175.91/C	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://77.83.175.91/	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.83.175.91/o	5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.83.175.91=-	5yTEUojIn0.exe, 00000000.00000002.1651941962.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://77.83.175.91	5yTEUojIn0.exe, 00000000.00000002.1651941962.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.83.175.91/X	5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.83.175.91/7	5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.83.175.91/r	5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.83.175.91/C	5yTEUojIn0.exe, 00000000.00000002.1652011112.0000000002E59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.83.175.91	unknown	Ukraine		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553459
Start date and time:	2024-11-11 09:00:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5yTEUojIn0.exe renamed because original name is a hash value
Original Sample Name:	562d1237cff600c083ccafa09d3ce40d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 24 Number of non-executed functions: 174
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 5yTEUojIn0.exe

Simulations

Behavior and APIs

Time	Type	Description
03:01:29	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.83.175.91	Vl9Yz1UB1a.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.91/69d96d770568584a.php
	PtGMWtcZF0.exe	Get hash	malicious	Stealc	Browse	77.83.175.91/69d96d770568584a.php
	yjNy22UmmY.exe	Get hash	malicious	Stealc	Browse	77.83.175.91/69d96d770568584a.php
	g8Z5OO8o6p.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.91/69d96d770568584a.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	DihoyYp8ie.exe	Get hash	malicious	Stealc, Vidar	Browse	45.88.76.207
	Vl9Yz1UB1a.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.91
	PtGMWtcZF0.exe	Get hash	malicious	Stealc	Browse	77.83.175.91
	yjNy22UmmY.exe	Get hash	malicious	Stealc	Browse	77.83.175.91
	g8Z5OO8o6p.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.91
	pUxjpMo3jy.exe	Get hash	malicious	Stealc	Browse	77.220.212.32
	hmCj47OtqK.exe	Get hash	malicious	Stealc	Browse	77.220.212.32
	G5SNsomm2h.exe	Get hash	malicious	Stealc	Browse	77.220.212.32
	uXLmpbLJnV.exe	Get hash	malicious	Stealc	Browse	77.220.212.32
	HrxOpVxK5d.exe	Get hash	malicious	Stealc, Vidar	Browse	77.220.212.32

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5yTEUojIn0.exe_218059f64b8ee559322c2d8a673d01e4d47cb61_b3b022df_521023f3-7559-411f-8d6c-0ec1fbcda460\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9633354511054021
Encrypted:	false
SSDEEP:	192:Co115QZ0+l1jjucZrP2izuiFJZ24IO8+:B115Q6+l1jjNFzuiFJY4IO8+
MD5:	5070DA895CFEE2B26746F5EE555B363E
SHA1:	8AB7AF9655F34E3AF0B111637B26CE2B5C807C88
SHA-256:	DB70A8F023C82693861396354234825B31301FC8B69B34A272F4A4671836CAA0
SHA-512:	9EFD04EA7C13666BA7E30EA242F1452AB7FB1ACCFEF31C3E761934F7C901069DB2815865EAA593349C789CDF26B96CDFEBA0CF6905941A125A53ED361A4D17D4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.8.4.6.0.5.7.3.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.7.8.5.6.8.5.1.0.5.7.3.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.1.0.2.3.f.3.-.7.5.5.9.-.4.1.1.f.-.8.d.6.c.-.0.e.c.1.f.b.c.d.a.4.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.e.2.d.6.9.7.-.c.9.0.e.-.4.8.6.1.-.a.0.0.e.-.2.8.2.9.c.b.e.5.6.8.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.y.T.E.U.o.j.I.n.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.0.-.0.0.0.1.-.0.0.1.4.-.9.5.a.1.-.8.c.d.8.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.5.0.0.2.b.5.b.6.6.7.7.e.7.2.3.f.e.b.3.f.b.9.f.5.6.7.0.5.6.b.5.0.0.0.0.5.6.0.2.!.0.0.0.0.4.5.c.d.3.7.f.3.9.f.e.3.f.9.0.6.f.5.9.3.a.7.c.c.2.b.a.9.d.5.5.e.0.d.3.3.a.0.4.e.!.5.y.T.E.U.o.j.I.n.0...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86CB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Nov 11 08:01:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	107074
Entropy (8bit):	1.7321864234327309
Encrypted:	false
SSDEEP:	384:FiCoxJTGKGMIEWJ07MoDPsXk8oogZOmbM7MBDDq5cytFpvP14FT6/:FUZGKGMIEWJ0fPWovOYM7aDDqFpWl6/
MD5:	4A8FAFCD8016308074545D3F751B0F61
SHA1:	1D0FB849643032EC0C617C16103B4A91AA7306C3
SHA-256:	2A32CCE9B750E3BB59E3F88D4C3A0E3AF03FDA8E94BEF729CE38D04830E7B2BE
SHA-512:	338FDE1D5E49C95774C7989DE5448B233E482C361BB4C9662D0B1535E3C267BCACE462DC158EE8AAAE94BB31DF2B03198695044CD1FA7462A3A1B6CBE0A55FF6
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........1g.........................................B..........T.......8...........T............2..jo..........D...........0 ..............................................................................eJ....... ......GenuineIntel............T.............1g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87C6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.69537542355749
Encrypted:	false
SSDEEP:	192:R6l7wVeJIG6VJT6YSiSU9DP8gmfjqpDM89b5zsfz/zm:R6lXJR6H6YHSU9DP8gmfju5YfzC
MD5:	0DF9389007B03CD11D7FA6FF1A62BA2F
SHA1:	49259141ED15BBC74A23A08EE146738BAF8EAB57
SHA-256:	6A1501E3098AA06FA82893ED6258048F7C32220C55DCFDD7BF0669DFC510A5A7
SHA-512:	E037F2672121B687F074A28701EF516B60BD1C5AFF114FC4DC306261FAF628932DF6218350EA13BA20FC7F65128391DD077EAD458145ABC9B64A9AA8FD40A33C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87F6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4585
Entropy (8bit):	4.46844242205174
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg77aI996WpW8VYqYm8M4JWb2KLeFdV+q8GKk61lA2Agd:uIjf5I7D77VmJDV41q1gd
MD5:	42642CB4D4D8C1832DA38D1064B69725
SHA1:	BDBBFEDE18D76FFDFCC0E24BB84583FBEFC48199
SHA-256:	D0A5AF7F9D0764F4314B6EF5595540565ABD5AC2841619A711161E40CD31CF23
SHA-512:	92DACB6AF556A8DF0E5C12FDED801FCF721E311939467D9AD94BA392C042EF8F5FD94CE7B914EC376DBA81DC03B094C1B42B843A2DB96269B37FB57AF40D08A1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583144" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372073344563047
Encrypted:	false
SSDEEP:	6144:lFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNsiL:DV1QyWWI/glMM6kF7aq
MD5:	885E05220F305D4D132F021F6EC42FE2
SHA1:	E0F84B9A8F3A7375BDE7B0B8D8F99A385D8F7E71
SHA-256:	AC42F4372311CCEC1AAA28D013F575C89B70B4645B3ECE9E22034647E73E62F9
SHA-512:	BABEDCF7EFD3C456EFA181C9B425A5E5413C8C55535CF93E4A9B68ADF979A5A01113AC2C8982A8C8F618DD9DD51B0C1C0396E078CCB63BFC3D1B38853B64BCDC
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..+..4...............................................................................................................................................................................................................................................................................................................................................x<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.62632670883963
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5yTEUojIn0.exe
File size:	392'704 bytes
MD5:	562d1237cff600c083ccafa09d3ce40d
SHA1:	45cd37f39fe3f906f593a7cc2ba9d55e0d33a04e
SHA256:	1b1ef9723eb894aae6e3759a352eff67be3057d6619dabc32e4914ca658ac85a
SHA512:	009a28408002d7003a0b481c6b2e2de383888ed15ed1313a08f23f6b9ed4c80cc7f900df8684a81e15ce1353ed570403ce2128fff27982abd046800b41c6d2d1
SSDEEP:	6144:EKGyx8r7ZVgqTE3DMcRYo0NCutNPYW5fW:Esmr7tAzg0utNPH
TLSH:	FB847C4266FD2FA2F6FF4A3D4E3FB2D8262FB5625D28725D1210161F09702E1D5A270B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........P...P...P...N.E.p...N.T.D...N.B.<...wh..Y...P...*...N.K.Q...N.U.Q...N.P.Q...RichP...........................PE..L...P%.d...

File Icon


Icon Hash:	738733b183a38be4

Static PE Info

General

Entrypoint:	0x40186e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64B72550 [Tue Jul 18 23:50:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9a11732a2e741d4d1a9f61b29552bab4

Entrypoint Preview

Instruction
call 00007F7664E64DCDh
jmp 00007F7664E60F0Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004378D0h], eax
mov dword ptr [004378CCh], ecx
mov dword ptr [004378C8h], edx
mov dword ptr [004378C4h], ebx
mov dword ptr [004378C0h], esi
mov dword ptr [004378BCh], edi
mov word ptr [004378E8h], ss
mov word ptr [004378DCh], cs
mov word ptr [004378B8h], ds
mov word ptr [004378B4h], es
mov word ptr [004378B0h], fs
mov word ptr [004378ACh], gs
pushfd
pop dword ptr [004378E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004378D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004378D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004378E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00437820h], 00010001h
mov eax, dword ptr [004378D8h]
mov dword ptr [004377D4h], eax
mov dword ptr [004377C8h], C0000409h
mov dword ptr [004377CCh], 00000001h
mov eax, dword ptr [00436008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0043600Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3496c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2747000	0x16848	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x275e000	0xa14	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x1b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31dcc	0x31e00	fa14f267fec25c984ba711f7a0151db1	False	0.7432546209273183	data	7.105156439121909	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0x2358	0x2400	ce343ef253f9aaf3c05f18a7927ef238	False	0.3684895833333333	data	5.513493888048459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x270f49c	0xea00	c6e095109377f7790d0b44296379891b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wizave	0x2746000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2747000	0x16848	0x16a00	fcc12cb74dec79a6c9fd3bd045313944	False	0.3881323377071823	data	4.7118462020383935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x275e000	0x5eb0	0x6000	f4fd100afa7c897fe6f68c9b0b846791	False	0.09488932291666667	data	1.1387041590142817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2747870	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Peru	0.32062899786780386
RT_ICON	0x2748718	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Peru	0.506768953068592
RT_ICON	0x2748fc0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Peru	0.5362903225806451
RT_ICON	0x2749688	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Peru	0.5802023121387283
RT_ICON	0x2749bf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Peru	0.4220954356846473
RT_ICON	0x274c198	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Peru	0.49836065573770494
RT_ICON	0x274cb20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Peru	0.5035460992907801
RT_ICON	0x274cff0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Peru	0.38326226012793174
RT_ICON	0x274de98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Peru	0.5302346570397112
RT_ICON	0x274e740	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Peru	0.6013824884792627
RT_ICON	0x274ee08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Peru	0.6307803468208093
RT_ICON	0x274f370	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Peru	0.38860225140712945
RT_ICON	0x2750418	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Peru	0.3823770491803279
RT_ICON	0x2750da0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Peru	0.42907801418439717
RT_ICON	0x2751270	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Peru	0.279317697228145
RT_ICON	0x2752118	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Peru	0.37364620938628157
RT_ICON	0x27529c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Peru	0.375
RT_ICON	0x2753088	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Peru	0.37283236994219654
RT_ICON	0x27535f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Peru	0.2587136929460581
RT_ICON	0x2755b98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Peru	0.2767354596622889
RT_ICON	0x2756c40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Peru	0.2872950819672131
RT_ICON	0x27575c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Peru	0.3280141843971631
RT_STRING	0x2757c68	0x408	data			0.47674418604651164
RT_STRING	0x2758070	0x57a	data			0.43865905848787445
RT_STRING	0x27585f0	0x45c	data			0.44265232974910396
RT_STRING	0x2758a50	0x760	data			0.4231991525423729
RT_STRING	0x27591b0	0x6a6	data			0.4236192714453584
RT_STRING	0x2759858	0x6e4	data			0.43197278911564624
RT_STRING	0x2759f40	0x818	data			0.4136100386100386
RT_STRING	0x275a758	0x726	data			0.4262295081967213
RT_STRING	0x275ae80	0x826	data			0.4204218600191755
RT_STRING	0x275b6a8	0x6ec	data			0.42945823927765236
RT_STRING	0x275bd98	0x6ce	data			0.42824339839265213
RT_STRING	0x275c468	0x796	data			0.4258496395468589
RT_STRING	0x275cc00	0x6de	data			0.4300341296928328
RT_STRING	0x275d2e0	0x46a	data			0.45132743362831856
RT_STRING	0x275d750	0xf2	data			0.5330578512396694
RT_ACCELERATOR	0x2757aa8	0x20	data			1.15625
RT_GROUP_ICON	0x274cf88	0x68	data	Spanish	Peru	0.7115384615384616
RT_GROUP_ICON	0x2757a30	0x76	data	Spanish	Peru	0.6779661016949152
RT_GROUP_ICON	0x2751208	0x68	data	Spanish	Peru	0.7115384615384616
RT_VERSION	0x2757ac8	0x1a0	data			0.5865384615384616

Imports

DLL	Import
KERNEL32.dll	SetDefaultCommConfigW, GetEnvironmentStringsW, InterlockedCompareExchange, GetModuleHandleW, GetTickCount, GetConsoleAliasesA, GlobalAlloc, LoadLibraryW, GetLocaleInfoW, GetSystemWindowsDirectoryA, GetConsoleAliasExesLengthW, GetStringTypeExW, GetTimeFormatW, GetConsoleAliasW, MulDiv, WriteConsoleW, GetConsoleFontSize, GetVolumePathNameA, GetStartupInfoW, DisconnectNamedPipe, InterlockedExchange, GetStdHandle, MoveFileExA, GetProcAddress, SetFileAttributesA, OpenWaitableTimerA, UnhandledExceptionFilter, MoveFileA, GetProfileStringA, SetThreadIdealProcessor, GlobalHandle, GetModuleFileNameA, GetProcessAffinityMask, BuildCommDCBA, GetShortPathNameW, FindAtomW, FileTimeToLocalFileTime, OpenFileMappingA, GlobalReAlloc, GetLogicalDriveStringsA, WriteConsoleOutputCharacterW, CreateFileA, SetStdHandle, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, GetLastError, WriteFile, DeleteCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, CloseHandle, WriteConsoleA, GetConsoleOutputCP, SetFilePointer, GetModuleHandleA
USER32.dll	GetClassLongW, GetMonitorInfoW
GDI32.dll	GetBoundsRect

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Peru

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T09:01:18.387196+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.8	49707	TCP
2024-11-11T09:01:55.787415+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.8	49714	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 09:01:03.315681934 CET	49706	80	192.168.2.8	77.83.175.91
Nov 11, 2024 09:01:03.320822001 CET	80	49706	77.83.175.91	192.168.2.8
Nov 11, 2024 09:01:03.320899963 CET	49706	80	192.168.2.8	77.83.175.91
Nov 11, 2024 09:01:03.321024895 CET	49706	80	192.168.2.8	77.83.175.91
Nov 11, 2024 09:01:03.326056957 CET	80	49706	77.83.175.91	192.168.2.8
Nov 11, 2024 09:01:11.660206079 CET	80	49706	77.83.175.91	192.168.2.8
Nov 11, 2024 09:01:11.660305023 CET	49706	80	192.168.2.8	77.83.175.91
Nov 11, 2024 09:01:11.662606001 CET	49706	80	192.168.2.8	77.83.175.91
Nov 11, 2024 09:01:11.667597055 CET	80	49706	77.83.175.91	192.168.2.8

HTTP Request Dependency Graph

77.83.175.91

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	77.83.175.91	80	7408	C:\Users\user\Desktop\5yTEUojIn0.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 09:01:03.321024895 CET	87	OUT	GET / HTTP/1.1 Host: 77.83.175.91 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	03:00:59
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\5yTEUojIn0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5yTEUojIn0.exe"
Imagebase:	0x400000
File size:	392'704 bytes
MD5 hash:	562D1237CFF600C083CCAFA09D3CE40D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1370478954.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1652011112.0000000002E17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:01:24
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1304
Imagebase:	0x950000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	2.2%
Signature Coverage:	15.9%
Total number of Nodes:	1273
Total number of Limit Nodes:	43

Executed Functions

Function 004266E0 Relevance: 214.2, APIs: 115, Strings: 7, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,02DF2860), ref: 004266F5
GetProcAddress.KERNEL32(75550000,02DF2580), ref: 0042670D
GetProcAddress.KERNEL32(75550000,02E17328), ref: 00426726
GetProcAddress.KERNEL32(75550000,02E17340), ref: 0042673E
GetProcAddress.KERNEL32(75550000,02E17388), ref: 00426756
GetProcAddress.KERNEL32(75550000,02E17310), ref: 0042676F
GetProcAddress.KERNEL32(75550000,02E19B30), ref: 00426787
GetProcAddress.KERNEL32(75550000,02E173B8), ref: 0042679F
GetProcAddress.KERNEL32(75550000,02E173D0), ref: 004267B8
GetProcAddress.KERNEL32(75550000,02E17370), ref: 004267D0
GetProcAddress.KERNEL32(75550000,02E1DCD8), ref: 004267E8
GetProcAddress.KERNEL32(75550000,02DF2640), ref: 00426801
GetProcAddress.KERNEL32(75550000,02DF28A0), ref: 00426819
GetProcAddress.KERNEL32(75550000,02DF2760), ref: 00426831
GetProcAddress.KERNEL32(75550000,02DF26E0), ref: 0042684A
GetProcAddress.KERNEL32(75550000,02E1DBD0), ref: 00426862
GetProcAddress.KERNEL32(75550000,02E1DD50), ref: 0042687A
GetProcAddress.KERNEL32(75550000,02E19900), ref: 00426893
GetProcAddress.KERNEL32(75550000,02DF24E0), ref: 004268AB
GetProcAddress.KERNEL32(75550000,02E1DC18), ref: 004268C3
GetProcAddress.KERNEL32(75550000,02E1DCF0), ref: 004268DC
GetProcAddress.KERNEL32(75550000,02E1DD80), ref: 004268F4
GetProcAddress.KERNEL32(75550000,02E1DE70), ref: 0042690C
GetProcAddress.KERNEL32(75550000,02DF2500), ref: 00426925
GetProcAddress.KERNEL32(75550000,02E1DC90), ref: 0042693D
GetProcAddress.KERNEL32(75550000,02E1DC48), ref: 00426955
GetProcAddress.KERNEL32(75550000,02E1DDF8), ref: 0042696E
GetProcAddress.KERNEL32(75550000,02E1DCA8), ref: 00426986
GetProcAddress.KERNEL32(75550000,02E1DD08), ref: 0042699E
GetProcAddress.KERNEL32(75550000,02E1DD38), ref: 004269B7
GetProcAddress.KERNEL32(75550000,02E1DD20), ref: 004269CF
GetProcAddress.KERNEL32(75550000,02E1DEA0), ref: 004269E7
GetProcAddress.KERNEL32(75550000,02E1DD68), ref: 00426A00
GetProcAddress.KERNEL32(75550000,02E196F0), ref: 00426A18
GetProcAddress.KERNEL32(75550000,02E1DBE8), ref: 00426A30
GetProcAddress.KERNEL32(75550000,02E1DE10), ref: 00426A49
GetProcAddress.KERNEL32(75550000,02DF25A0), ref: 00426A61
GetProcAddress.KERNEL32(75550000,02E1DE58), ref: 00426A79
GetProcAddress.KERNEL32(75550000,02DF27A0), ref: 00426A92
GetProcAddress.KERNEL32(75550000,02E1DC78), ref: 00426AAA
GetProcAddress.KERNEL32(75550000,02E1DDB0), ref: 00426AC2
GetProcAddress.KERNEL32(75550000,02DF2520), ref: 00426ADB
GetProcAddress.KERNEL32(75550000,02DF2540), ref: 00426AF3
LoadLibraryA.KERNEL32(02E1DDE0,0042051F,?,00421EA5), ref: 00426B05
LoadLibraryA.KERNEL32(02E1DC30,?,00421EA5), ref: 00426B16
LoadLibraryA.KERNEL32(02E1DE28,?,00421EA5), ref: 00426B28
LoadLibraryA.KERNEL32(02E1DDC8,?,00421EA5), ref: 00426B3A
LoadLibraryA.KERNEL32(02E1DCC0,?,00421EA5), ref: 00426B4B
LoadLibraryA.KERNEL32(02E1DC60,?,00421EA5), ref: 00426B5D
LoadLibraryA.KERNEL32(02E1DD98,?,00421EA5), ref: 00426B6F
LoadLibraryA.KERNEL32(02E1DE40,?,00421EA5), ref: 00426B80
GetProcAddress.KERNEL32(75750000,02DF25C0), ref: 00426B9C
GetProcAddress.KERNEL32(75750000,02E1DE88), ref: 00426BB4
GetProcAddress.KERNEL32(75750000,02E17678), ref: 00426BCD
GetProcAddress.KERNEL32(75750000,02E1DC00), ref: 00426BE5
GetProcAddress.KERNEL32(75750000,02DF2980), ref: 00426BFD
GetProcAddress.KERNEL32(73CC0000,02E19A40), ref: 00426C1D
GetProcAddress.KERNEL32(73CC0000,02DF2AE0), ref: 00426C35
GetProcAddress.KERNEL32(73CC0000,02E19BA8), ref: 00426C4E
GetProcAddress.KERNEL32(73CC0000,02E1DEB8), ref: 00426C66
GetProcAddress.KERNEL32(73CC0000,02E1DF18), ref: 00426C7E
GetProcAddress.KERNEL32(73CC0000,02DF2A60), ref: 00426C97
GetProcAddress.KERNEL32(73CC0000,02DF2BE0), ref: 00426CAF
GetProcAddress.KERNEL32(73CC0000,02E1DF78), ref: 00426CC7
GetProcAddress.KERNEL32(757E0000,02DF2AC0), ref: 00426CE3
GetProcAddress.KERNEL32(757E0000,02DF2C00), ref: 00426CFB
GetProcAddress.KERNEL32(757E0000,02E1DF60), ref: 00426D14
GetProcAddress.KERNEL32(757E0000,02E1DF48), ref: 00426D2C
GetProcAddress.KERNEL32(757E0000,02DF2A00), ref: 00426D44
GetProcAddress.KERNEL32(758D0000,02E19978), ref: 00426D64
GetProcAddress.KERNEL32(758D0000,02E19C48), ref: 00426D7C
GetProcAddress.KERNEL32(758D0000,02E1DF90), ref: 00426D95
GetProcAddress.KERNEL32(758D0000,02DF2C40), ref: 00426DAD
GetProcAddress.KERNEL32(758D0000,02DF2BA0), ref: 00426DC5
GetProcAddress.KERNEL32(758D0000,02E19928), ref: 00426DDE
GetProcAddress.KERNEL32(76BE0000,02E1DED0), ref: 00426DFE
GetProcAddress.KERNEL32(76BE0000,02DF2BC0), ref: 00426E16
GetProcAddress.KERNEL32(76BE0000,02E177C8), ref: 00426E2F
GetProcAddress.KERNEL32(76BE0000,02E1DEE8), ref: 00426E47
GetProcAddress.KERNEL32(76BE0000,02E1DF00), ref: 00426E5F
GetProcAddress.KERNEL32(76BE0000,02DF2C20), ref: 00426E78
GetProcAddress.KERNEL32(76BE0000,02DF2C60), ref: 00426E90
GetProcAddress.KERNEL32(76BE0000,02E1DF30), ref: 00426EA8
GetProcAddress.KERNEL32(76BE0000,02E1DFD8), ref: 00426EC1
GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00426ED7
GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00426EEE
GetProcAddress.KERNEL32(76BE0000,CloseDesktop), ref: 00426F05
GetProcAddress.KERNEL32(75670000,02DF2A40), ref: 00426F21
GetProcAddress.KERNEL32(75670000,02E1E0C8), ref: 00426F39
GetProcAddress.KERNEL32(75670000,02E1E248), ref: 00426F52
GetProcAddress.KERNEL32(75670000,02E1E170), ref: 00426F6A
GetProcAddress.KERNEL32(75670000,02E1E0E0), ref: 00426F82
GetProcAddress.KERNEL32(759D0000,02DF28E0), ref: 00426F9E
GetProcAddress.KERNEL32(759D0000,02DF2B00), ref: 00426FB6
GetProcAddress.KERNEL32(76D80000,02DF29A0), ref: 00426FD2
GetProcAddress.KERNEL32(76D80000,02E1E200), ref: 00426FEA
GetProcAddress.KERNEL32(6F5C0000,02DF2960), ref: 0042700A
GetProcAddress.KERNEL32(6F5C0000,02DF2A80), ref: 00427022
GetProcAddress.KERNEL32(6F5C0000,02DF2B20), ref: 0042703B
GetProcAddress.KERNEL32(6F5C0000,02E1E278), ref: 00427053
GetProcAddress.KERNEL32(6F5C0000,02DF2900), ref: 0042706B
GetProcAddress.KERNEL32(6F5C0000,02DF2A20), ref: 00427084
GetProcAddress.KERNEL32(6F5C0000,02DF29C0), ref: 0042709C
GetProcAddress.KERNEL32(6F5C0000,02DF2C80), ref: 004270B4
GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 004270CB
GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 004270E2
GetProcAddress.KERNEL32(75480000,02E1E0B0), ref: 004270FE
GetProcAddress.KERNEL32(75480000,02E17748), ref: 00427116
GetProcAddress.KERNEL32(75480000,02E1E140), ref: 0042712F
GetProcAddress.KERNEL32(75480000,02E1E0F8), ref: 00427147
GetProcAddress.KERNEL32(753B0000,02DF2920), ref: 00427163
GetProcAddress.KERNEL32(6D660000,02E1E110), ref: 0042717F
GetProcAddress.KERNEL32(6D660000,02DF2B40), ref: 00427197
GetProcAddress.KERNEL32(6D660000,02E1DFF0), ref: 004271B0
GetProcAddress.KERNEL32(6D660000,02E1E218), ref: 004271C8

Strings

InternetSetOptionA, xrefs: 004270C0
P2Wu, xrefs: 004268E8
CloseDesktop, xrefs: 00426EFA
CreateDesktopA, xrefs: 00426ED1
HttpQueryInfoA, xrefs: 004270D7
OpenDesktopA, xrefs: 00426EE3
1Wu, xrefs: 004269DB

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$P2Wu$1Wu
API String ID: 2238633743-1673689602
Opcode ID: 8a0bdfc08fccdd3cba7c5a7ed546d60d1095bcb3ca406ab1f60ec5b9cf0af696
Instruction ID: 24e69b76aff6c9b7150681862aeee9ecdced478a12f1b503b046a4f57b6f05f2
Opcode Fuzzy Hash: 8a0bdfc08fccdd3cba7c5a7ed546d60d1095bcb3ca406ab1f60ec5b9cf0af696
Instruction Fuzzy Hash: 18625EB9A103009FD758DF65ED88AA637BBF789345310A91DF95683364DBB4A800DFB0

Function 00404C50 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404C7F
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404CD2
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D05
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D35
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D73
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404DA6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DB6

Strings

------, xrefs: 00404EDC, 00404F09, 0040518B, 0040527C
", xrefs: 00405224, 00405312

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 14802837412dab40ccde9c16937c2f05542ed3580c852b768cfde8aaca49ba56
Instruction ID: afea9254e350e2c83c5ca1416078c05f3deafe074f832828c9fbfb0ea130657c
Opcode Fuzzy Hash: 14802837412dab40ccde9c16937c2f05542ed3580c852b768cfde8aaca49ba56
Instruction Fuzzy Hash: D3527C71A006169BDB21EBA5DC89A9F77B9AF44304F14502AF901B7291DB78EC41CFE8

Function 00404A60 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A74
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A82
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A89
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A90
GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
RtlAllocateHeap.NTDLL(00000000), ref: 00404AA2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ACE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AD9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AEE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AF5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B0B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B12
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B19
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B20
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B27
strlen.MSVCRT ref: 00404B2F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B53
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B5A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B61
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B68
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B6F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B7F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B86
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B8D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B94
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B9B
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404BB0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404A6F, 00404A76, 00404A7D, 00404A84, 00404A8B, 00404AAA, 00404AB4, 00404ABB, 00404AC2, 00404AC9, 00404AD0, 00404ADB, 00404AE2, 00404AE9, 00404AF0, 00404B06, 00404B0D, 00404B14, 00404B1B, 00404B22, 00404B43, 00404B55, 00404B5C, 00404B63, 00404B6A, 00404B7A, 00404B81, 00404B88, 00404B8F, 00404B96

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-3329630956
Opcode ID: 045d89fccd1938906dd098eb9d538f982648d72d25a4e93490e98aa75e76be42
Instruction ID: 85cb4657458729044da74830f500108033980542ca90528f5ca988eecffe09e6
Opcode Fuzzy Hash: 045d89fccd1938906dd098eb9d538f982648d72d25a4e93490e98aa75e76be42
Instruction Fuzzy Hash: 1D31E5A8B40218768620EBFB4C4BB9F7E54DFCC750F215093751857180C9B96681CBEA

Function 00426390 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,02DF8BF8), ref: 004263E9
GetProcAddress.KERNEL32(75550000,02DF8C70), ref: 00426402
GetProcAddress.KERNEL32(75550000,02DF8BE0), ref: 0042641A
GetProcAddress.KERNEL32(75550000,02DF8C10), ref: 00426432
GetProcAddress.KERNEL32(75550000,02DF4130), ref: 0042644B
GetProcAddress.KERNEL32(75550000,02DF2720), ref: 00426463
GetProcAddress.KERNEL32(75550000,02DF2560), ref: 0042647B
GetProcAddress.KERNEL32(75550000,02DF8C28), ref: 00426494
GetProcAddress.KERNEL32(75550000,02E17148), ref: 004264AC
GetProcAddress.KERNEL32(75550000,02E171C0), ref: 004264C4
GetProcAddress.KERNEL32(75550000,02E17028), ref: 004264DD
GetProcAddress.KERNEL32(75550000,02DF27C0), ref: 004264F5
GetProcAddress.KERNEL32(75550000,02E17058), ref: 0042650D
GetProcAddress.KERNEL32(75550000,02E17118), ref: 00426526
GetProcAddress.KERNEL32(75550000,02DF2740), ref: 0042653E
GetProcAddress.KERNEL32(75550000,02E172B0), ref: 00426556
GetProcAddress.KERNEL32(75550000,02E17040), ref: 0042656F
GetProcAddress.KERNEL32(75550000,02DF25E0), ref: 00426587
GetProcAddress.KERNEL32(75550000,02E17088), ref: 0042659F
GetProcAddress.KERNEL32(75550000,02DF27E0), ref: 004265B8
LoadLibraryA.KERNEL32(02E170E8,?,?,?,00421C03), ref: 004265C9
LoadLibraryA.KERNEL32(02E17130,?,?,?,00421C03), ref: 004265DB
LoadLibraryA.KERNEL32(02E17178,?,?,?,00421C03), ref: 004265ED
LoadLibraryA.KERNEL32(02E17160,?,?,?,00421C03), ref: 004265FE
LoadLibraryA.KERNEL32(02E172E0,?,?,?,00421C03), ref: 00426610
GetProcAddress.KERNEL32(75670000,02E17190), ref: 0042662D
GetProcAddress.KERNEL32(75750000,02E171A8), ref: 00426649
GetProcAddress.KERNEL32(75750000,02E17100), ref: 00426661
GetProcAddress.KERNEL32(76BE0000,02E17280), ref: 0042667D
GetProcAddress.KERNEL32(759D0000,02DF2620), ref: 00426699
GetProcAddress.KERNEL32(773F0000,02DF4140), ref: 004266B5
GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004266CC

Strings

NtQueryInformationProcess, xrefs: 004266C1

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
Instruction ID: 56f15a9ebe07009b104d3bca99d0accdf766ba62d45a378873afb81fcff78c7b
Opcode Fuzzy Hash: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
Instruction Fuzzy Hash: 0FA16EB9A117009FD758DF65EE88A6637BBF789744300A51DF94683360DBB4A900DFB0

Function 00406C40 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406C6F
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406CC2
InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 00406CD5
StrCmpCA.SHLWAPI(?,02E1FEC0), ref: 00406CED
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406D15
HttpOpenRequestA.WININET(00000000,GET,?,02E1F628,00000000,00000000,-00400100,00000000), ref: 00406D50
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406D77
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406D86
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406DA5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406DFF
lstrcpy.KERNEL32(00000000,?), ref: 00406E5B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406E7D
InternetCloseHandle.WININET(00000000), ref: 00406E8E
InternetCloseHandle.WININET(?), ref: 00406E98
InternetCloseHandle.WININET(00000000), ref: 00406EA2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406EC3

Strings

GET, xrefs: 00406D4A
ERROR, xrefs: 00406DB2

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: 277e38131a39cec4d9c9ceb8bf16b3395a0fa65b5aabf89f400ef5f662ce2996
Instruction ID: 91590bf360eea9fd530f380bfccddf156e0f5cf0bac8cd817fa6b8c96a2a5053
Opcode Fuzzy Hash: 277e38131a39cec4d9c9ceb8bf16b3395a0fa65b5aabf89f400ef5f662ce2996
Instruction Fuzzy Hash: 3B816F71B10315ABEB20DFA5DC89BAF77B9AF44700F154069F905B72C0DB78AD058BA8

Function 00421BF0 Relevance: 13.6, APIs: 9, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: c0e07e5736444788f42130480223deb20be2e16b05951c8c3a86ec550b31ae20
Instruction ID: be81ce98aa493f162cc39ac66973376a527fee05715f75cc57822fee9a4dccdf
Opcode Fuzzy Hash: c0e07e5736444788f42130480223deb20be2e16b05951c8c3a86ec550b31ae20
Instruction Fuzzy Hash: 494183317007169BC720ABB6ED49B9F76A6AF50744F45003EF501E72A1DFB8E8058B98

Function 00405640 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040565A
RtlAllocateHeap.NTDLL(00000000), ref: 00405661
InternetOpenA.WININET(Function_0002CFEC,00000000,00000000,00000000,00000000), ref: 00405677
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00405692
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004056BC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 004056E1
InternetCloseHandle.WININET(?), ref: 004056FA
InternetCloseHandle.WININET(00000000), ref: 00405701

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
Instruction ID: 497886bade507dc047050612015881185fcc427d3ee3b68b24892f00a211d5cf
Opcode Fuzzy Hash: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
Instruction Fuzzy Hash: 2E415C70A00605AFDB14CF54DD88F9BB7B5FF48304F14806AE909AB391D7759941CFA8

Function 00422A40 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A6F
HeapAlloc.KERNEL32(00000000), ref: 00422A76
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A8A

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 6c1fa00503cf644c0ad8ae9dfa58bb6559640976417a912d3d4b7ac5badfbdc6
Instruction ID: daca8bc385b25320d3fa5486434c0ccaa4de5bcaee4211da3630c20ba90b8488
Opcode Fuzzy Hash: 6c1fa00503cf644c0ad8ae9dfa58bb6559640976417a912d3d4b7ac5badfbdc6
Instruction Fuzzy Hash: DBF0B4B1A44214AFC700DF88DD49B9EBBBCF704B21F10021AFD15E3280D7B419048BE1

Function 0041F1B0 Relevance: 102.7, APIs: 57, Strings: 1, Instructions: 1156stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042CFEC,00000001,00000000,00000000), ref: 0041F1D5
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F1F1
lstrlenA.KERNEL32(0042CFEC), ref: 0041F1FC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F215
lstrlenA.KERNEL32(0042CFEC), ref: 0041F220
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F239
lstrcpy.KERNEL32(00000000,00434F9C), ref: 0041F25E
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F28C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F2C0
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F2F0
lstrlenA.KERNEL32(02DF28C0), ref: 0041F315

Strings

ERROR, xrefs: 0041F616, 0041F712, 0041F99E, 0041FA2C, 0041FCB8, 0041FD50

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ERROR
API String ID: 367037083-2861137601
Opcode ID: 77f58e9e4a73e238c65df14d81476ff21136097aed580324177bbc0d500d2e1d
Instruction ID: 9040d6f19fad2f554d89e7cb04000db69b8e1dab663b12f148e4c904462f9889
Opcode Fuzzy Hash: 77f58e9e4a73e238c65df14d81476ff21136097aed580324177bbc0d500d2e1d
Instruction Fuzzy Hash: BFA23270A012059FCB20DF65D948A9BB7F5AF44314F18847AE809EB3A1DB79DC86CF94

Function 00405790 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004057BF
lstrlenA.KERNEL32(?), ref: 00405812
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 00405854
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 00405893
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 004058C3
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 004058F8

Strings

------, xrefs: 004059F9, 00405A26
------, xrefs: 00405BDB, 00405CCC, 00405DBA
--, xrefs: 00405A5F, 00405A87
.A, xrefs: 0040583C, 004060BA, 00405F60
", xrefs: 00405C74, 00405D62, 00405E50

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$.A
API String ID: 367037083-1166535305
Opcode ID: 8b8e648e84790d0d315e7e9be9a642b64d15ba72e26f7175dbbc07fb82001778
Instruction ID: 78e5efbc316df923fcc7cbd0813b046ea13c58d0eb3bd30a0976a401dee716d8
Opcode Fuzzy Hash: 8b8e648e84790d0d315e7e9be9a642b64d15ba72e26f7175dbbc07fb82001778
Instruction Fuzzy Hash: F1425D71B002199BCB20EBB9DD89A9F77B5AF44304F05543AF905B7291DB78AC058FE8

Function 0042658E Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 88
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,02E17088), ref: 0042659F
GetProcAddress.KERNEL32(75550000,02DF27E0), ref: 004265B8
LoadLibraryA.KERNEL32(02E170E8,?,?,?,00421C03), ref: 004265C9
LoadLibraryA.KERNEL32(02E17130,?,?,?,00421C03), ref: 004265DB
LoadLibraryA.KERNEL32(02E17178,?,?,?,00421C03), ref: 004265ED
LoadLibraryA.KERNEL32(02E17160,?,?,?,00421C03), ref: 004265FE
LoadLibraryA.KERNEL32(02E172E0,?,?,?,00421C03), ref: 00426610
GetProcAddress.KERNEL32(75670000,02E17190), ref: 0042662D
GetProcAddress.KERNEL32(75750000,02E171A8), ref: 00426649
GetProcAddress.KERNEL32(75750000,02E17100), ref: 00426661
GetProcAddress.KERNEL32(76BE0000,02E17280), ref: 0042667D
GetProcAddress.KERNEL32(759D0000,02DF2620), ref: 00426699
GetProcAddress.KERNEL32(773F0000,02DF4140), ref: 004266B5
GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004266CC

Strings

NtQueryInformationProcess, xrefs: 004266C1

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 9fb865e721fbffa39379ccc749f7c1f062223782d0a66bb1a8d01fed4bc13022
Instruction ID: 417828fd74631f7b98bacc5121334c04d36de36b3288361a418e6e9bbd4668d5
Opcode Fuzzy Hash: 9fb865e721fbffa39379ccc749f7c1f062223782d0a66bb1a8d01fed4bc13022
Instruction Fuzzy Hash: 24316BB5A113009FD758DFA9EE48AA63BBBB789745300651EF545C3260EBB49800CFB5

Function 02D0003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D0024D

Strings

kernel32.dll, xrefs: 02D0008F, 02D00095
cess, xrefs: 02D0018D

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 112ab9a8d626c55c735fcb8e96531faa9c8ff8868af091c86c716b5e6674c398
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 26525974A012299FDB64CF58C984BACBBB1BF09305F1480D9E54DAB3A1DB30AE95DF14

Function 00422740 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,02E17358,00000000), ref: 0042277B
GetVolumeInformationA.KERNEL32(0042A440,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 004227AC
GetProcessHeap.KERNEL32(00000000,00000104), ref: 0042280F
HeapAlloc.KERNEL32(00000000), ref: 00422816
wsprintfA.USER32 ref: 0042283B

Strings

C, xrefs: 00422785
:\, xrefs: 00422795

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
Instruction ID: d93c7da38ddd29de155311ca5e1d1e4f781f7aaabd56b552648b56c95dd02ec1
Opcode Fuzzy Hash: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
Instruction Fuzzy Hash: 4E3170B1908219AFCB04DFA89A859EFBFB8EF58740F10016EE505E7250E6748B408BA5

Function 00404BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,02E17638), ref: 00404BF7
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C01
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C0B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404C1F
InternetCrackUrlA.WININET(?,00000000), ref: 00404C27

Strings

<, xrefs: 00404BE7

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 285894264c2d7e9187e750985268b8b3b2c891db7afd2989fead038aed9c22b4
Instruction ID: 1bd60353331dbecd9a7383d9733d23d0053dd466cc4828cfdfd0774d9622719e
Opcode Fuzzy Hash: 285894264c2d7e9187e750985268b8b3b2c891db7afd2989fead038aed9c22b4
Instruction Fuzzy Hash: D8012D71D00218AFDB10DFA9EC45B9EBBB8EB48364F00412AF914E7390EB7459058FD4

Function 00422910 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422925
HeapAlloc.KERNEL32(00000000), ref: 0042292C
RegOpenKeyExA.KERNEL32(80000002,02E1A0B0,00000000,00020119,004228A9), ref: 0042294B
RegQueryValueExA.KERNEL32(004228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422965
RegCloseKey.ADVAPI32(004228A9), ref: 0042296F

Strings

CurrentBuildNumber, xrefs: 0042295F

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
Instruction ID: c5fe118d464dd8edc36b27dd1f265e731215acc2a0e12dade4fb376ba34b0d4d
Opcode Fuzzy Hash: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
Instruction Fuzzy Hash: 1501B175600329BFD314CBA0AC59EFB7BBDEB48755F100059FE4597240EAB159448BE0

Function 00422880 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422895
HeapAlloc.KERNEL32(00000000), ref: 0042289C

Part of subcall function 00422910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422925
Part of subcall function 00422910: HeapAlloc.KERNEL32(00000000), ref: 0042292C
Part of subcall function 00422910: RegOpenKeyExA.KERNEL32(80000002,02E1A0B0,00000000,00020119,004228A9), ref: 0042294B
Part of subcall function 00422910: RegQueryValueExA.KERNEL32(004228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422965
Part of subcall function 00422910: RegCloseKey.ADVAPI32(004228A9), ref: 0042296F

RegOpenKeyExA.KERNEL32(80000002,02E1A0B0,00000000,00020119,00419500), ref: 004228D1
RegQueryValueExA.KERNEL32(00419500,02E1E3E0,00000000,00000000,00000000,000000FF), ref: 004228EC
RegCloseKey.ADVAPI32(00419500), ref: 004228F6

Strings

Windows 11, xrefs: 004228B0

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
Instruction ID: b838523736346adb7ce8e3c82dd77743de362bd687d96efd208b95ca381da15e
Opcode Fuzzy Hash: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
Instruction Fuzzy Hash: B301A271B00318BFD714ABA4AD49FEA777EEB44315F000159FE09D3250DAB499448BE0

Function 00401030 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00000000,00000000,?,?,00421C8A), ref: 00401046
VirtualAllocExNuma.KERNEL32(00000000,?,?,00421C8A), ref: 0040104D
ExitProcess.KERNEL32 ref: 00401058
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,00421C8A), ref: 0040106C
VirtualFree.KERNEL32(00000000,17C841C0,00008000,?,?,00421C8A), ref: 004010AB

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID:
API String ID: 3477276466-0
Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction ID: aa33e4c314b55322e5f005f032d3d73aad5dab283e8b13059c6bb542b9569755
Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction Fuzzy Hash: 5E0144713403047BE7240A656C1AF6B77AEA781B01F209029F744F33D0DAB1EA008AB8

Function 0041EE90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EEC3
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F3E8), ref: 0041EEDE
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041EF3F

Strings

ERROR, xrefs: 0041EED8, 0041EF39

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 72d5ddd9ec663449337a3931984c70009c9313c80dea8de56a7e8cf0e1bcc8b6
Instruction ID: c28ac5a7a25757f932124dc7d3da9c4eb04f0c6587e56c0f8f9bd0407561c574
Opcode Fuzzy Hash: 72d5ddd9ec663449337a3931984c70009c9313c80dea8de56a7e8cf0e1bcc8b6
Instruction Fuzzy Hash: 662103747202065BCB21FF7ADD4969B37A4AF14304F04543EBC4AEB2D2DE78E8558B98

Function 004010C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 004010EA
ExitProcess.KERNEL32 ref: 00401114

Strings

@, xrefs: 004010E2

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 803317263-2766056989
Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction ID: 822a68ba0681b22967503a2222785f0e102d58cfae2bd9798b899adfc8918474
Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction Fuzzy Hash: A8F027701082444BEB186A64DD4A32EF7D9EB46350F10493BEEDAE72E2E278C840857F

Function 00422AD0 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422AFF
HeapAlloc.KERNEL32(00000000), ref: 00422B06
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422B1A

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
Instruction ID: 161a44a7ca907f82e4f91189bba25393484f2c5b0b651073a0db56667aea58a7
Opcode Fuzzy Hash: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
Instruction Fuzzy Hash: 45018F72A44618ABC714CF99AD45B9AB7A8F744B21F00026AE915D2780D7B819008AA5

Function 02DFA04E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DFA076
Module32First.KERNEL32(00000000,00000224), ref: 02DFA096

Memory Dump Source

Source File: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df9000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 474bc2f65486ab4f4e3fac82ed2b7574fcfa512587bd9ba4afd26babf118124e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: FFF0F6361003106FD7603BF4BC8CBAE73E8AF4D228F210128E74695AC0CBB0EC058A69

Function 02D00E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02D00223,?,?), ref: 02D00E19
SetErrorMode.KERNEL32(00000000,?,?,02D00223,?,?), ref: 02D00E1E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 321e974b036e4f16ea177584da4ce767ebf48987a111953a049e8d08f4e0b479
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4CD0123114512877D7002A94DC09BCD7B1CDF05B67F008011FB0DE9180C770994046E5

Function 0041EDE0 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EE12

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 56cc2fd4b268bed5366ddfd9a30f0340bfcf23e6d13ca5de0974df139b39ebd2
Instruction ID: fee62f33bcd31fc09c73aaf4a1b77b4d3787390e32f2935f10386d1c9e65d501
Opcode Fuzzy Hash: 56cc2fd4b268bed5366ddfd9a30f0340bfcf23e6d13ca5de0974df139b39ebd2
Instruction Fuzzy Hash: DE11C0713201055BCB25FF6EED4AA9F37A4AF50304F405039B849AB2D2DE78ED588B99

Function 02DF9D0D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02DF9D5E

Memory Dump Source

Source File: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df9000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 821f6bd8b8362e04e5aa3f45100cb2b5ada12366f92d7be4e403187ebd65e614
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AC112A79A00208EFDB41DF98C985E98BBF5EB08351F1580A4FA489B361D371EA50DF94

Non-executed Functions

Function 02D01907 Relevance: 172.2, APIs: 114, Instructions: 1164stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01949
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01980
lstrcpy.KERNEL32(00000000,00000000), ref: 02D019D3
lstrcat.KERNEL32(00000000), ref: 02D019DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01A09
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01A56
lstrcat.KERNEL32(00000000,00000000), ref: 02D01A60
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01A8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01ADC
lstrcat.KERNEL32(00000000), ref: 02D01AE6
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01B12
lstrcpy.KERNEL32(00000000,?), ref: 02D01B5A
lstrcat.KERNEL32(00000000,00000000), ref: 02D01B65
lstrlen.KERNEL32(00431794), ref: 02D01B70
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01B90
lstrcat.KERNEL32(00000000,00431794), ref: 02D01B9C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01BC2
lstrcat.KERNEL32(00000000,00000000), ref: 02D01BCD
lstrlen.KERNEL32(00431798), ref: 02D01BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01BF5
lstrcat.KERNEL32(00000000,00431798), ref: 02D01C01

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

lstrcpy.KERNEL32(00000000,00000000), ref: 02D01C2A
lstrcpy.KERNEL32(00000000,?), ref: 02D01C75
lstrcat.KERNEL32(00000000,00000000), ref: 02D01C7D
lstrlen.KERNEL32(00431794), ref: 02D01C88
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01CA8
lstrcat.KERNEL32(00000000,00431794), ref: 02D01CB4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01CDD
lstrcat.KERNEL32(00000000,00000000), ref: 02D01CE8
lstrlen.KERNEL32(00431794), ref: 02D01CF3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01D13
lstrcat.KERNEL32(00000000,00431794), ref: 02D01D1F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01D45
lstrcat.KERNEL32(00000000,00000000), ref: 02D01D50
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01D78
FindFirstFileA.KERNEL32(00000000,?), ref: 02D01DAC
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D01DD7
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D01DF1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01E2B
lstrcpy.KERNEL32(00000000,?), ref: 02D01E62
lstrcat.KERNEL32(00000000,00000000), ref: 02D01E6A
lstrlen.KERNEL32(00431794), ref: 02D01E75
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01E98
lstrcat.KERNEL32(00000000,00431794), ref: 02D01EA4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01ED0
lstrcat.KERNEL32(00000000,00000000), ref: 02D01EDB
lstrlen.KERNEL32(00431794), ref: 02D01EE6
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01F09
lstrcat.KERNEL32(00000000,00431794), ref: 02D01F15
lstrlen.KERNEL32(?), ref: 02D01F22
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01F42
lstrcat.KERNEL32(00000000,?), ref: 02D01F50
lstrlen.KERNEL32(00431794), ref: 02D01F5B
lstrcpy.KERNEL32(00000000,?), ref: 02D01F7B
lstrcat.KERNEL32(00000000,00431794), ref: 02D01F87
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01FAD
lstrcat.KERNEL32(00000000,00000000), ref: 02D01FB8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01FE4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02047
lstrcat.KERNEL32(00000000,00000000), ref: 02D02052
lstrlen.KERNEL32(00431794), ref: 02D0205D
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02080
lstrcat.KERNEL32(00000000,00431794), ref: 02D0208C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D020B2
lstrcat.KERNEL32(00000000,00000000), ref: 02D020BD
lstrlen.KERNEL32(00431794), ref: 02D020C8
lstrcpy.KERNEL32(00000000,?), ref: 02D020E8
lstrcat.KERNEL32(00000000,00431794), ref: 02D020F4
lstrlen.KERNEL32(?), ref: 02D02101
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02121
lstrcat.KERNEL32(00000000,?), ref: 02D0212F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0215B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D021A5
GetFileAttributesA.KERNEL32(00000000), ref: 02D021AC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D02206
lstrlen.KERNEL32(006389F0), ref: 02D02215
lstrcpy.KERNEL32(00000000,?), ref: 02D02242
lstrcat.KERNEL32(00000000,?), ref: 02D0224A
lstrlen.KERNEL32(00431794), ref: 02D02255
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02275
lstrcat.KERNEL32(00000000,00431794), ref: 02D02281
lstrcpy.KERNEL32(00000000,?), ref: 02D022A9
lstrcat.KERNEL32(00000000,00000000), ref: 02D022B4
lstrlen.KERNEL32(00431794), ref: 02D022BF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D022DC
lstrcat.KERNEL32(00000000,00431794), ref: 02D022E8

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
String ID:
API String ID: 4127656590-0
Opcode ID: b47ce8a7f0e21845c30875caa1eccb5d7b5f46704766099070902513762b18b6
Instruction ID: fe92247b9568fdd69c86efee5657353ec99c372148eee672870e74cb6fc46824
Opcode Fuzzy Hash: b47ce8a7f0e21845c30875caa1eccb5d7b5f46704766099070902513762b18b6
Instruction Fuzzy Hash: 7492F9719026569BCB11AF64CDCCBAEB7BAEF44708F144128E809A73A4DB74DD05CFA4

Function 02D0DDE7 Relevance: 145.2, APIs: 96, Instructions: 1193stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DE28
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DE4B
lstrcat.KERNEL32(00000000,00000000), ref: 02D0DE56
lstrlen.KERNEL32(00434CA4), ref: 02D0DE61
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DE7E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D0DE8A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DEB3
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DEF6
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DF26
FindFirstFileA.KERNEL32(00000000,?), ref: 02D0DF37
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D0DF57
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D0DF71
lstrlen.KERNEL32(0042CFEC), ref: 02D0DF84
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DFAE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DFD7
lstrcat.KERNEL32(00000000,00000000), ref: 02D0DFE2
lstrlen.KERNEL32(00431794), ref: 02D0DFED
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E00A
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E016
lstrlen.KERNEL32(?), ref: 02D0E023
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E046
lstrcat.KERNEL32(00000000,?), ref: 02D0E054
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E080
lstrlen.KERNEL32(00431794), ref: 02D0E0A4
lstrcpy.KERNEL32(00000000,?), ref: 02D0E0D6
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E0E2
lstrlen.KERNEL32(00638D28), ref: 02D0E0F1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E117
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E122
lstrlen.KERNEL32(00431794), ref: 02D0E12D
lstrcpy.KERNEL32(00000000,?), ref: 02D0E14D
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E159
lstrlen.KERNEL32(006388C8), ref: 02D0E168
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E18E
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E199
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E1C5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E20C
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E218
lstrlen.KERNEL32(00638D28), ref: 02D0E227
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E250
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E25B
lstrlen.KERNEL32(00431794), ref: 02D0E266
lstrcpy.KERNEL32(00000000,?), ref: 02D0E289
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E295
lstrlen.KERNEL32(006388C8), ref: 02D0E2A4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E2CA
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E2D5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E301
StrCmpCA.SHLWAPI(?,00434CA8), ref: 02D0E334
StrCmpCA.SHLWAPI(?,00434CB0), ref: 02D0E34E
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0E386
lstrlen.KERNEL32(00638CA4), ref: 02D0E395
lstrcpy.KERNEL32(00000000,?), ref: 02D0E3BC
lstrcat.KERNEL32(00000000,?), ref: 02D0E3C4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E406
lstrcat.KERNEL32(00000000), ref: 02D0E410
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E437
CopyFileA.KERNEL32(00000000,?,00000001), ref: 02D0E460
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0E496
lstrlen.KERNEL32(006389F0), ref: 02D0E4A4
lstrcpy.KERNEL32(00000000,?), ref: 02D0E4C8
lstrcat.KERNEL32(00000000,006389F0), ref: 02D0E4D0
lstrlen.KERNEL32(00434CBC), ref: 02D0E4DB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E502
lstrcat.KERNEL32(00000000,00434CBC), ref: 02D0E50E
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E536
lstrcpy.KERNEL32(00000000,?), ref: 02D0E576
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E5B0
DeleteFileA.KERNEL32(?), ref: 02D0E5E8
StrCmpCA.SHLWAPI(?,00638C74), ref: 02D0E612
lstrcpy.KERNEL32(00000000,?), ref: 02D0E65B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E683
lstrcpy.KERNEL32(00000000,?), ref: 02D0E6AC
StrCmpCA.SHLWAPI(?,006388C8), ref: 02D0E6CF
StrCmpCA.SHLWAPI(?,00638D28), ref: 02D0E6E4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E740
GetFileAttributesA.KERNEL32(00000000), ref: 02D0E747
StrCmpCA.SHLWAPI(?,00638CC8), ref: 02D0E7F5
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0E82B
CopyFileA.KERNEL32(00000000,?,00000001), ref: 02D0E8A0
lstrcpy.KERNEL32(00000000,?), ref: 02D0E8DF
lstrcpy.KERNEL32(00000000,?), ref: 02D0E908
lstrcpy.KERNEL32(00000000,?), ref: 02D0E92E
lstrcpy.KERNEL32(00000000,?), ref: 02D0E975
lstrcpy.KERNEL32(00000000,?), ref: 02D0E99E
lstrcpy.KERNEL32(00000000,?), ref: 02D0E9C3
StrCmpCA.SHLWAPI(?,00434CD0), ref: 02D0E9DD
DeleteFileA.KERNEL32(?), ref: 02D0EA39
StrCmpCA.SHLWAPI(?,00638B20), ref: 02D0EA63
lstrcpy.KERNEL32(00000000,?), ref: 02D0EAF3
lstrcpy.KERNEL32(00000000,?), ref: 02D0EB1C
lstrcpy.KERNEL32(00000000,?), ref: 02D0EB55
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0EB7D
lstrcpy.KERNEL32(00000000,?), ref: 02D0EBB9

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
String ID:
API String ID: 2635522530-0
Opcode ID: df1bd6274aba3b12cd408392eac2fcfb392000615a603bf693a119dd985772f0
Instruction ID: 6c048ec795b0260c9c8a225838ea67f862bae57c37fa1dbb59ffc8fbca894fdc
Opcode Fuzzy Hash: df1bd6274aba3b12cd408392eac2fcfb392000615a603bf693a119dd985772f0
Instruction Fuzzy Hash: 3B922E719012569BCB20AF74DCC8BAEBBBAEF44304F144969E845A73A0DB74DD45CFA0

Function 02D11B07 Relevance: 132.9, APIs: 88, Instructions: 909stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D11B39
lstrlen.KERNEL32(00431798), ref: 02D11B44
lstrcpy.KERNEL32(00000000,?), ref: 02D11B66
lstrcat.KERNEL32(00000000,00431798), ref: 02D11B72
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11B99
FindFirstFileA.KERNEL32(00000000,?), ref: 02D11BAE
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D11BCE
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D11BE8
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D11C26
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D11C59
lstrcpy.KERNEL32(00000000,?), ref: 02D11C81
lstrcat.KERNEL32(00000000,00000000), ref: 02D11C8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11CB3
lstrlen.KERNEL32(00431794), ref: 02D11CC5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11CE7
lstrcat.KERNEL32(00000000,00431794), ref: 02D11CF3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11D1B
lstrlen.KERNEL32(?), ref: 02D11D2F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11D4C
lstrcat.KERNEL32(00000000,?), ref: 02D11D5A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11D80
lstrlen.KERNEL32(00638D00), ref: 02D11D96
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11DC0
lstrcat.KERNEL32(00000000,00000000), ref: 02D11DCB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11DF6
lstrlen.KERNEL32(00431794), ref: 02D11E08
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11E2A
lstrcat.KERNEL32(00000000,00431794), ref: 02D11E36
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11E5F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11E8C
lstrcat.KERNEL32(00000000,00000000), ref: 02D11E97
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11EBE
lstrlen.KERNEL32(00431794), ref: 02D11ED0
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11EF2
lstrcat.KERNEL32(00000000,00431794), ref: 02D11EFE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11F27
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11F56
lstrcat.KERNEL32(00000000,00000000), ref: 02D11F61
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11F88
lstrlen.KERNEL32(00431794), ref: 02D11F9A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11FBC
lstrcat.KERNEL32(00000000,00431794), ref: 02D11FC8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11FF1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12020
lstrcat.KERNEL32(00000000,00000000), ref: 02D1202B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12054
lstrlen.KERNEL32(00431794), ref: 02D12080
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1209D
lstrcat.KERNEL32(00000000,00431794), ref: 02D120A9
lstrcpy.KERNEL32(00000000,00000000), ref: 02D120CF
lstrlen.KERNEL32(006389A8), ref: 02D120E5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12119
lstrlen.KERNEL32(00431794), ref: 02D1212D
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1214A
lstrcat.KERNEL32(00000000,00431794), ref: 02D12156
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1217C
lstrlen.KERNEL32(00638BDC), ref: 02D12192
lstrcpy.KERNEL32(00000000,00000000), ref: 02D121C6
lstrlen.KERNEL32(00431794), ref: 02D121DA
lstrcpy.KERNEL32(00000000,00000000), ref: 02D121F7
lstrcat.KERNEL32(00000000,00431794), ref: 02D12203
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12229
lstrlen.KERNEL32(00638CE8), ref: 02D1223F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12267
lstrcat.KERNEL32(00000000,00000000), ref: 02D12272
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1229D
lstrlen.KERNEL32(00431794), ref: 02D122AF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D122CE
lstrcat.KERNEL32(00000000,00431794), ref: 02D122DA
lstrcpy.KERNEL32(00000000,00000000), ref: 02D122FF
lstrlen.KERNEL32(?), ref: 02D12313
lstrcpy.KERNEL32(00000000,00000000), ref: 02D12337
lstrcat.KERNEL32(00000000,?), ref: 02D12345
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1236A
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D123A6
lstrlen.KERNEL32(00638CA4), ref: 02D123B5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D123DD
lstrcat.KERNEL32(00000000,00000000), ref: 02D123E8

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
String ID:
API String ID: 712834838-0
Opcode ID: 4ce771d22f91469fb80aa1fc91939a485c3ea60ca114c77d5d502a966bb14593
Instruction ID: b2bbb7638ed9017b787f9bd7924535f416783f19f3a066ec8ea731d1e13a1a45
Opcode Fuzzy Hash: 4ce771d22f91469fb80aa1fc91939a485c3ea60ca114c77d5d502a966bb14593
Instruction Fuzzy Hash: 3C624C71502616ABCB21AF74DC8CBAEB7BAEF44708F144528E805A77A4DB74DD05CFA0

Function 02D16BC7 Relevance: 125.3, APIs: 83, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16BFC
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 02D16C2F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16C69
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16C90
lstrcat.KERNEL32(00000000,00000000), ref: 02D16C9B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16CC4
lstrlen.KERNEL32(00434D58), ref: 02D16CDE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16D00
lstrcat.KERNEL32(00000000,00434D58), ref: 02D16D0C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16D37
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16D67
LocalAlloc.KERNEL32(00000040,?), ref: 02D16D9C
strtok_s.MSVCRT ref: 02D16DC9
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E04
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E34

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID:
API String ID: 922491270-0
Opcode ID: eafb68b21d08b5959392c16b3f5027c3f0252857160b3bee96a810a3953ca481
Instruction ID: 6b3b6349a15a9b1166cb473b02c1d8ad9ec0b9794ce75e945a64157e24363f23
Opcode Fuzzy Hash: eafb68b21d08b5959392c16b3f5027c3f0252857160b3bee96a810a3953ca481
Instruction Fuzzy Hash: CE425071A01256ABDB11ABB4EC8CBAEBBBAEF44704F145418F801977A0DB74DD05CFA4

Function 02D06337 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 816stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D06366
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D063B9
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D063EC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0641C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D06457
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0648A
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02D0649A

Strings

", xrefs: 02D068FE, 02D069EC
------, xrefs: 02D065C0, 02D065ED, 02D06865, 02D06956

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: cf1a6c2041626ebf463119a37b4062f1c5bca86e292e3d2c8c6f5cb3243bbf73
Instruction ID: dcb24d3b19825298d333dd14e6a5e4f912d8ba37f4f8465f8e91487825716497
Opcode Fuzzy Hash: cf1a6c2041626ebf463119a37b4062f1c5bca86e292e3d2c8c6f5cb3243bbf73
Instruction Fuzzy Hash: 5A5230719012569BDB11AFB4DCC8B9EB7BAEF44318F158424E905A73A0DB74EC05CFA4

Function 004060D0 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 816stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004060FF
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406152
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406185
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004061B5
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004061F0
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406223
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406233

Strings

------, xrefs: 00406359, 00406386, 004065FE, 004066EF
", xrefs: 00406697, 00406785

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 04f9cf47dfec5be050777e69d84e98be2ec72ffd65f30c005331e705a2bd9645
Instruction ID: ffbc6fd56c8a94c556c3f2c906f19bfa2bc12b6ecd202742e41b97733aae5ab7
Opcode Fuzzy Hash: 04f9cf47dfec5be050777e69d84e98be2ec72ffd65f30c005331e705a2bd9645
Instruction Fuzzy Hash: 9B525F71A002169BCB21ABB9DD49A9F77B9AF44304F15503AF806B72D1DB78DC05CFA8

Function 02D13B77 Relevance: 122.4, APIs: 81, Instructions: 869stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02D13B93
FindFirstFileA.KERNEL32(?,?), ref: 02D13BAA
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D13BD3
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D13BED
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D13C26
lstrcpy.KERNEL32(00000000,?), ref: 02D13C4E
lstrcat.KERNEL32(00000000,00000000), ref: 02D13C59
lstrlen.KERNEL32(00431794), ref: 02D13C64
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13C81
lstrcat.KERNEL32(00000000,00431794), ref: 02D13C8D
lstrlen.KERNEL32(?), ref: 02D13C9A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13CBA
lstrcat.KERNEL32(00000000,?), ref: 02D13CC8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13CF1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D13D35
lstrlen.KERNEL32(?), ref: 02D13D3F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13D6C
lstrcat.KERNEL32(00000000,00000000), ref: 02D13D77
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13D9D
lstrlen.KERNEL32(00431794), ref: 02D13DAF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13DD1
lstrcat.KERNEL32(00000000,00431794), ref: 02D13DDD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13E05
lstrlen.KERNEL32(?), ref: 02D13E19
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13E39
lstrcat.KERNEL32(00000000,?), ref: 02D13E47
lstrlen.KERNEL32(006389F0), ref: 02D13E72
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13E98
lstrcat.KERNEL32(00000000,00000000), ref: 02D13EA3
lstrlen.KERNEL32(00638D00), ref: 02D13EC5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13EEB
lstrcat.KERNEL32(00000000,00000000), ref: 02D13EF6
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13F1E
lstrlen.KERNEL32(00431794), ref: 02D13F30
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13F4F
lstrcat.KERNEL32(00000000,00431794), ref: 02D13F5B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13F81
lstrcpy.KERNEL32(00000000,?), ref: 02D13FAE
lstrcat.KERNEL32(00000000,00000000), ref: 02D13FB9
lstrcpy.KERNEL32(00000000,00000000), ref: 02D13FE0
lstrlen.KERNEL32(00431794), ref: 02D13FF2
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14014
lstrcat.KERNEL32(00000000,00431794), ref: 02D14020
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14049
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14078
lstrcat.KERNEL32(00000000,00000000), ref: 02D14083
lstrcpy.KERNEL32(00000000,00000000), ref: 02D140AA
lstrlen.KERNEL32(00431794), ref: 02D140BC
lstrcpy.KERNEL32(00000000,00000000), ref: 02D140DE
lstrcat.KERNEL32(00000000,00431794), ref: 02D140EA
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14113
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14142
lstrcat.KERNEL32(00000000,00000000), ref: 02D1414D
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14174
lstrlen.KERNEL32(00431794), ref: 02D14186
lstrcpy.KERNEL32(00000000,00000000), ref: 02D141A8
lstrcat.KERNEL32(00000000,00431794), ref: 02D141B4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D141DC
lstrlen.KERNEL32(?), ref: 02D141F0
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14210
lstrcat.KERNEL32(00000000,?), ref: 02D1421E
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14247
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14286
lstrlen.KERNEL32(00638CA4), ref: 02D14295
lstrcpy.KERNEL32(00000000,00000000), ref: 02D142BD
lstrcat.KERNEL32(00000000,00000000), ref: 02D142C8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D142F1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14335
lstrcat.KERNEL32(00000000), ref: 02D14342
FindNextFileA.KERNEL32(00000000,?), ref: 02D14540
FindClose.KERNEL32(00000000), ref: 02D1454F

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 1006159827-0
Opcode ID: 55ba17bff02ee27f2bb2d89e516c7728b2b25d5ac4c7a1b0abb5fe8dbff3d3d8
Instruction ID: d79b11b8077ffbdea050d86c63c42359740034ebc83441d961b00dc195d75e15
Opcode Fuzzy Hash: 55ba17bff02ee27f2bb2d89e516c7728b2b25d5ac4c7a1b0abb5fe8dbff3d3d8
Instruction Fuzzy Hash: 90627575901616ABCB11AF74ED8CBAEB7BAEF44308F144528E805A77A0DB74DD05CFA0

Function 02D04EB7 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D04EE6
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D04F39
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D04F6C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D04F9C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D04FDA
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0500D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02D0501D

Strings

", xrefs: 02D0548B, 02D05579
------, xrefs: 02D05143, 02D05170, 02D053F2, 02D054E3

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: eaa2490e6988f320b6a1ade99cc003943cb06326491ce6d684f1855e1fbd764e
Instruction ID: 62d00c1efa2872a6769f457f897b9eed87658beb088843fadc38aa858baa2f32
Opcode Fuzzy Hash: eaa2490e6988f320b6a1ade99cc003943cb06326491ce6d684f1855e1fbd764e
Instruction Fuzzy Hash: 50525C719012569BDB21EFB4DC88BADBBBAEF44318F145424E905A73A0DB74EC45CFA0

Function 02D0DE00 Relevance: 102.8, APIs: 68, Instructions: 763stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DE28
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DE4B
lstrcat.KERNEL32(00000000,00000000), ref: 02D0DE56
lstrlen.KERNEL32(00434CA4), ref: 02D0DE61
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DE7E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D0DE8A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DEB3
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DEF6
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DF26
FindFirstFileA.KERNEL32(00000000,?), ref: 02D0DF37
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D0DF57
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D0DF71
lstrlen.KERNEL32(0042CFEC), ref: 02D0DF84
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0DFAE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0DFD7
lstrcat.KERNEL32(00000000,00000000), ref: 02D0DFE2
lstrlen.KERNEL32(00431794), ref: 02D0DFED
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E00A
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E016
lstrlen.KERNEL32(?), ref: 02D0E023
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E046
lstrcat.KERNEL32(00000000,?), ref: 02D0E054
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E080
lstrlen.KERNEL32(00431794), ref: 02D0E0A4
lstrcpy.KERNEL32(00000000,?), ref: 02D0E0D6
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E0E2
lstrlen.KERNEL32(00638D28), ref: 02D0E0F1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E117
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E122
lstrlen.KERNEL32(00431794), ref: 02D0E12D
lstrcpy.KERNEL32(00000000,?), ref: 02D0E14D
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E159
lstrlen.KERNEL32(006388C8), ref: 02D0E168
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E18E
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E199
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E1C5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E20C
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E218
lstrlen.KERNEL32(00638D28), ref: 02D0E227
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E250
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E25B
lstrlen.KERNEL32(00431794), ref: 02D0E266
lstrcpy.KERNEL32(00000000,?), ref: 02D0E289
lstrcat.KERNEL32(00000000,00431794), ref: 02D0E295
lstrlen.KERNEL32(006388C8), ref: 02D0E2A4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E2CA
lstrcat.KERNEL32(00000000,00000000), ref: 02D0E2D5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E301
StrCmpCA.SHLWAPI(?,00434CA8), ref: 02D0E334
StrCmpCA.SHLWAPI(?,00434CB0), ref: 02D0E34E
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0E386
lstrlen.KERNEL32(00638CA4), ref: 02D0E395
lstrcpy.KERNEL32(00000000,?), ref: 02D0E3BC
lstrcat.KERNEL32(00000000,?), ref: 02D0E3C4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E406
lstrcat.KERNEL32(00000000), ref: 02D0E410
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0E437
CopyFileA.KERNEL32(00000000,?,00000001), ref: 02D0E460
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0E496
lstrlen.KERNEL32(006389F0), ref: 02D0E4A4
lstrcpy.KERNEL32(00000000,?), ref: 02D0E4C8
lstrcat.KERNEL32(00000000,006389F0), ref: 02D0E4D0
FindNextFileA.KERNEL32(00000000,?), ref: 02D0EBEF
FindClose.KERNEL32(00000000), ref: 02D0EBFE

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
String ID:
API String ID: 1346089424-0
Opcode ID: d1e183e24c838eb74bc44f38f99ce4fe9a798cbb56237ed8471f726288990ab3
Instruction ID: 8e76d5654b66b1837fc890ba7098b03d89777ef3da3b29d8e98cfe16e704c8f9
Opcode Fuzzy Hash: d1e183e24c838eb74bc44f38f99ce4fe9a798cbb56237ed8471f726288990ab3
Instruction Fuzzy Hash: D0520B71A016569BCB20AFB4DDCCBAEBBB6EF44304F144969A805973A0DB74DC45CFA0

Function 02D16DE0 Relevance: 96.5, APIs: 64, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E04
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E34
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E64
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D16E96
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02D16EA3
RtlAllocateHeap.NTDLL(00000000), ref: 02D16EAA
StrStrA.SHLWAPI(00000000,00434D88), ref: 02D16EC1
lstrlen.KERNEL32(00000000), ref: 02D16ECC
malloc.MSVCRT ref: 02D16ED6
strncpy.MSVCRT ref: 02D16EE4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16F36
StrStrA.SHLWAPI(00000000,00434D90), ref: 02D16F49
lstrlen.KERNEL32(00000000), ref: 02D16F54
malloc.MSVCRT ref: 02D16F5E
strncpy.MSVCRT ref: 02D16F6C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16F97
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16FBE
StrStrA.SHLWAPI(00000000,00434D98), ref: 02D16FD1
lstrlen.KERNEL32(00000000), ref: 02D16FDC
malloc.MSVCRT ref: 02D16FE6
strncpy.MSVCRT ref: 02D16FF4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1701F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D17046
StrStrA.SHLWAPI(00000000,00434DA0), ref: 02D17059
lstrlen.KERNEL32(00000000), ref: 02D17068
malloc.MSVCRT ref: 02D17072
strncpy.MSVCRT ref: 02D17080
lstrcpy.KERNEL32(00000000,00000000), ref: 02D170B0
lstrcpy.KERNEL32(00000000,00000000), ref: 02D170D8
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D170FB
LocalAlloc.KERNEL32(00000040,00000000), ref: 02D1710F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 02D17130
LocalFree.KERNEL32(00000000), ref: 02D1713B
lstrlen.KERNEL32(?), ref: 02D171D5
lstrlen.KERNEL32(?), ref: 02D171E8
lstrlen.KERNEL32(?), ref: 02D171FB

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID:
API String ID: 2413810636-0
Opcode ID: 8e357f5a8b514afc5501354df5a1341233d7ce63c8ec9d167fd008e543547116
Instruction ID: 0b52dd24620d0b8b3af28c8b9f34cb4765d85bd32f7f5c043712e12514789c64
Opcode Fuzzy Hash: 8e357f5a8b514afc5501354df5a1341233d7ce63c8ec9d167fd008e543547116
Instruction Fuzzy Hash: D1023E75A01256ABDB11ABB4EC8CB9EBBBAEF04704F145418F805E77A0DB74DD01CBA4

Function 02D14D77 Relevance: 67.1, APIs: 44, Instructions: 1095stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14DB8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14DDB
lstrcat.KERNEL32(00000000,00000000), ref: 02D14DE6
lstrlen.KERNEL32(00434CA4), ref: 02D14DF1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14E0E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D14E1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14E45
FindFirstFileA.KERNEL32(00000000,?), ref: 02D14E61

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: adb27d7dacb31245e4674c0be4222ac75c9e854827ba9e862aaf555f94067a1f
Instruction ID: 43bc8b551732cfe6a57309cdfb3cdd64c6783678ea79018453d29f21e81218f7
Opcode Fuzzy Hash: adb27d7dacb31245e4674c0be4222ac75c9e854827ba9e862aaf555f94067a1f
Instruction Fuzzy Hash: 74923F70A012019FDB24DF29E988B69B7F6AF84318F5980ADE8099B7A1D775DC41CF90

Function 02D114B7 Relevance: 62.0, APIs: 41, Instructions: 525stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D114F8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1151B
lstrcat.KERNEL32(00000000,00000000), ref: 02D11526
lstrlen.KERNEL32(00434CA4), ref: 02D11531
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1154E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D1155A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11585
FindFirstFileA.KERNEL32(00000000,?), ref: 02D115A1
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D115C3
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D115DD
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D11616
lstrcpy.KERNEL32(00000000,?), ref: 02D1163E
lstrcat.KERNEL32(00000000,00000000), ref: 02D11649
lstrlen.KERNEL32(00431794), ref: 02D11654
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11671
lstrcat.KERNEL32(00000000,00431794), ref: 02D1167D
lstrlen.KERNEL32(?), ref: 02D1168A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D116AA
lstrcat.KERNEL32(00000000,?), ref: 02D116B8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D116E1
StrCmpCA.SHLWAPI(?,00638C28), ref: 02D1170A
lstrcpy.KERNEL32(00000000,?), ref: 02D1174B
lstrcpy.KERNEL32(00000000,?), ref: 02D11774
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1179C
StrCmpCA.SHLWAPI(?,006388A8), ref: 02D117B9
lstrcpy.KERNEL32(00000000,?), ref: 02D117FA
lstrcpy.KERNEL32(00000000,?), ref: 02D11823
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1184B
StrCmpCA.SHLWAPI(?,00638E3C), ref: 02D11869
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1189A
lstrcpy.KERNEL32(00000000,?), ref: 02D118C3
lstrcpy.KERNEL32(00000000,?), ref: 02D118EC
StrCmpCA.SHLWAPI(?,00638938), ref: 02D1191A
lstrcpy.KERNEL32(00000000,?), ref: 02D1195B
lstrcpy.KERNEL32(00000000,?), ref: 02D11984
lstrcpy.KERNEL32(00000000,00000000), ref: 02D119AC
lstrcpy.KERNEL32(00000000,?), ref: 02D119FD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11A25
lstrcpy.KERNEL32(00000000,?), ref: 02D11A5C
FindNextFileA.KERNEL32(00000000,?), ref: 02D11A83
FindClose.KERNEL32(00000000), ref: 02D11A92

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: cc99e91d25dbf7c2b882c41ba1a681dd11c02f8c6b39d3f02d38f063ee02ee89
Instruction ID: f3951d55c18ffe95d1638eb7b2f3794823b87282ea00b44958753ad8b40b34f5
Opcode Fuzzy Hash: cc99e91d25dbf7c2b882c41ba1a681dd11c02f8c6b39d3f02d38f063ee02ee89
Instruction Fuzzy Hash: FF125170A01246ABDB24EF74EC8CAAE7BB6EF44304F144528E95997790DB74DC45CFA0

Function 02D265F7 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02D26650
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02D26669
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 02D26681
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 02D26699
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 02D266B2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 02D266CA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02D266E2
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 02D266FB
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02D26713
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 02D2672B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02D26744
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 02D2675C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 02D26774
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 02D2678D
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 02D267A5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 02D267BD
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 02D267D6
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 02D267EE
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 02D26806
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 02D2681F
LoadLibraryA.KERNEL32(00638D50,?,?,?,02D21E6A), ref: 02D26830
LoadLibraryA.KERNEL32(0063897C,?,?,?,02D21E6A), ref: 02D26842
LoadLibraryA.KERNEL32(00638904,?,?,?,02D21E6A), ref: 02D26854
LoadLibraryA.KERNEL32(006389DC,?,?,?,02D21E6A), ref: 02D26865
LoadLibraryA.KERNEL32(00638B28,?,?,?,02D21E6A), ref: 02D26877
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 02D26894
GetProcAddress.KERNEL32(00639020,00638C24), ref: 02D268B0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 02D268C8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 02D268E4
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 02D26900
GetProcAddress.KERNEL32(00639004,00638C14), ref: 02D2691C
GetProcAddress.KERNEL32(00639004,0043529C), ref: 02D26933

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
Instruction ID: 5c50943ed911b933a3a11907f55c015ddfd9ad38c2bd2d9bacfd6a530f5ba0ed
Opcode Fuzzy Hash: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
Instruction Fuzzy Hash: A0A16BB9A117009FD758DF69EE88A6637BBF789344300A51DF95683360DBB4A900DFB0

Function 00409770 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 233stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409790
lstrcatA.KERNEL32(?,?), ref: 004097A0
lstrcatA.KERNEL32(?,?), ref: 004097B1
lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004097C3
memset.MSVCRT ref: 004097D7

Part of subcall function 00423E70: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00423EA5
Part of subcall function 00423E70: lstrcpy.KERNEL32(00000000,02E197B0), ref: 00423ECF
Part of subcall function 00423E70: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404DFA,?,00000014), ref: 00423ED9

wsprintfA.USER32 ref: 00409806
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409827
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409844

Part of subcall function 004246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246B9
Part of subcall function 004246A0: Process32First.KERNEL32(00000000,00000128), ref: 004246C9
Part of subcall function 004246A0: Process32Next.KERNEL32(00000000,00000128), ref: 004246DB
Part of subcall function 004246A0: StrCmpCA.SHLWAPI(?,?), ref: 004246ED
Part of subcall function 004246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424702
Part of subcall function 004246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00424711
Part of subcall function 004246A0: CloseHandle.KERNEL32(00000000), ref: 00424718
Part of subcall function 004246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00424726
Part of subcall function 004246A0: CloseHandle.KERNEL32(00000000), ref: 00424731

memset.MSVCRT ref: 00409862
lstrcatA.KERNEL32(00000000,?), ref: 00409878
lstrcatA.KERNEL32(00000000,?), ref: 00409889
lstrcatA.KERNEL32(00000000,00434B60), ref: 0040989B
memset.MSVCRT ref: 004098AF
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004098D4
lstrcpy.KERNEL32(00000000,?), ref: 00409903
StrStrA.SHLWAPI(00000000,02E1E710), ref: 00409919
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00409938
lstrlenA.KERNEL32(?), ref: 0040994B
wsprintfA.USER32 ref: 0040995B
lstrcpy.KERNEL32(?,00000000), ref: 00409971
memset.MSVCRT ref: 00409986
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004099D8
Sleep.KERNEL32(00001388), ref: 004099E7

Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF

Part of subcall function 004092B0: strlen.MSVCRT ref: 004092E1
Part of subcall function 004092B0: strlen.MSVCRT ref: 004092FA
Part of subcall function 004092B0: memset.MSVCRT ref: 00409341
Part of subcall function 004092B0: lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
Part of subcall function 004092B0: lstrcatA.KERNEL32(?,00000000), ref: 00409372
Part of subcall function 004092B0: strlen.MSVCRT ref: 00409399
Part of subcall function 004092B0: strlen.MSVCRT ref: 004093E6

Part of subcall function 00424740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424759
Part of subcall function 00424740: Process32First.KERNEL32(00000000,00000128), ref: 00424769
Part of subcall function 00424740: Process32Next.KERNEL32(00000000,00000128), ref: 0042477B
Part of subcall function 00424740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042479C
Part of subcall function 00424740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004247AB
Part of subcall function 00424740: CloseHandle.KERNEL32(00000000), ref: 004247B2
Part of subcall function 00424740: Process32Next.KERNEL32(00000000,00000128), ref: 004247C0
Part of subcall function 00424740: CloseHandle.KERNEL32(00000000), ref: 004247CB

CloseDesktop.USER32(?), ref: 00409A1C

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 004097B7
%s%s, xrefs: 00409955
D, xrefs: 00409999

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy$Process32memset$CloseProcess$CreateHandleNextstrlen$DesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
API String ID: 67568813-1862457068
Opcode ID: e42de8a202d5d6dea2dc93eaaf91a578506c47d524820bb0a75ed9ed1e9241c9
Instruction ID: 2c37e3413e6ee4b4ed1961789d92b732caee71be02ea627586429f29572cbb88
Opcode Fuzzy Hash: e42de8a202d5d6dea2dc93eaaf91a578506c47d524820bb0a75ed9ed1e9241c9
Instruction Fuzzy Hash: 85916271A10218AFDB10DF64DC89FDE77B9AF48700F5041A9F609A72D1DFB4AA448FA4

Function 02D114D0 Relevance: 43.8, APIs: 29, Instructions: 336stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D114F8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1151B
lstrcat.KERNEL32(00000000,00000000), ref: 02D11526
lstrlen.KERNEL32(00434CA4), ref: 02D11531
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1154E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D1155A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11585
FindFirstFileA.KERNEL32(00000000,?), ref: 02D115A1
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D115C3
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D115DD
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D11616
lstrcpy.KERNEL32(00000000,?), ref: 02D1163E
lstrcat.KERNEL32(00000000,00000000), ref: 02D11649
lstrlen.KERNEL32(00431794), ref: 02D11654
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11671
lstrcat.KERNEL32(00000000,00431794), ref: 02D1167D
lstrlen.KERNEL32(?), ref: 02D1168A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D116AA
lstrcat.KERNEL32(00000000,?), ref: 02D116B8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D116E1
StrCmpCA.SHLWAPI(?,00638C28), ref: 02D1170A
lstrcpy.KERNEL32(00000000,?), ref: 02D1174B
lstrcpy.KERNEL32(00000000,?), ref: 02D11774
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1179C
StrCmpCA.SHLWAPI(?,006388A8), ref: 02D117B9
lstrcpy.KERNEL32(00000000,?), ref: 02D117FA
lstrcpy.KERNEL32(00000000,?), ref: 02D11823
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1184B
lstrcpy.KERNEL32(00000000,?), ref: 02D119FD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D11A25
lstrcpy.KERNEL32(00000000,?), ref: 02D11A5C
FindNextFileA.KERNEL32(00000000,?), ref: 02D11A83
FindClose.KERNEL32(00000000), ref: 02D11A92

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: be495782e5e69fd1e300f1058cd6e7670e16721e9f53d5594ca678ea9e884695
Instruction ID: 2e299a00136dffd9cc2f19e7f871e573b4658e6964e8bff93ac15de5cdfc3ea6
Opcode Fuzzy Hash: be495782e5e69fd1e300f1058cd6e7670e16721e9f53d5594ca678ea9e884695
Instruction Fuzzy Hash: 2EC14E71A01656ABCB20AF74DC8CBAE7BB6EF04304F144528E909977A0DB74DD05CFA0

Function 02D1CE47 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02D1CE63
FindFirstFileA.KERNEL32(?,?), ref: 02D1CE7A
lstrcat.KERNEL32(?,?), ref: 02D1CEC6
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D1CED8
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D1CEF2
wsprintfA.USER32 ref: 02D1CF17
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 02D1CF49
CoInitialize.OLE32(00000000), ref: 02D1CF55

Part of subcall function 02D1CD47: CoCreateInstance.COMBASE(0042B110,00000000,00000001,0042B100,?), ref: 02D1CD6D
Part of subcall function 02D1CD47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 02D1CDAD
Part of subcall function 02D1CD47: lstrcpyn.KERNEL32(?,?,00000104), ref: 02D1CE30

CoUninitialize.COMBASE ref: 02D1CF70
lstrcat.KERNEL32(?,?), ref: 02D1CF95
lstrlen.KERNEL32(?), ref: 02D1CFA2
StrCmpCA.SHLWAPI(?,0042CFEC), ref: 02D1CFBC
wsprintfA.USER32 ref: 02D1CFE4
wsprintfA.USER32 ref: 02D1D003
PathMatchSpecA.SHLWAPI(?,?), ref: 02D1D017
wsprintfA.USER32 ref: 02D1D03F
CopyFileA.KERNEL32(?,?,00000001), ref: 02D1D058
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02D1D077
GetFileSizeEx.KERNEL32(00000000,?), ref: 02D1D08F
CloseHandle.KERNEL32(00000000), ref: 02D1D09A
CloseHandle.KERNEL32(00000000), ref: 02D1D0A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D1D0BB
lstrcpy.KERNEL32(00000000,?), ref: 02D1D0FB
FindNextFileA.KERNEL32(?,?), ref: 02D1D1F4
FindClose.KERNEL32(?), ref: 02D1D206

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: 1e6a93290bb48ebea9772b804d05712693bbf75eec94ca6b3c8864a1428dd4ec
Instruction ID: 8f6d11f5767558509b760b7114d5ecd2e5f957c734d6117bb84fde4404202839
Opcode Fuzzy Hash: 1e6a93290bb48ebea9772b804d05712693bbf75eec94ca6b3c8864a1428dd4ec
Instruction Fuzzy Hash: CDC13E75900219AFCB14DF64DC88BEE777AEF48304F144599F909A7690EB74AE84CFA0

Function 02D1E477 Relevance: 30.2, APIs: 20, Instructions: 212stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02D1E493
FindFirstFileA.KERNEL32(?,?), ref: 02D1E4AA
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D1E4CA
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D1E4E4
wsprintfA.USER32 ref: 02D1E509
StrCmpCA.SHLWAPI(?,0042CFEC), ref: 02D1E51B
wsprintfA.USER32 ref: 02D1E538

Part of subcall function 02D1F047: lstrcpy.KERNEL32(00000000,?), ref: 02D1F079

wsprintfA.USER32 ref: 02D1E557
PathMatchSpecA.SHLWAPI(?,?), ref: 02D1E56B
lstrcat.KERNEL32(?,00638D24), ref: 02D1E59C
lstrcat.KERNEL32(?,00431794), ref: 02D1E5AE
lstrcat.KERNEL32(?,?), ref: 02D1E5BF
lstrcat.KERNEL32(?,00431794), ref: 02D1E5D1
lstrcat.KERNEL32(?,?), ref: 02D1E5E5
CopyFileA.KERNEL32(?,?,00000001), ref: 02D1E5FB
lstrcpy.KERNEL32(00000000,?), ref: 02D1E639
lstrcpy.KERNEL32(00000000,?), ref: 02D1E689
DeleteFileA.KERNEL32(?), ref: 02D1E6C3

Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01802
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01866

FindNextFileA.KERNEL32(00000000,?), ref: 02D1E702
FindClose.KERNEL32(00000000), ref: 02D1E711

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID:
API String ID: 1375681507-0
Opcode ID: c1c9efcaad2f5e6ed68961a17fa1f607964aba2db125c197c65617b576b34e73
Instruction ID: dc4a68c09b84f00d1790571776e971f97cb1604e258ecee17bb5b32ceb34c806
Opcode Fuzzy Hash: c1c9efcaad2f5e6ed68961a17fa1f607964aba2db125c197c65617b576b34e73
Instruction Fuzzy Hash: B88164B1900259ABCB14EF64DC88EEE777AFF44304F044599F90593650EB75AE48CFA0

Function 02D01920 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01949
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01980
lstrcpy.KERNEL32(00000000,00000000), ref: 02D019D3
lstrcat.KERNEL32(00000000), ref: 02D019DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01A09
lstrcpy.KERNEL32(00000000,?), ref: 02D01B5A
lstrcat.KERNEL32(00000000,00000000), ref: 02D01B65

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: c4b74769114b713f627fa1af7ac0ecb7a329170a52fe1645dd556dd1b1344424
Instruction ID: 667335946c83d3dd85f59afb4b1ddf51da66e995d80ae2dbdb5abfe71761e1fb
Opcode Fuzzy Hash: c4b74769114b713f627fa1af7ac0ecb7a329170a52fe1645dd556dd1b1344424
Instruction Fuzzy Hash: 1E81197590165A9BCB11EF68DDC8BAEB7B6EF40308F144124E809A73A0EB74DD05CFA4

Function 02D1DF97 Relevance: 24.2, APIs: 16, Instructions: 171stringfilememoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02D1DFAC
RtlAllocateHeap.NTDLL(00000000), ref: 02D1DFB3
wsprintfA.USER32 ref: 02D1DFC9
FindFirstFileA.KERNEL32(?,?), ref: 02D1DFE0
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D1E003
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D1E01D
wsprintfA.USER32 ref: 02D1E03B
DeleteFileA.KERNEL32(?), ref: 02D1E087
CopyFileA.KERNEL32(?,?,00000001), ref: 02D1E054

Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01802
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01866

Part of subcall function 02D1DBE7: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1DC42
Part of subcall function 02D1DBE7: lstrcpy.KERNEL32(00000000,?), ref: 02D1DC75
Part of subcall function 02D1DBE7: lstrcat.KERNEL32(?,00000000), ref: 02D1DC83
Part of subcall function 02D1DBE7: lstrcat.KERNEL32(?,00638B0C), ref: 02D1DC9D
Part of subcall function 02D1DBE7: lstrcat.KERNEL32(?,?), ref: 02D1DCB1
Part of subcall function 02D1DBE7: lstrcat.KERNEL32(?,00638DD8), ref: 02D1DCC5
Part of subcall function 02D1DBE7: lstrcpy.KERNEL32(00000000,?), ref: 02D1DCF5
Part of subcall function 02D1DBE7: GetFileAttributesA.KERNEL32(00000000), ref: 02D1DCFC

FindNextFileA.KERNEL32(00000000,?), ref: 02D1E095
FindClose.KERNEL32(00000000), ref: 02D1E0A4
lstrcat.KERNEL32(?,00638D24), ref: 02D1E0CD
lstrcat.KERNEL32(?,00638A2C), ref: 02D1E0E1
lstrlen.KERNEL32(?), ref: 02D1E0EB
lstrlen.KERNEL32(?), ref: 02D1E0F9
lstrcpy.KERNEL32(00000000,?), ref: 02D1E139

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
String ID:
API String ID: 3181694991-0
Opcode ID: 16588d79e064be33b0955ab269401267c5d66f00aa31094a3ef177447a8a1426
Instruction ID: 619c1710e82e386b019649b3dc15e43a9413cc18240ad52445846097d35b93f5
Opcode Fuzzy Hash: 16588d79e064be33b0955ab269401267c5d66f00aa31094a3ef177447a8a1426
Instruction Fuzzy Hash: F6613F75900209AFCB14EF74DC88AED77BAFF48304F1445A9A94597390EB74AE44CFA0

Function 02D24B17 Relevance: 23.6, APIs: 9, Strings: 6, Instructions: 1120stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 02D24B45
strlen.MSVCRT ref: 02D24B6F

Part of subcall function 02D08BE7: std::_Xinvalid_argument.LIBCPMT ref: 02D08BFD

strlen.MSVCRT ref: 02D24BB4
memcmp.MSVCRT(?,004351EC,?), ref: 02D24BEA

Part of subcall function 02D08BE7: std::_Xinvalid_argument.LIBCPMT ref: 02D08C34
Part of subcall function 02D08BE7: memcpy.MSVCRT(?,00000000,?,00000000,?,?,02D08A37,?,00000000,02D07AFE), ref: 02D08C92

Part of subcall function 02D25AF7: memmove.MSVCRT(?,?,?,00000000), ref: 02D25B3E

strlen.MSVCRT ref: 02D24EAE

Strings

Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: , xrefs: 02D2516B
:, xrefs: 02D24D69
Sec-WebSocket-Version: 13, xrefs: 02D2518F
{"id":1,"method":"Storage.getCookies"}, xrefs: 02D2526A
QC, xrefs: 02D24B50
HTTP/1.1Host: , xrefs: 02D25129

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: strlen$Xinvalid_argumentstd::_$memcmpmemcpymemmove
String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:${"id":1,"method":"Storage.getCookies"}$QC
API String ID: 3894209532-2441679285
Opcode ID: 09200de26881e756e968cafb3f6607e7d6afed7e15c7dc6c433659dd52967857
Instruction ID: 2b421319d626621a232d424c69bd05232d3e1c68bf9c1e296355814c573a3045
Opcode Fuzzy Hash: 09200de26881e756e968cafb3f6607e7d6afed7e15c7dc6c433659dd52967857
Instruction Fuzzy Hash: 60A26B71D012699FDB24DFA4D880BDDBBB6EF48304F5481AAD518A7390DB705E89CFA0

Function 02D1D797 Relevance: 21.2, APIs: 14, Instructions: 183stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02D1D7B4
FindFirstFileA.KERNEL32(?,?), ref: 02D1D7CB
StrCmpCA.SHLWAPI(?,004317A0), ref: 02D1D7EB
StrCmpCA.SHLWAPI(?,004317A4), ref: 02D1D805
lstrcat.KERNEL32(?,00638D24), ref: 02D1D84A
lstrcat.KERNEL32(?,00638BF8), ref: 02D1D85E
lstrcat.KERNEL32(?,?), ref: 02D1D872
lstrcat.KERNEL32(?,?), ref: 02D1D883
lstrcat.KERNEL32(?,00431794), ref: 02D1D895
lstrcat.KERNEL32(?,?), ref: 02D1D8A9
lstrcpy.KERNEL32(00000000,?), ref: 02D1D8E9
lstrcpy.KERNEL32(00000000,?), ref: 02D1D939
FindNextFileA.KERNEL32(00000000,?), ref: 02D1D99E
FindClose.KERNEL32(00000000), ref: 02D1D9AD

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
String ID:
API String ID: 50252434-0
Opcode ID: 2f3143f31f884eba7a7c8b7dced017aca425ee65d456ec9c39855a417081a655
Instruction ID: f1e2c50871909ad37da2a57e09abdc233a126daf311e3f511e2b4d2cf0a6bfe6
Opcode Fuzzy Hash: 2f3143f31f884eba7a7c8b7dced017aca425ee65d456ec9c39855a417081a655
Instruction Fuzzy Hash: 506155B5900219AFCB14EF74DC88ADDB7BAEF48304F108599E94997354EB74AE44CFA0

Function 02D24907 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 02D24920
Process32First.KERNEL32(00000000,00000128), ref: 02D24930
Process32Next.KERNEL32(00000000,00000128), ref: 02D24942
StrCmpCA.SHLWAPI(?,?), ref: 02D24954
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24969
TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24978
CloseHandle.KERNEL32(00000000), ref: 02D2497F
Process32Next.KERNEL32(00000000,00000128), ref: 02D2498D
CloseHandle.KERNEL32(00000000), ref: 02D24998

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: 70b478d2a8c6464d02f581c1e525c602cc254ef5aa1c99b6318404035a9a6b99
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 23018431501224AFE7215B61DC89FFA777EEB44B55F00119CF905A6190EFB49944CFB1

Function 004246A0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246B9
Process32First.KERNEL32(00000000,00000128), ref: 004246C9
Process32Next.KERNEL32(00000000,00000128), ref: 004246DB
StrCmpCA.SHLWAPI(?,?), ref: 004246ED
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424702
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424711
CloseHandle.KERNEL32(00000000), ref: 00424718
Process32Next.KERNEL32(00000000,00000128), ref: 00424726
CloseHandle.KERNEL32(00000000), ref: 00424731

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: c0af82d2220ffa974d571ce9e7a5dccbaa51854a96d9eb04d24fe49588ec8ce6
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 4101A1316012246BE7205B60AC88FFB777DEB85B41F00009DF90592180EFB899408EB4

Function 02D14D90 Relevance: 12.1, APIs: 8, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14DB8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14DDB
lstrcat.KERNEL32(00000000,00000000), ref: 02D14DE6
lstrlen.KERNEL32(00434CA4), ref: 02D14DF1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14E0E
lstrcat.KERNEL32(00000000,00434CA4), ref: 02D14E1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14E45
FindFirstFileA.KERNEL32(00000000,?), ref: 02D14E61

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: 0c8f911dd7eb7d508db889a4e1b985111a9b4ff907de9bb3503cd3c6a71a84cd
Instruction ID: 015277de4d726edafe1297d325c4d57dea27add49f5e8276044731d55f06ee35
Opcode Fuzzy Hash: 0c8f911dd7eb7d508db889a4e1b985111a9b4ff907de9bb3503cd3c6a71a84cd
Instruction Fuzzy Hash: 2A31F775502656ABCB21AF68EDCCF9EB7A6EF40718F104124AC0497BA0DB74AC05CFA4

Function 02D22FC7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27447: lstrcpy.KERNEL32(00000000,ERROR), ref: 02D27465

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02D23002
LocalAlloc.KERNEL32(00000040,00000000), ref: 02D23014
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02D23021
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02D23053
LocalFree.KERNEL32(00000000), ref: 02D23231

Strings

/ , xrefs: 02D23066

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 6caac9e4e9da962acb08f16bfc44d7664d89c46914e57893374660aea1a7ed6d
Instruction ID: 7b516c50dbb34e1eeb9391203164d97e84b5af2e30969a00b176ed626a1e1434
Opcode Fuzzy Hash: 6caac9e4e9da962acb08f16bfc44d7664d89c46914e57893374660aea1a7ed6d
Instruction Fuzzy Hash: 21B1F570900225CFD755CF58C948B99B7B2EF5432CF29C1A9D409AB3A1D77A9C8ACF90

Function 02D0EC97 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D0ECC2
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 02D0ECDD
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 02D0ECE5
memcpy.MSVCRT(?,?,?), ref: 02D0ED58
lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 02D0ED8E
lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 02D0EDB0

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: aa36a3f23f2687ea5df4b75ef2fc322e42229470604d0d62d71fbb8e12f4794b
Instruction ID: 1553256280f630f8a80da501b9e969f6b773187843ebe4682c9c11c630c79caf
Opcode Fuzzy Hash: aa36a3f23f2687ea5df4b75ef2fc322e42229470604d0d62d71fbb8e12f4794b
Instruction Fuzzy Hash: 1031A475B00229ABDB109B98EC85FEE777AEF44705F044169F909E2280DBB45A04CBE5

Function 02D24877 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 02D2488F
Process32First.KERNEL32(00000000,00000128), ref: 02D2489F
Process32Next.KERNEL32(00000000,00000128), ref: 02D248B1
StrCmpCA.SHLWAPI(?,0043507C), ref: 02D248C7
Process32Next.KERNEL32(00000000,00000128), ref: 02D248D9
CloseHandle.KERNEL32(00000000), ref: 02D248E4

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: bc1922ece39328686c400ed79e45fdf5ef3b47e6cc89be6fbc9388eb7eed7652
Instruction ID: 1df102aa448c2c9ab2cc6560fff2d8bd47e788a6d80a0bbc50d28fd79598377e
Opcode Fuzzy Hash: bc1922ece39328686c400ed79e45fdf5ef3b47e6cc89be6fbc9388eb7eed7652
Instruction Fuzzy Hash: E4014F316112249BE7249B60EC89FEA77BDEF08754F040199FD08D2140EFB49E94CEE1

Function 02D22E77 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02D22EA9
RtlAllocateHeap.NTDLL(00000000), ref: 02D22EB0
GetTimeZoneInformation.KERNEL32(?), ref: 02D22EBF
wsprintfA.USER32 ref: 02D22EEA

Strings

wwww, xrefs: 02D22ED0

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: b0b5cb2ad12498860437fa942ab6e36db069a5d5969e1f97bbf7c175483cae77
Instruction ID: 8a1cf52a8dc03177e526e6eabc9d55337e1979569f45fb36e22fe0f34e62a082
Opcode Fuzzy Hash: b0b5cb2ad12498860437fa942ab6e36db069a5d5969e1f97bbf7c175483cae77
Instruction Fuzzy Hash: F901F771A04614ABC71C8B58DC4AB69B76AEB85721F10432AFD16DB7C0D7B419048AE1

Function 02D27E01 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02D28669
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02D2867E
UnhandledExceptionFilter.KERNEL32(0042C290), ref: 02D28689
GetCurrentProcess.KERNEL32(C0000409), ref: 02D286A5
TerminateProcess.KERNEL32(00000000), ref: 02D286AC

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 350a76b45aa3cd29fb9261b8fc249a567e8dcfeae3210acc4a4a42ce054e5037
Instruction ID: c1ed57a612ff655be3e0c3ff447a98db8a372f320039deee5bda3688e6c4cd22
Opcode Fuzzy Hash: 350a76b45aa3cd29fb9261b8fc249a567e8dcfeae3210acc4a4a42ce054e5037
Instruction Fuzzy Hash: C921CFB5900306DFD761DF14F984A48BBB4FB28304F50606EF41887762EBB069898F6D

Function 02D079B7 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 02D079C5
RtlAllocateHeap.NTDLL(00000000), ref: 02D079CC
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D079F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02D07A14
LocalFree.KERNEL32(?), ref: 02D07A1E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
Instruction ID: de6554a03a95df3dd1ce4d32b5484571b8cad502c041f7fc484e00e9de037cef
Opcode Fuzzy Hash: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
Instruction Fuzzy Hash: 6C011E75B44318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D7B0A900CBE4

Function 00407750 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
HeapAlloc.KERNEL32(00000000), ref: 00407765
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
LocalFree.KERNEL32(?), ref: 004077B7

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
Instruction ID: 1a725d20c68c60ec7f3e027db1d0bf620a8c7a6af013d4c7a88df0b6a2bd9b64
Opcode Fuzzy Hash: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
Instruction Fuzzy Hash: 6A011275B44318BBEB14DB949C4AFAA7B79EB44B15F104159FA05EB2C0D6B0A900CBE4

Function 02D24317 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 02D24334
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 02D24343
RtlAllocateHeap.NTDLL(00000000), ref: 02D2434A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 02D2437A

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: 9cf95839dd4be05ce61ee8e1a0198f7e13ee521eccca6e1aa218e53a61b86d89
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 74011A70600215ABDB14DFA5ED89BAABBADEF95315F105059FD4987340DB70DD40CBA0

Function 004240B0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240CD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240DC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240E3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00424113

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: 804da95bf751652d27495f4eafff97b2fff01ecd0487fb5237b818349f7ed981
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: FD011A70600215ABDB149FA5EC89BABBBAEEF85311F108159BE0987340DA719980CBA4

Function 02D09DE7 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02D09E06
LocalAlloc.KERNEL32(00000040,?), ref: 02D09E1A
memcpy.MSVCRT(00000000,?), ref: 02D09E31
LocalFree.KERNEL32(?), ref: 02D09E3E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: 0cec3629af7e5eeb222207818d72ea4aaa81c732c6ac071d10e233a860a446b6
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: AB011D75A41305AFD711DBA4DC59FAEB779EB44B00F108168FA04AB380DBB09E01CBE4

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B9F
LocalAlloc.KERNEL32(00000040,?), ref: 00409BB3
memcpy.MSVCRT(00000000,?), ref: 00409BCA
LocalFree.KERNEL32(?), ref: 00409BD7

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: a8d62dfbe6203375accfd57a9289b477ef975779ddea21d9cd908cb540d9be87
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 3101FB75A41309ABD7109BA4DC45BABB779EB44700F104169FA04AB381EBB4AE008BE5

Function 02D09D87 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D09DA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 02D09DB1
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D09DC8
LocalFree.KERNEL32 ref: 02D09DD7

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: 80f527f2d7d150f283a23ed55f9f06f66d49c1b58795d18fab6341af8209118c
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 8DF0D0703843126BF7305F65AC99FA67BA9EF04B51F240414FA49EA2D0D7F49840CBB4

Function 00409B20 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B3B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B4A
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B61
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B70

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: fdb19b52b522e7fb6258fb386c859728d3eb4189d8c812c623f7d3b132898295
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 89F0BD703443126BE7305F65AC49F577BA9EF04B61F240515FA45EA2D0D7B49C40CAA4

Function 00423E70 Relevance: 4.6, APIs: 3, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00423EA5
lstrcpy.KERNEL32(00000000,02E197B0), ref: 00423ECF
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404DFA,?,00000014), ref: 00423ED9

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID:
API String ID: 684065273-0
Opcode ID: 421262a5a8aa129839359d508a513974bb3d6816a57e51372254cceb0e03aba1
Instruction ID: 22c005709d4f2ae5032b08e3382f49270a6c1388142e8724bcd7648d8fda4ab7
Opcode Fuzzy Hash: 421262a5a8aa129839359d508a513974bb3d6816a57e51372254cceb0e03aba1
Instruction Fuzzy Hash: 3441AE30A012158FCB14CF25E988666BBF5FF04315B4A84AEE845DB3A2C379DD42CB94

Function 02D1CD47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B110,00000000,00000001,0042B100,?), ref: 02D1CD6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 02D1CDAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 02D1CE30

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 356407dd27f615bd9d7e1c9fd377e8c2577ed93a8701771f82fb0a3cc92fc221
Instruction ID: 0082ced4cf98b3ede1f74d86239eb76902c53104a996643504929ca6169bcb5c
Opcode Fuzzy Hash: 356407dd27f615bd9d7e1c9fd377e8c2577ed93a8701771f82fb0a3cc92fc221
Instruction Fuzzy Hash: C0315071A40614BFD710DB98DC81FAAB7B9EB88B14F504185BA04EB2D0D7B0AE45CFA1

Function 02D0092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 02D0095F
GetProcAddress., xrefs: 02D009DC, 02D009DF, 02D009E4
l, xrefs: 02D00966

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8e308a592e0139ca1871c63a3890020d4a3436b4e2796f7a3645a016a0327c96
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 5A3149B6900609DFDB10CF99D880BAEBBF9FF48325F19404AD441A7360D7B1EA45CBA4

Function 02D299E0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00429737), ref: 02D299E5

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 252c4f8589a9a0e2aa22d50a9ad3e56f841633f2a9f172e4c294358fbd6cbf60
Instruction ID: 87004856bd4916a3ff6221c23c88c6e19af1225d76bc7fe4a43c408fdd2626b1
Opcode Fuzzy Hash: 252c4f8589a9a0e2aa22d50a9ad3e56f841633f2a9f172e4c294358fbd6cbf60
Instruction Fuzzy Hash: 429002B03613108646111B706C0D506A7A09A88762FD108B56055C4094DB645445565D

Function 02DF992B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651990781.0000000002DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df9000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e52be9ed110a430dc578652f980294a7236f586a6c1a40ec08391051687d8f11
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D4117C72740100AFDB84DE55DC90FE673EAEB89220B1A8065EE08CB316E676EC01CB60

Function 02D00D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: e2b61c1dee467ded115664e0f08e156543bd28ca4518cb7d8a21f224583c208f
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 6601A776A106049FDF21CF24C844BAE33E5EB85217F4544A5D506973D2E774AD41CBA0

Function 02D29A63 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 02D29A77
free.MSVCRT ref: 02D29A7F
free.MSVCRT ref: 02D29A87
free.MSVCRT ref: 02D29A8F
free.MSVCRT ref: 02D29A97
free.MSVCRT ref: 02D29A9F
free.MSVCRT ref: 02D29AA6
free.MSVCRT ref: 02D29AAE
free.MSVCRT ref: 02D29AB6
free.MSVCRT ref: 02D29ABE
free.MSVCRT ref: 02D29AC6
free.MSVCRT ref: 02D29ACE
free.MSVCRT ref: 02D29AD6
free.MSVCRT ref: 02D29ADE
free.MSVCRT ref: 02D29AE6
free.MSVCRT ref: 02D29AEE
free.MSVCRT ref: 02D29AF9
free.MSVCRT ref: 02D29B01
free.MSVCRT ref: 02D29B09
free.MSVCRT ref: 02D29B11
free.MSVCRT ref: 02D29B19
free.MSVCRT ref: 02D29B21
free.MSVCRT ref: 02D29B29
free.MSVCRT ref: 02D29B31
free.MSVCRT ref: 02D29B39
free.MSVCRT ref: 02D29B41
free.MSVCRT ref: 02D29B49
free.MSVCRT ref: 02D29B51
free.MSVCRT ref: 02D29B59
free.MSVCRT ref: 02D29B61
free.MSVCRT ref: 02D29B69
free.MSVCRT ref: 02D29B71
free.MSVCRT ref: 02D29B7F
free.MSVCRT ref: 02D29B8A
free.MSVCRT ref: 02D29B95
free.MSVCRT ref: 02D29BA0
free.MSVCRT ref: 02D29BAB
free.MSVCRT ref: 02D29BB6
free.MSVCRT ref: 02D29BC1
free.MSVCRT ref: 02D29BCC
free.MSVCRT ref: 02D29BD7
free.MSVCRT ref: 02D29BE2
free.MSVCRT ref: 02D29BED
free.MSVCRT ref: 02D29BF8
free.MSVCRT ref: 02D29C03
free.MSVCRT ref: 02D29C0E
free.MSVCRT ref: 02D29C19
free.MSVCRT ref: 02D29C24
free.MSVCRT ref: 02D29C32
free.MSVCRT ref: 02D29C3D
free.MSVCRT ref: 02D29C48
free.MSVCRT ref: 02D29C53
free.MSVCRT ref: 02D29C5E
free.MSVCRT ref: 02D29C69
free.MSVCRT ref: 02D29C74
free.MSVCRT ref: 02D29C7F
free.MSVCRT ref: 02D29C8A
free.MSVCRT ref: 02D29C95
free.MSVCRT ref: 02D29CA0
free.MSVCRT ref: 02D29CAB
free.MSVCRT ref: 02D29CB6
free.MSVCRT ref: 02D29CC1
free.MSVCRT ref: 02D29CCC
free.MSVCRT ref: 02D29CD7
free.MSVCRT ref: 02D29CE5
free.MSVCRT ref: 02D29CF0
free.MSVCRT ref: 02D29CFB
free.MSVCRT ref: 02D29D06
free.MSVCRT ref: 02D29D11
free.MSVCRT ref: 02D29D1C
free.MSVCRT ref: 02D29D27
free.MSVCRT ref: 02D29D32
free.MSVCRT ref: 02D29D3D
free.MSVCRT ref: 02D29D48
free.MSVCRT ref: 02D29D53
free.MSVCRT ref: 02D29D5E
free.MSVCRT ref: 02D29D69
free.MSVCRT ref: 02D29D74
free.MSVCRT ref: 02D29D7F
free.MSVCRT ref: 02D29D8A
free.MSVCRT ref: 02D29D98
free.MSVCRT ref: 02D29DA3
free.MSVCRT ref: 02D29DAE
free.MSVCRT ref: 02D29DB9
free.MSVCRT ref: 02D29DC4
free.MSVCRT ref: 02D29DCF

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 4f1a5a5fb74b7302a0a361009b0ff83bd11e3cd6a29ce37baf92db9de409389a
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 12710631010B249BE7723B31DD01A6DF6BBFF22308F14691495D6227BC8A226D69DF71

Function 02D188DF Relevance: 66.4, APIs: 44, Instructions: 386stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?), ref: 02D18911

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

StrStrA.SHLWAPI(?,00638C08), ref: 02D18936
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18955
lstrlen.KERNEL32(?), ref: 02D18968
wsprintfA.USER32 ref: 02D18978
lstrcpy.KERNEL32(?,?), ref: 02D1898E
StrStrA.SHLWAPI(?,00638C94), ref: 02D189BB
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D189E2
lstrlen.KERNEL32(?), ref: 02D189F5
wsprintfA.USER32 ref: 02D18A05
lstrcpy.KERNEL32(?,006393D0), ref: 02D18A1B
StrStrA.SHLWAPI(?,00638C5C), ref: 02D18A48
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18A67
lstrlen.KERNEL32(?), ref: 02D18A7A
wsprintfA.USER32 ref: 02D18A8A
lstrcpy.KERNEL32(?,?), ref: 02D18AA0
StrStrA.SHLWAPI(?,00638ABC), ref: 02D18ACD
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18AEC
lstrlen.KERNEL32(?), ref: 02D18AFF
wsprintfA.USER32 ref: 02D18B0F
lstrcpy.KERNEL32(?,?), ref: 02D18B25
StrStrA.SHLWAPI(?,00638AD0), ref: 02D18B52
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18B79
lstrlen.KERNEL32(?), ref: 02D18B8C
wsprintfA.USER32 ref: 02D18B9C
lstrcpy.KERNEL32(?,006393D0), ref: 02D18BB2
StrStrA.SHLWAPI(?,0063891C), ref: 02D18BDF
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18BFE
lstrlen.KERNEL32(?), ref: 02D18C11
wsprintfA.USER32 ref: 02D18C21
lstrcpy.KERNEL32(?,?), ref: 02D18C37
StrStrA.SHLWAPI(?,00638D3C), ref: 02D18C64
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18C83
lstrlen.KERNEL32(?), ref: 02D18C96
wsprintfA.USER32 ref: 02D18CA6
lstrcpy.KERNEL32(?,?), ref: 02D18CBC
StrStrA.SHLWAPI(?,00638B34), ref: 02D18CE9
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02D18D10
lstrlen.KERNEL32(?), ref: 02D18D23
wsprintfA.USER32 ref: 02D18D33
lstrcpy.KERNEL32(?,006393D0), ref: 02D18D49
lstrlen.KERNEL32(?), ref: 02D18D6E
lstrcpy.KERNEL32(00000000,?), ref: 02D18DA3
strtok_s.MSVCRT ref: 02D18EC1

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcpynwsprintf$FolderPathstrtok_s
String ID:
API String ID: 2042561329-0
Opcode ID: 18514cee2498f856c707f44b31815a1ad9abd94cfb5832b68fa0a969b094c959
Instruction ID: 7eadd26b02ac06841b6ab90e27a0a3a32547df27429a747a6bb40bec33ed53ff
Opcode Fuzzy Hash: 18514cee2498f856c707f44b31815a1ad9abd94cfb5832b68fa0a969b094c959
Instruction Fuzzy Hash: E5E16FB1A05614AFDB10DB64DD48ADAB7BAEF88300F144199F909E7350DBB0AE05CFB0

Function 02D021E0 Relevance: 54.4, APIs: 36, Instructions: 407stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D02206
lstrlen.KERNEL32(006389F0), ref: 02D02215
lstrcpy.KERNEL32(00000000,?), ref: 02D02242
lstrcat.KERNEL32(00000000,?), ref: 02D0224A
lstrlen.KERNEL32(00431794), ref: 02D02255
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02275
lstrcat.KERNEL32(00000000,00431794), ref: 02D02281
lstrcpy.KERNEL32(00000000,?), ref: 02D022A9
lstrcat.KERNEL32(00000000,00000000), ref: 02D022B4
lstrlen.KERNEL32(00431794), ref: 02D022BF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D022DC
lstrcat.KERNEL32(00000000,00431794), ref: 02D022E8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02313
lstrlen.KERNEL32(?), ref: 02D0234B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0236B
lstrcat.KERNEL32(00000000,?), ref: 02D02379
lstrcpy.KERNEL32(00000000,00000000), ref: 02D023A0
lstrlen.KERNEL32(00431794), ref: 02D023B2
lstrcpy.KERNEL32(00000000,00000000), ref: 02D023D2
lstrcat.KERNEL32(00000000,00431794), ref: 02D023DE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02404
lstrcat.KERNEL32(00000000,00000000), ref: 02D0240F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0243B
lstrlen.KERNEL32(?), ref: 02D02451
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02471
lstrcat.KERNEL32(00000000,?), ref: 02D0247F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D024A9
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D024E6
lstrlen.KERNEL32(00638CA4), ref: 02D024F4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02518
lstrcat.KERNEL32(00000000,00638CA4), ref: 02D02520
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0255E
lstrcat.KERNEL32(00000000), ref: 02D0256B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02594
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D025BD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D025E9
lstrcpy.KERNEL32(00000000,00000000), ref: 02D02626
DeleteFileA.KERNEL32(00000000), ref: 02D0265E
FindNextFileA.KERNEL32(00000000,?), ref: 02D026AB
FindClose.KERNEL32(00000000), ref: 02D026BA

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
String ID:
API String ID: 2857443207-0
Opcode ID: 3ef745759e559b95ce9c0926d959cffad3ceca5b2ca35f7e6a40af200e4673fc
Instruction ID: af2e557a049e9e0c6683ef9ad933807efe08e84d18c2991df26d292e8b7109e9
Opcode Fuzzy Hash: 3ef745759e559b95ce9c0926d959cffad3ceca5b2ca35f7e6a40af200e4673fc
Instruction Fuzzy Hash: B9E1E575A026569BCB11AFB4CDCCB9EB7AAEF44308F148424AC05A73A0DB74DD05CFA4

Function 00401190 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004011AA

Part of subcall function 00401120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
Part of subcall function 00401120: HeapAlloc.KERNEL32(00000000), ref: 0040113C
Part of subcall function 00401120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
Part of subcall function 00401120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
Part of subcall function 00401120: RegCloseKey.ADVAPI32(?), ref: 0040117D

lstrcatA.KERNEL32(?,00000000), ref: 004011C0
lstrlenA.KERNEL32(?), ref: 004011CD
lstrcatA.KERNEL32(?,.keys), ref: 004011E8
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 0040121F
lstrlenA.KERNEL32(02E175E8), ref: 0040122D
lstrcpy.KERNEL32(00000000,?), ref: 00401251
lstrcatA.KERNEL32(00000000,02E175E8), ref: 00401259
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401264
lstrcpy.KERNEL32(00000000,00000000), ref: 00401288
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401294
lstrcpy.KERNEL32(00000000,00000000), ref: 004012BA
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 004012FF
lstrlenA.KERNEL32(02E1E008), ref: 0040130E
lstrcpy.KERNEL32(00000000,?), ref: 00401335
lstrcatA.KERNEL32(00000000,?), ref: 0040133D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401378
lstrcatA.KERNEL32(00000000), ref: 00401385
lstrcpy.KERNEL32(00000000,00000000), ref: 004013AC
CopyFileA.KERNEL32(?,?,00000001), ref: 004013D5
lstrcpy.KERNEL32(00000000,?), ref: 00401401
lstrcpy.KERNEL32(00000000,?), ref: 0040143D

Part of subcall function 0041EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0041EE12

DeleteFileA.KERNEL32(?), ref: 00401471
memset.MSVCRT ref: 0040148E

Strings

\Monero\wallet.keys, xrefs: 0040125F, 0040128E
.keys, xrefs: 004011DC

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: d193e21760b913851f032afc158483612852c13e12e6026be582793bec16aa20
Instruction ID: 5b1f9cedebb7301d79ff4b17b31e59388bd9e0eda9de9398fffc4fbee8d4e41d
Opcode Fuzzy Hash: d193e21760b913851f032afc158483612852c13e12e6026be582793bec16aa20
Instruction Fuzzy Hash: CBA15C71B102059BCB21ABB9DD89A9F77B9AF44304F04107AF905F72E1DB78DD058BA8

Function 02D15A07 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D15A3C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02D15A6B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15A9C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15AC4
lstrcat.KERNEL32(00000000,00000000), ref: 02D15ACF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15AF7
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15B2F
lstrcat.KERNEL32(00000000,00000000), ref: 02D15B3A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15B5F
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D15B95
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15BBD
lstrcat.KERNEL32(00000000,00000000), ref: 02D15BC8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15BEF
lstrlen.KERNEL32(00431794), ref: 02D15C01
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15C20
lstrcat.KERNEL32(00000000,00431794), ref: 02D15C2C
lstrlen.KERNEL32(00638DD8), ref: 02D15C3B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15C5E
lstrcat.KERNEL32(00000000,00000000), ref: 02D15C69
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15C93
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15CBF
GetFileAttributesA.KERNEL32(00000000), ref: 02D15CC6
lstrcpy.KERNEL32(00000000,?), ref: 02D15D1E
lstrcpy.KERNEL32(00000000,?), ref: 02D15D94
lstrcpy.KERNEL32(00000000,?), ref: 02D15DBD
lstrcpy.KERNEL32(00000000,?), ref: 02D15DF0
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15E1C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D15E56
lstrcpy.KERNEL32(00000000,?), ref: 02D15EB3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D15ED7

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: eca8acabcf741f8b3cf38b95802c8dd6a918646a14f7c24f35edd9d23cabb5b5
Instruction ID: 4edd79c7d453743d102c633c0f622176ad91bddcaa91505a0bf4d683f1fc4927
Opcode Fuzzy Hash: eca8acabcf741f8b3cf38b95802c8dd6a918646a14f7c24f35edd9d23cabb5b5
Instruction Fuzzy Hash: 87026371A01246ABCB21AF74EDCCA9EBBB6EF44304F544428E80597790DB78DD45CFA4

Function 02D16677 Relevance: 43.9, APIs: 29, Instructions: 438stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D166AC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D166E7
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D16711
lstrcpy.KERNEL32(00000000,00000000), ref: 02D16748
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1676D
lstrcat.KERNEL32(00000000,00000000), ref: 02D16775
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1679E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 5065eb540a5537ba5602e15ae87ae4d3f8e8da563b7481b3c869affb913a7e6a
Instruction ID: 2d30d751c2b5c41e12ae4e65473e460c4216260001032d7fe555c94f77ce42fa
Opcode Fuzzy Hash: 5065eb540a5537ba5602e15ae87ae4d3f8e8da563b7481b3c869affb913a7e6a
Instruction Fuzzy Hash: 68F16270A01656ABCB11AF74DC8CBADBBAAEF04304F148468E81597BA4DB74DC45CFE0

Function 02D21E57 Relevance: 43.7, APIs: 29, Instructions: 218stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02D26650
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02D26669
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 02D26681
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 02D26699
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 02D266B2
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 02D266CA
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02D266E2
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 02D266FB
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02D26713
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 02D2672B
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02D26744
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 02D2675C
Part of subcall function 02D265F7: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 02D26774

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D21E96
ExitProcess.KERNEL32 ref: 02D21ECE
GetSystemInfo.KERNEL32(?), ref: 02D21ED8
ExitProcess.KERNEL32 ref: 02D21EE6

Part of subcall function 02D01297: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02D012AD
Part of subcall function 02D01297: VirtualAllocExNuma.KERNEL32(00000000), ref: 02D012B4
Part of subcall function 02D01297: ExitProcess.KERNEL32 ref: 02D012BF

Part of subcall function 02D01327: GlobalMemoryStatusEx.KERNEL32 ref: 02D01351
Part of subcall function 02D01327: ExitProcess.KERNEL32 ref: 02D0137B

GetUserDefaultLangID.KERNEL32 ref: 02D21EF6
ExitProcess.KERNEL32 ref: 02D21F48

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtuallstrcpy
String ID:
API String ID: 1589815927-0
Opcode ID: c9abc042eacc02d025ee3f4a719d2fd45bea0eec9f21e56f57314178547b8acb
Instruction ID: af2b5010ecf5eb82460b63f4535fed43ef37ea43121c2a55b00fc1fecfd94412
Opcode Fuzzy Hash: c9abc042eacc02d025ee3f4a719d2fd45bea0eec9f21e56f57314178547b8acb
Instruction Fuzzy Hash: 21718F315012269BDB20ABB0DD8CBAE7AABEF55749F145028F905972A4DF74DC09CFB0

Function 004092B0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090C0: InternetOpenA.WININET(Function_0002CFEC,00000001,00000000,00000000,00000000), ref: 004090DF
Part of subcall function 004090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
Part of subcall function 004090C0: InternetCloseHandle.WININET(00000000), ref: 00409109
Part of subcall function 004090C0: strlen.MSVCRT ref: 00409125

strlen.MSVCRT ref: 004092E1
strlen.MSVCRT ref: 004092FA

Part of subcall function 00417E30: memchr.MSVCRT ref: 00417E6F
Part of subcall function 00417E30: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417E89
Part of subcall function 00417E30: memchr.MSVCRT ref: 00417EA8

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

memset.MSVCRT ref: 00409341
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
lstrcatA.KERNEL32(?,00000000), ref: 00409372
strlen.MSVCRT ref: 00409399
strlen.MSVCRT ref: 004093E6
memcmp.MSVCRT(?,Function_0002CFEC,?), ref: 0040940B
memset.MSVCRT ref: 00409532
lstrcatA.KERNEL32(?,cookies), ref: 00409547
lstrcatA.KERNEL32(?,00431794), ref: 00409559
lstrcatA.KERNEL32(?,?), ref: 0040956A
lstrcatA.KERNEL32(?,00434B98), ref: 0040957C
lstrcatA.KERNEL32(?,?), ref: 0040958D
lstrcatA.KERNEL32(?,.txt), ref: 0040959F
lstrlenA.KERNEL32(?), ref: 004095B6
lstrlenA.KERNEL32(?), ref: 004095DB
lstrcpy.KERNEL32(00000000,?), ref: 00409614
memset.MSVCRT ref: 0040965C

Strings

/devtools, xrefs: 004092F5, 00409300
.txt, xrefs: 00409593
localhost, xrefs: 004092CA, 004092E8
ws://localhost:9229, xrefs: 00409350
cookies, xrefs: 0040953B

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: d48637b6719d8f96c9213796787e210675e0996336a527ebb663fddc1dbdf154
Instruction ID: 14f5b6a0603da56145a1f149ec3f4ec4d562d20c5ba75c6a8b5cb729d4dfbb0d
Opcode Fuzzy Hash: d48637b6719d8f96c9213796787e210675e0996336a527ebb663fddc1dbdf154
Instruction Fuzzy Hash: 53E11771E00218DBDF14DFA9D984ADEBBB5BF48304F10446AE509B7281DB78AE45CF98

Function 02D145D7 Relevance: 39.3, APIs: 26, Instructions: 334stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1460A
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1463D
lstrcpy.KERNEL32(00000000,?), ref: 02D14665
lstrcat.KERNEL32(00000000,00000000), ref: 02D14670
lstrlen.KERNEL32(00434CF0), ref: 02D1467B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14698
lstrcat.KERNEL32(00000000,00434CF0), ref: 02D146A4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D146CD
lstrcat.KERNEL32(00000000,00000000), ref: 02D146D8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D146FF
lstrcpy.KERNEL32(00000000,?), ref: 02D1473E
lstrcat.KERNEL32(00000000,?), ref: 02D14746
lstrlen.KERNEL32(00431794), ref: 02D14751
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1476E
lstrcat.KERNEL32(00000000,00431794), ref: 02D1477A
lstrlen.KERNEL32(00434D04), ref: 02D14785
lstrcpy.KERNEL32(00000000,00000000), ref: 02D147A2
lstrcat.KERNEL32(00000000,00434D04), ref: 02D147AE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D147D5
lstrcpy.KERNEL32(00000000,?), ref: 02D14807
GetFileAttributesA.KERNEL32(00000000), ref: 02D1480E
lstrcpy.KERNEL32(00000000,?), ref: 02D14868
lstrcpy.KERNEL32(00000000,?), ref: 02D14891
lstrcpy.KERNEL32(00000000,?), ref: 02D148BA
lstrcpy.KERNEL32(00000000,?), ref: 02D148E2
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14916

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
String ID:
API String ID: 1033685851-0
Opcode ID: 0ad0913afd8c1328d1a6b66bdd8b7e16a2ecb3d1e858f4ecd6d31718e7f09922
Instruction ID: ddbf29b244aa2c15a6a303edf433bdbfd688e75e0ebbee821de8ee77bac8aec8
Opcode Fuzzy Hash: 0ad0913afd8c1328d1a6b66bdd8b7e16a2ecb3d1e858f4ecd6d31718e7f09922
Instruction Fuzzy Hash: 0DB14175A02696ABCB11AF74DD8CAAE77AAEF04708F144524E805E77A0DB74DC04CFA4

Function 02D1AE19 Relevance: 39.3, APIs: 25, Strings: 1, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 02D1AE36
lstrlen.KERNEL32(00638DD4), ref: 02D1AE4C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AE74
lstrcat.KERNEL32(00000000,00000000), ref: 02D1AE7F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AEA8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AEEB
lstrcat.KERNEL32(00000000,00000000), ref: 02D1AEF5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AF1E
lstrlen.KERNEL32(00434AD4), ref: 02D1AF38
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AF5A
lstrcat.KERNEL32(00000000,00434AD4), ref: 02D1AF66
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AF8F
lstrlen.KERNEL32(00434AD4), ref: 02D1AFA1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AFC3
lstrcat.KERNEL32(00000000,00434AD4), ref: 02D1AFCF
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1AFF8
lstrlen.KERNEL32(00638DB8), ref: 02D1B00E
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1B036
lstrcat.KERNEL32(00000000,00000000), ref: 02D1B041
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1B06A
lstrcpy.KERNEL32(00000000,?), ref: 02D1B0A6
lstrcat.KERNEL32(00000000,00000000), ref: 02D1B0B0
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1B0D6
lstrlen.KERNEL32(00000000), ref: 02D1B0EC
lstrcpy.KERNEL32(00000000,00638A98), ref: 02D1B11F

Strings

f, xrefs: 02D1AE19

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID: f
API String ID: 2762123234-1993550816
Opcode ID: 188521429213a4490580d65eede3cbdd68b32f9f61f7551c6e75461d2c3815fe
Instruction ID: 01b25f54037ecf90d3e0c31ad58fdbb1e368ff75a7d59dc8a96ba93377d82051
Opcode Fuzzy Hash: 188521429213a4490580d65eede3cbdd68b32f9f61f7551c6e75461d2c3815fe
Instruction Fuzzy Hash: F6B13C75902616ABCB11AF64DC8CBAEB7B6EF45308F144525E814A7BA0EB74DD04CFA0

Function 02D099D3 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 236stringsleepprocessCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 02D09A07
lstrcat.KERNEL32(?,?), ref: 02D09A18
lstrcat.KERNEL32(?,00434BA4), ref: 02D09A2A

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

wsprintfA.USER32 ref: 02D09A6D
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02D09A8E
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02D09AAB

Part of subcall function 02D24907: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 02D24920
Part of subcall function 02D24907: Process32First.KERNEL32(00000000,00000128), ref: 02D24930
Part of subcall function 02D24907: Process32Next.KERNEL32(00000000,00000128), ref: 02D24942
Part of subcall function 02D24907: StrCmpCA.SHLWAPI(?,?), ref: 02D24954
Part of subcall function 02D24907: OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24969
Part of subcall function 02D24907: TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24978
Part of subcall function 02D24907: CloseHandle.KERNEL32(00000000), ref: 02D2497F
Part of subcall function 02D24907: Process32Next.KERNEL32(00000000,00000128), ref: 02D2498D
Part of subcall function 02D24907: CloseHandle.KERNEL32(00000000), ref: 02D24998

memset.MSVCRT ref: 02D09AC9
lstrcat.KERNEL32(00000000,?), ref: 02D09ADF
lstrcat.KERNEL32(00000000,?), ref: 02D09AF0
lstrcat.KERNEL32(00000000,00434B60), ref: 02D09B02
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02D09B3B
lstrcpy.KERNEL32(00000000,?), ref: 02D09B6A
StrStrA.SHLWAPI(00000000,00638C5C), ref: 02D09B80
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 02D09B9F
lstrlen.KERNEL32(?), ref: 02D09BB2
wsprintfA.USER32 ref: 02D09BC2
lstrcpy.KERNEL32(?,00000000), ref: 02D09BD8
memset.MSVCRT ref: 02D09BED
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 02D09C3F
Sleep.KERNEL32(00001388), ref: 02D09C4E

Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01802
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01866

Part of subcall function 02D249A7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 02D249C0
Part of subcall function 02D249A7: Process32First.KERNEL32(00000000,00000128), ref: 02D249D0
Part of subcall function 02D249A7: Process32Next.KERNEL32(00000000,00000128), ref: 02D249E2
Part of subcall function 02D249A7: OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24A03
Part of subcall function 02D249A7: TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24A12
Part of subcall function 02D249A7: CloseHandle.KERNEL32(00000000), ref: 02D24A19
Part of subcall function 02D249A7: Process32Next.KERNEL32(00000000,00000128), ref: 02D24A27
Part of subcall function 02D249A7: CloseHandle.KERNEL32(00000000), ref: 02D24A32

CloseDesktop.USER32(?), ref: 02D09C83

Strings

D, xrefs: 02D09C00

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32lstrcat$CloseProcess$CreateHandleNext$DesktopOpen$FirstSnapshotTerminateToolhelp32memsetwsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: D
API String ID: 3267785154-2746444292
Opcode ID: ffa00ccfa7c873f4eaa158a8fcc16a514a9672285c81674f977830100ce25e53
Instruction ID: c33423bb84e334d5b70a7a060ed6121c1eb3d649d1238ed4a0fa1a67e802db85
Opcode Fuzzy Hash: ffa00ccfa7c873f4eaa158a8fcc16a514a9672285c81674f977830100ce25e53
Instruction Fuzzy Hash: 54915375900218AFDB14DB64DC89FDEB7B9EF48704F108599FA0997290DBB0AE44CFA4

Function 02D099D7 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 233stringsleepprocessCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 02D09A07
lstrcat.KERNEL32(?,?), ref: 02D09A18
lstrcat.KERNEL32(?,00434BA4), ref: 02D09A2A

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

wsprintfA.USER32 ref: 02D09A6D
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02D09A8E
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02D09AAB

Part of subcall function 02D24907: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 02D24920
Part of subcall function 02D24907: Process32First.KERNEL32(00000000,00000128), ref: 02D24930
Part of subcall function 02D24907: Process32Next.KERNEL32(00000000,00000128), ref: 02D24942
Part of subcall function 02D24907: StrCmpCA.SHLWAPI(?,?), ref: 02D24954
Part of subcall function 02D24907: OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24969
Part of subcall function 02D24907: TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24978
Part of subcall function 02D24907: CloseHandle.KERNEL32(00000000), ref: 02D2497F
Part of subcall function 02D24907: Process32Next.KERNEL32(00000000,00000128), ref: 02D2498D
Part of subcall function 02D24907: CloseHandle.KERNEL32(00000000), ref: 02D24998

memset.MSVCRT ref: 02D09AC9
lstrcat.KERNEL32(00000000,?), ref: 02D09ADF
lstrcat.KERNEL32(00000000,?), ref: 02D09AF0
lstrcat.KERNEL32(00000000,00434B60), ref: 02D09B02
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02D09B3B
lstrcpy.KERNEL32(00000000,?), ref: 02D09B6A
StrStrA.SHLWAPI(00000000,00638C5C), ref: 02D09B80
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 02D09B9F
lstrlen.KERNEL32(?), ref: 02D09BB2
wsprintfA.USER32 ref: 02D09BC2
lstrcpy.KERNEL32(?,00000000), ref: 02D09BD8
memset.MSVCRT ref: 02D09BED
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 02D09C3F
Sleep.KERNEL32(00001388), ref: 02D09C4E

Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01802
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01866

Part of subcall function 02D249A7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 02D249C0
Part of subcall function 02D249A7: Process32First.KERNEL32(00000000,00000128), ref: 02D249D0
Part of subcall function 02D249A7: Process32Next.KERNEL32(00000000,00000128), ref: 02D249E2
Part of subcall function 02D249A7: OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24A03
Part of subcall function 02D249A7: TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24A12
Part of subcall function 02D249A7: CloseHandle.KERNEL32(00000000), ref: 02D24A19
Part of subcall function 02D249A7: Process32Next.KERNEL32(00000000,00000128), ref: 02D24A27
Part of subcall function 02D249A7: CloseHandle.KERNEL32(00000000), ref: 02D24A32

CloseDesktop.USER32(?), ref: 02D09C83

Strings

D, xrefs: 02D09C00

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32lstrcat$CloseProcess$CreateHandleNext$DesktopOpen$FirstSnapshotTerminateToolhelp32memsetwsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: D
API String ID: 3267785154-2746444292
Opcode ID: c8b9cdd6addf4576e781366e8a69b0aa9a5a56e3c77a009e668f4170de131511
Instruction ID: 31577c939870a2a584cf1c83b0c6234ef87840896bde7b16d8550a910c594abe
Opcode Fuzzy Hash: c8b9cdd6addf4576e781366e8a69b0aa9a5a56e3c77a009e668f4170de131511
Instruction Fuzzy Hash: 13914375900218AFDB10DB64DC89FDEB7B9EF48704F108199F50997290DBB1AE44CFA4

Function 00421820 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042184F
lstrlenA.KERNEL32(02DF40E0,00000000,00000000,?,?,00421B81), ref: 00421860
lstrcpy.KERNEL32(00000000,00000000), ref: 00421887
lstrcatA.KERNEL32(00000000,00000000), ref: 00421892
lstrcpy.KERNEL32(00000000,00000000), ref: 004218C1
lstrlenA.KERNEL32(00434F9C,?,?,00421B81), ref: 004218D3
lstrcpy.KERNEL32(00000000,00000000), ref: 004218F4
lstrcatA.KERNEL32(00000000,00434F9C,?,?,00421B81), ref: 00421900
lstrcpy.KERNEL32(00000000,00000000), ref: 0042192F
lstrlenA.KERNEL32(02DF4100,?,?,00421B81), ref: 00421945
lstrcpy.KERNEL32(00000000,00000000), ref: 0042196C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421977
lstrcpy.KERNEL32(00000000,00000000), ref: 004219A6
lstrlenA.KERNEL32(00434F9C,?,?,00421B81), ref: 004219B8
lstrcpy.KERNEL32(00000000,00000000), ref: 004219D9
lstrcatA.KERNEL32(00000000,00434F9C,?,?,00421B81), ref: 004219E5
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A14
lstrlenA.KERNEL32(02DF4120,?,?,00421B81), ref: 00421A2A
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A51
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A5C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A8B
lstrlenA.KERNEL32(02DF4080,?,?,00421B81), ref: 00421AA1
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC8
lstrcatA.KERNEL32(00000000,00000000), ref: 00421AD3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421B02

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 2e7111f3e1e8d831c03b92a1e92bedf09d5f685c95c5d4d8b02b1b18e4c2687d
Instruction ID: 3fd8cf0d8fe79b35c8f59d64ffc5d3ace3c11d514ec93a2171918c99a43e8bb8
Opcode Fuzzy Hash: 2e7111f3e1e8d831c03b92a1e92bedf09d5f685c95c5d4d8b02b1b18e4c2687d
Instruction Fuzzy Hash: 979120B07017039BD720AFB9DD88A17B7E9AF14344B54543EB886D33A1DB78D845CB64

Function 02D013F7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D01411

Part of subcall function 02D01387: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D0139C
Part of subcall function 02D01387: RtlAllocateHeap.NTDLL(00000000), ref: 02D013A3
Part of subcall function 02D01387: RegOpenKeyExA.ADVAPI32(80000001,00431754,00000000,00020119,?), ref: 02D013C0
Part of subcall function 02D01387: RegQueryValueExA.ADVAPI32(?,00431748,00000000,00000000,00000000,000000FF), ref: 02D013DA
Part of subcall function 02D01387: RegCloseKey.ADVAPI32(?), ref: 02D013E4

lstrcat.KERNEL32(?,00000000), ref: 02D01427
lstrlen.KERNEL32(?), ref: 02D01434
lstrcat.KERNEL32(?,00431778), ref: 02D0144F
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01486
lstrlen.KERNEL32(006389F0), ref: 02D01494
lstrcpy.KERNEL32(00000000,?), ref: 02D014B8
lstrcat.KERNEL32(00000000,006389F0), ref: 02D014C0
lstrlen.KERNEL32(00431780), ref: 02D014CB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D014EF
lstrcat.KERNEL32(00000000,00431780), ref: 02D014FB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01521
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D01566
lstrlen.KERNEL32(00638CA4), ref: 02D01575
lstrcpy.KERNEL32(00000000,?), ref: 02D0159C
lstrcat.KERNEL32(00000000,?), ref: 02D015A4
lstrcpy.KERNEL32(00000000,00000000), ref: 02D015DF
lstrcat.KERNEL32(00000000), ref: 02D015EC
lstrcpy.KERNEL32(00000000,00000000), ref: 02D01613
CopyFileA.KERNEL32(?,?,00000001), ref: 02D0163C
lstrcpy.KERNEL32(00000000,?), ref: 02D01668
lstrcpy.KERNEL32(00000000,?), ref: 02D016A4

Part of subcall function 02D1F047: lstrcpy.KERNEL32(00000000,?), ref: 02D1F079

DeleteFileA.KERNEL32(?), ref: 02D016D8
memset.MSVCRT ref: 02D016F5

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 4c77c06fc6bfbf7e2885e90edbd79799df700ef0be800a0fa542113122d01cbf
Instruction ID: 267c81aed942a854308250a0bbff6f458a40c118d9e1b96e194db39145e87146
Opcode Fuzzy Hash: 4c77c06fc6bfbf7e2885e90edbd79799df700ef0be800a0fa542113122d01cbf
Instruction Fuzzy Hash: 4DA11B75A012569BCB11ABB4CDCCB9EBBBAEF44304F544428E909A73A0DB74DD05CFA4

Function 00418CA0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,00000000,?,?,0042079B), ref: 00418CBA
ExitProcess.KERNEL32 ref: 00418CC7
strtok_s.MSVCRT ref: 00418CD9

Strings

block, xrefs: 00418CAB

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 3389e23817480750e9328c393260997ebb1d046b1e32a7a93ed99d3895b4b957
Instruction ID: 8a8c59f1aab1cb96be6784030a5ca16aa0355bed4485c802314b17a26c7986f2
Opcode Fuzzy Hash: 3389e23817480750e9328c393260997ebb1d046b1e32a7a93ed99d3895b4b957
Instruction Fuzzy Hash: CD518A70A00701EFCB209F75DD88AAB77F4BB55B05B10182EE442D6650DBBCE6818FA9

Function 02D21A87 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D21AB6
lstrlen.KERNEL32(00638DEC), ref: 02D21AC7
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21AEE
lstrcat.KERNEL32(00000000,00000000), ref: 02D21AF9
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B28
lstrlen.KERNEL32(00434F9C), ref: 02D21B3A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B5B
lstrcat.KERNEL32(00000000,00434F9C), ref: 02D21B67
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B96
lstrlen.KERNEL32(00638B1C), ref: 02D21BAC
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21BD3
lstrcat.KERNEL32(00000000,00000000), ref: 02D21BDE
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21C0D
lstrlen.KERNEL32(00434F9C), ref: 02D21C1F
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21C40
lstrcat.KERNEL32(00000000,00434F9C), ref: 02D21C4C
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21C7B
lstrlen.KERNEL32(00638D70), ref: 02D21C91
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21CB8
lstrcat.KERNEL32(00000000,00000000), ref: 02D21CC3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21CF2
lstrlen.KERNEL32(00638D6C), ref: 02D21D08
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21D2F
lstrcat.KERNEL32(00000000,00000000), ref: 02D21D3A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21D69

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 8da9be1777f01efb1075c843e8ebc578fd0baf71eb8635b7467494a2e4d9551d
Instruction ID: 6d6e4f5ccb26d9555ed102974d2b207a5acc8e2f2207e6876a6ded03ed224ac7
Opcode Fuzzy Hash: 8da9be1777f01efb1075c843e8ebc578fd0baf71eb8635b7467494a2e4d9551d
Instruction Fuzzy Hash: 8B912CB46017439BD7209FB9CCC8A56B7EAEF14308F149829A885D33A1DB74EC44DF60

Function 02D149C7 Relevance: 30.3, APIs: 18, Strings: 2, Instructions: 309stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D149FA
LocalAlloc.KERNEL32(00000040,?), ref: 02D14A2C
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14A79
lstrlen.KERNEL32(00434B60), ref: 02D14A84
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14AA1
lstrcat.KERNEL32(00000000,00434B60), ref: 02D14AAD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14AD2
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14AFF
lstrcat.KERNEL32(00000000,00000000), ref: 02D14B0A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D14B31
StrStrA.SHLWAPI(?,00000000), ref: 02D14B43
lstrlen.KERNEL32(?), ref: 02D14B57
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D14B98
lstrcpy.KERNEL32(00000000,?), ref: 02D14C1F
lstrcpy.KERNEL32(00000000,?), ref: 02D14C48
lstrcpy.KERNEL32(00000000,?), ref: 02D14C71
lstrcpy.KERNEL32(00000000,?), ref: 02D14C97
lstrcpy.KERNEL32(00000000,?), ref: 02D14CC4

Strings

moz-extension+++, xrefs: 02D14B9E
^userContextId=4294967295, xrefs: 02D14BBB

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$AllocLocal
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 4107348322-3310892237
Opcode ID: e6b0a6810cf6c4817a04f1c06385c3c7de7a39cac9f460d4a23f626d9d261afc
Instruction ID: 9a4fabc628c16b9468b1625ff09152db42e3f2b8f967874ef06cc61e9c1057be
Opcode Fuzzy Hash: e6b0a6810cf6c4817a04f1c06385c3c7de7a39cac9f460d4a23f626d9d261afc
Instruction Fuzzy Hash: 46B15375A012469BCB21EF74DD8CAAEB7A6EF44308F154528EC05A77A0DB74EC05CFA4

Function 02D1F55F Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 391stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00638DB4), ref: 02D1F57C
lstrcpy.KERNEL32(00000000,?), ref: 02D1F60A
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1F62E
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1F6E2
lstrcpy.KERNEL32(00000000,00638DB4), ref: 02D1F722
lstrcpy.KERNEL32(00000000,00638C7C), ref: 02D1F751
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1F805
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 02D1F883
lstrcpy.KERNEL32(00000000,?), ref: 02D1F8B3
lstrcpy.KERNEL32(00000000,?), ref: 02D1F901
StrCmpCA.SHLWAPI(?,ERROR), ref: 02D1F97F
lstrlen.KERNEL32(00638DBC), ref: 02D1F9AD
lstrcpy.KERNEL32(00000000,00638DBC), ref: 02D1F9D8
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1F9FA
lstrcpy.KERNEL32(00000000,?), ref: 02D1FA4B
StrCmpCA.SHLWAPI(?,ERROR), ref: 02D1FC99
lstrlen.KERNEL32(00638BB0), ref: 02D1FCC7
lstrcpy.KERNEL32(00000000,00638BB0), ref: 02D1FCF2
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1FD14
lstrcpy.KERNEL32(00000000,?), ref: 02D1FD65

Strings

ERROR, xrefs: 02D1F979, 02D1FC93, 02D1FFB7

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ERROR
API String ID: 367037083-2861137601
Opcode ID: 78d466b8400d021d7ee17127ce33daffecfa7c9ea5ffd4626243dbc5c437b959
Instruction ID: b4f33a4c607ad154d795bcd1ee5f614069eba257fb0aa22d45b05f4ba7592f38
Opcode Fuzzy Hash: 78d466b8400d021d7ee17127ce33daffecfa7c9ea5ffd4626243dbc5c437b959
Instruction Fuzzy Hash: D3F13F70901301AFDB24DF29E988B69B7E6BF44318B1980ADD8099BBA5D775DC41CF90

Function 02D06EA7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 229networkstringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D06ED6
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D06F29
InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 02D06F3C
StrCmpCA.SHLWAPI(?,00638C80), ref: 02D06F54
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D06F7C
HttpOpenRequestA.WININET(00000000,00434AB8,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 02D06FB7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02D06FDE
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02D06FED
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02D0700C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02D07066
lstrcpy.KERNEL32(00000000,?), ref: 02D070C2
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 02D070E4
InternetCloseHandle.WININET(00000000), ref: 02D070F5
InternetCloseHandle.WININET(?), ref: 02D070FF
InternetCloseHandle.WININET(00000000), ref: 02D07109
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0712A

Strings

ERROR, xrefs: 02D07019

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR
API String ID: 3687753495-2861137601
Opcode ID: be4a6029b89d9d25312199273e0c195fbbd3ab5660e111022585323f103fa897
Instruction ID: 95eaeef9641c7e211f65f8354cd493f8a1dcad4ddbba3907d675fc3b472d3792
Opcode Fuzzy Hash: be4a6029b89d9d25312199273e0c195fbbd3ab5660e111022585323f103fa897
Instruction Fuzzy Hash: 98814F71A41215ABEB20DFA4DC89FAEB7B9EB44704F144158F904EB3D0DB74AD05CBA4

Function 02D1C087 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C0BA
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C0ED
lstrlen.KERNEL32(00434E0C), ref: 02D1C0F8
lstrcpy.KERNEL32(00000000,?), ref: 02D1C118
lstrcat.KERNEL32(00000000,00434E0C), ref: 02D1C124
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C147
lstrcat.KERNEL32(00000000,00000000), ref: 02D1C152
lstrlen.KERNEL32(00434E44), ref: 02D1C15D
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C17A
lstrcat.KERNEL32(00000000,00434E44), ref: 02D1C186
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C1AD
lstrlen.KERNEL32(00434E48), ref: 02D1C1CD
lstrcpy.KERNEL32(00000000,?), ref: 02D1C1EF
lstrcat.KERNEL32(00000000,00434E48), ref: 02D1C1FB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C221
ShellExecuteEx.SHELL32(?), ref: 02D1C273

Strings

<, xrefs: 02D1C254

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
String ID: <
API String ID: 4016326548-4251816714
Opcode ID: bd190b5355103f1feb2b178c731c226eef8df389d1643616fb22025323836631
Instruction ID: fd693c1f7ca96c760d6f28edd25ccc4ec94ad0c90649df64cd938beee11811d0
Opcode Fuzzy Hash: bd190b5355103f1feb2b178c731c226eef8df389d1643616fb22025323836631
Instruction Fuzzy Hash: 8761B371A51256ABCB11AFB49CCCB9EBBAAEF04708F14442AE805E3750DB74CD05CFA5

Function 004090C0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Function_0002CFEC,00000001,00000000,00000000,00000000), ref: 004090DF
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
InternetCloseHandle.WININET(00000000), ref: 00409109
strlen.MSVCRT ref: 00409125
InternetReadFile.WININET(?,?,?,00000000), ref: 00409166
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409197
InternetCloseHandle.WININET(00000000), ref: 004091A2
InternetCloseHandle.WININET(00000000), ref: 004091A9
strlen.MSVCRT ref: 004091BA
strlen.MSVCRT ref: 004091ED
strlen.MSVCRT ref: 0040922E

Part of subcall function 00417E30: memchr.MSVCRT ref: 00417E6F
Part of subcall function 00417E30: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417E89
Part of subcall function 00417E30: memchr.MSVCRT ref: 00417EA8

strlen.MSVCRT ref: 0040924C

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

Strings

"ws://, xrefs: 00409229, 00409234
"webSocketDebuggerUrl":, xrefs: 004091B5, 004091C0
http://localhost:9229/json, xrefs: 004090F6

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: f484861ef0c5ede018d2fa63b64603f0a41ca3c7f998b9b087b6275257805ea8
Instruction ID: e08c98b3f93959a00be7363e8d9b96c6255ff75e03ad9d626c644cea6eb1cb17
Opcode Fuzzy Hash: f484861ef0c5ede018d2fa63b64603f0a41ca3c7f998b9b087b6275257805ea8
Instruction Fuzzy Hash: 4251A571700205ABE720DBA5DC45BDEF7FADB48710F14016AF905E72C1DBB8AA448BA9

Function 02D0B570 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0B597
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B5E5
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B610
lstrcat.KERNEL32(00000000,00000000), ref: 02D0B618
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B640
lstrlen.KERNEL32(00434C4C), ref: 02D0B6B7
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B6DB
lstrcat.KERNEL32(00000000,00434C4C), ref: 02D0B6E7
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B710
lstrlen.KERNEL32(00000000), ref: 02D0B794
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B7BE
lstrcat.KERNEL32(00000000,00000000), ref: 02D0B7C6
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B7EE
lstrlen.KERNEL32(00434AD4), ref: 02D0B865
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B889
lstrcat.KERNEL32(00000000,00434AD4), ref: 02D0B895
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0B8C5
lstrlen.KERNEL32(?), ref: 02D0B9CE
lstrlen.KERNEL32(?), ref: 02D0B9DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0BA05

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: fdf8d0f52e33b711e37481372eefa1157b80fc976de2044a8c928680ebf86210
Instruction ID: dd652433174cf26c3a3f8d0f5a43c99de4c0a46e5c15520d91d2c6f1053ac4f1
Opcode Fuzzy Hash: fdf8d0f52e33b711e37481372eefa1157b80fc976de2044a8c928680ebf86210
Instruction Fuzzy Hash: CB02F770A052068FCB25DF69D9C8B69BBA6EF4430DF18806AD8099B3B1D775DC42CF94

Function 02D1DBE7 Relevance: 24.3, APIs: 16, Instructions: 292stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1DC42
lstrcpy.KERNEL32(00000000,?), ref: 02D1DC75
lstrcat.KERNEL32(?,00000000), ref: 02D1DC83
lstrcat.KERNEL32(?,00638B0C), ref: 02D1DC9D
lstrcat.KERNEL32(?,?), ref: 02D1DCB1
lstrcat.KERNEL32(?,00638DD8), ref: 02D1DCC5
lstrcpy.KERNEL32(00000000,?), ref: 02D1DCF5
GetFileAttributesA.KERNEL32(00000000), ref: 02D1DCFC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1DD65

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: 30b76ee9403a79d3d69e95f151e3111db70670f2e28169058c7bccd52e540d17
Instruction ID: 55524e7b3e0520d8bb1ed8b75de0272ff5327b34b80ad9f4f091411129a468cd
Opcode Fuzzy Hash: 30b76ee9403a79d3d69e95f151e3111db70670f2e28169058c7bccd52e540d17
Instruction Fuzzy Hash: FEB161B1900259AFDB10EF64DC88AEEB7BAFF48304F144969E945A7350DB749E44CFA0

Function 02D239C7 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 222registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27447: lstrcpy.KERNEL32(00000000,ERROR), ref: 02D27465

RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 02D23A24
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 02D23A5E
wsprintfA.USER32 ref: 02D23A89
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02D23AA7
RegCloseKey.ADVAPI32(?), ref: 02D23AB5
RegCloseKey.ADVAPI32(?), ref: 02D23ABF
RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 02D23B08
lstrlen.KERNEL32(?), ref: 02D23B1D
RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 02D23B8E
RegCloseKey.ADVAPI32(?), ref: 02D23BD9
RegCloseKey.ADVAPI32(?), ref: 02D23BF0

Strings

- , xrefs: 02D23B98
?, xrefs: 02D23A05

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
String ID: - $?
API String ID: 13140697-712516993
Opcode ID: 4016e62cd5e4081b712305953adacc26fe1bd5c79a6d3b08d2639c726e80a781
Instruction ID: da377eb523093c50ff447850d37f6eedd860d5241480737d1d2e87679c2a62b9
Opcode Fuzzy Hash: 4016e62cd5e4081b712305953adacc26fe1bd5c79a6d3b08d2639c726e80a781
Instruction Fuzzy Hash: 85913B72D002599FCB10DF94D984EEEB7BAFB48318F1481A9E509AB350D7359D4ACFA0

Function 004077D0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
strlen.MSVCRT ref: 0040787E
StrStrA.SHLWAPI(?,Password), ref: 004078B8
strlen.MSVCRT ref: 0040794D

Part of subcall function 00407750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
Part of subcall function 00407750: HeapAlloc.KERNEL32(00000000), ref: 00407765
Part of subcall function 00407750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
Part of subcall function 00407750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
Part of subcall function 00407750: LocalFree.KERNEL32(?), ref: 004077B7

strcpy_s.MSVCRT ref: 004078E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
HeapFree.KERNEL32(00000000), ref: 004078F3
strlen.MSVCRT ref: 00407900
strcpy_s.MSVCRT ref: 0040792A
strlen.MSVCRT ref: 00407974
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407A35

Strings

Password, xrefs: 004078AC

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: 19d1acf34d1d55cb27fc19c5038643c5c3c088594c890ae25d8ed9645abd8a83
Instruction ID: 521b7978b4fa7da916788c019a5619d9e52cd0612810612fc0d5a06b32f827bb
Opcode Fuzzy Hash: 19d1acf34d1d55cb27fc19c5038643c5c3c088594c890ae25d8ed9645abd8a83
Instruction Fuzzy Hash: 8A81FBB1D0021DAFDB10DF95DC84ADEBBB9EB48300F10416AE509B7250EB75AA85CBA5

Function 02D218C7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 02D21908
lstrcpy.KERNEL32(00000000,00638C44), ref: 02D21933
lstrlen.KERNEL32(?), ref: 02D21940
lstrcpy.KERNEL32(00000000,00000000), ref: 02D2195D
lstrcat.KERNEL32(00000000,?), ref: 02D2196B
lstrcpy.KERNEL32(00000000,00000000), ref: 02D21991
lstrlen.KERNEL32(00638AA8), ref: 02D219A6
lstrcpy.KERNEL32(00000000,?), ref: 02D219C9
lstrcat.KERNEL32(00000000,00638AA8), ref: 02D219D1
lstrcpy.KERNEL32(00000000,00000000), ref: 02D219F9
ShellExecuteEx.SHELL32(?), ref: 02D21A34
ExitProcess.KERNEL32 ref: 02D21A6A

Strings

<, xrefs: 02D21A15

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 3579039295-4251816714
Opcode ID: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
Instruction ID: c4cbb5b0b8de2d2b719e117e0a3fc07ad600d2b3f42849362429262e2f7a33a9
Opcode Fuzzy Hash: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
Instruction Fuzzy Hash: B051407190125AAFDB11DFA4CC88A9EBBFAEF54308F105525E919A3351DB70DE05CFA0

Function 02D1F217 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D1F24B
lstrcpy.KERNEL32(00000000,?), ref: 02D1F279
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 02D1F28D
lstrlen.KERNEL32(00000000), ref: 02D1F29C
LocalAlloc.KERNEL32(00000040,00000001), ref: 02D1F2BA
StrStrA.SHLWAPI(00000000,?), ref: 02D1F2E8
lstrlen.KERNEL32(?), ref: 02D1F2FB
strtok.MSVCRT(00000001,?), ref: 02D1F30D
lstrlen.KERNEL32(00000000), ref: 02D1F319
lstrcpy.KERNEL32(00000000,ERROR), ref: 02D1F366
lstrcpy.KERNEL32(00000000,ERROR), ref: 02D1F3A6

Strings

ERROR, xrefs: 02D1F287, 02D1F326, 02D1F360, 02D1F3A0

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 80c59eac5cf80d4bda51df79fd555529898d75ccb9dc590c0e6f2a1c13b73da1
Instruction ID: 34d1e21e3cc6c1d2aeb4f9798faa4e02318eeaeaec95b8284d005563727aa60a
Opcode Fuzzy Hash: 80c59eac5cf80d4bda51df79fd555529898d75ccb9dc590c0e6f2a1c13b73da1
Instruction Fuzzy Hash: 83515D759012456FCB21AF78DC8CBAEB7A6EF44708F148558EC899BB60DB34DC05CBA4

Function 0041EFB0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EFE4
lstrcpy.KERNEL32(00000000,?), ref: 0041F012
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F026
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F035
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F053
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F081
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F094
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F0A6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F50B), ref: 0041F0B2
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F0FF
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F13F

Strings

ERROR, xrefs: 0041F020, 0041F0BF, 0041F0F9, 0041F139

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: aee0a447b126d5442498dd6ab1b5a1e15419bdb4c4a5a02f30999648276342be
Instruction ID: b66d57a13ea8b35d4419c4896a523d09ee5fec8b855b61de0e243a190c349dae
Opcode Fuzzy Hash: aee0a447b126d5442498dd6ab1b5a1e15419bdb4c4a5a02f30999648276342be
Instruction Fuzzy Hash: 27519231B101019FCB21AF79DD49AAB77A5AF44304F04517EFC49AB392DB78DC468B98

Function 02D0A277 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 02D0A28D
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0A2BA
lstrlen.KERNEL32(00639BD8), ref: 02D0A2C7
lstrcpy.KERNEL32(00000000,00639BD8), ref: 02D0A2F1
lstrlen.KERNEL32(00434C48), ref: 02D0A2FC
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0A319
lstrcat.KERNEL32(00000000,00434C48), ref: 02D0A325
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0A34B
lstrcat.KERNEL32(00000000,00000000), ref: 02D0A356
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0A37B
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 02D0A396
LoadLibraryA.KERNEL32(00638D78), ref: 02D0A3AA

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: d5838a98076a4314607f5b8b080eb43809f35224ac66107b4721e3277f40d57d
Instruction ID: 7b1bb6b8d64b1fabafec272e3e0f38ab2f51b0c12d97ed41399d3461995dc125
Opcode Fuzzy Hash: d5838a98076a4314607f5b8b080eb43809f35224ac66107b4721e3277f40d57d
Instruction Fuzzy Hash: A991A171600B018FD7209BA8DCC8BA637A6EB48709F515029EA058B7F1EBB5DD80CFD5

Function 0040A010 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02E17688,00639BD8,0000FFFF), ref: 0040A026
lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 0040A053
lstrlenA.KERNEL32(00639BD8), ref: 0040A060
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A08A
lstrlenA.KERNEL32(00434C48), ref: 0040A095
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0B2
lstrcatA.KERNEL32(00000000,00434C48), ref: 0040A0BE
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0E4
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A0EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A114
SetEnvironmentVariableA.KERNEL32(02E17688,00000000), ref: 0040A12F
LoadLibraryA.KERNEL32(02E1EE40), ref: 0040A143

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: a6335b5ca9e3af42653246851d915c54898d5c05ebadd1edfc0ea2bda3610dce
Instruction ID: fd8e0b6dfd8c84f88a2374f5ea427055120ed7aee70c2e2ccb2c7cc6d95f7f07
Opcode Fuzzy Hash: a6335b5ca9e3af42653246851d915c54898d5c05ebadd1edfc0ea2bda3610dce
Instruction Fuzzy Hash: 759190306007009FD7319FA4DC88AA736A6AB94705F50507AF405AB3E1EFBDDD508BD6

Function 0040BBF9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,Function_0002CFEC), ref: 0040BC1F
lstrlenA.KERNEL32(00000000), ref: 0040BC52
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BC7C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BC84
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BCAC
lstrlenA.KERNEL32(00434AD4), ref: 0040BD23

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: fac31dfb3169ff9f0701dee9c43aeca8a3b6f737986b5852a9285ffc591dca09
Instruction ID: 37072dd1b280c51efd76c48aba3edd40c61a6322b10c9e257032049fce7c4c6e
Opcode Fuzzy Hash: fac31dfb3169ff9f0701dee9c43aeca8a3b6f737986b5852a9285ffc591dca09
Instruction Fuzzy Hash: 5AA13D30A012058FDB25DF69D949A9AB7B1EF44308F14907EE806A73E1DB79DC45CF98

Function 02D07A37 Relevance: 18.2, APIs: 12, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02D07A6C
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 02D07AB1
strlen.MSVCRT ref: 02D07AE5
StrStrA.SHLWAPI(?,00434AC4), ref: 02D07B1F
strlen.MSVCRT ref: 02D07BB4

Part of subcall function 02D079B7: GetProcessHeap.KERNEL32(00000008,00000400), ref: 02D079C5
Part of subcall function 02D079B7: RtlAllocateHeap.NTDLL(00000000), ref: 02D079CC
Part of subcall function 02D079B7: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D079F4
Part of subcall function 02D079B7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02D07A14
Part of subcall function 02D079B7: LocalFree.KERNEL32(?), ref: 02D07A1E

strcpy_s.MSVCRT ref: 02D07B48
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07B53
HeapFree.KERNEL32(00000000), ref: 02D07B5A
strlen.MSVCRT ref: 02D07B67
strcpy_s.MSVCRT ref: 02D07B91
strlen.MSVCRT ref: 02D07BDB
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 02D07C9C

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
String ID:
API String ID: 225686516-0
Opcode ID: 19d1acf34d1d55cb27fc19c5038643c5c3c088594c890ae25d8ed9645abd8a83
Instruction ID: b26978f7af3fcacc864183f88fa16c99f55fa828d94a4a1b8ec068db2befca00
Opcode Fuzzy Hash: 19d1acf34d1d55cb27fc19c5038643c5c3c088594c890ae25d8ed9645abd8a83
Instruction Fuzzy Hash: 0C81FEB1D00219AFDB10DF95DC84ADEFBB9EF48300F10416AE509E7250EB75AA85CFA5

Function 02D1E987 Relevance: 18.2, APIs: 12, Instructions: 199stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 02D1E9D0
lstrcpy.KERNEL32(00000000,?), ref: 02D1EA06
lstrcat.KERNEL32(?,00000000), ref: 02D1EA14
lstrcat.KERNEL32(?,00434F1C), ref: 02D1EA2D
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 02D1EA94
lstrcpy.KERNEL32(00000000,?), ref: 02D1EAC6
lstrcat.KERNEL32(?,00000000), ref: 02D1EAD4
lstrcat.KERNEL32(?,00434F3C), ref: 02D1EAED
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02D1EB58
lstrcpy.KERNEL32(00000000,?), ref: 02D1EB87
lstrcat.KERNEL32(?,00000000), ref: 02D1EB95
lstrcat.KERNEL32(?,00434F50), ref: 02D1EBAE

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 33d5853ba2b6a6b5c09b916741b0fb70bb188368c97d93c4101cbcdbd7af0f89
Instruction ID: d74745b3f61ef6cf6fc7bfe546dd97bb2069ba90566a1bf4878a7c21a1faf3ca
Opcode Fuzzy Hash: 33d5853ba2b6a6b5c09b916741b0fb70bb188368c97d93c4101cbcdbd7af0f89
Instruction Fuzzy Hash: DA710870E40219ABD724EB60DC89FEC7775EF48700F144498BA199B2D0DBB49E44CFA8

Function 004181B0 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004181D3
lstrlenA.KERNEL32(00000000,?), ref: 0041820C
lstrcpy.KERNEL32(00000000,00000000), ref: 00418243
lstrlenA.KERNEL32(00000000), ref: 00418260
lstrcpy.KERNEL32(00000000,00000000), ref: 00418297
lstrlenA.KERNEL32(00000000), ref: 004182B4
lstrcpy.KERNEL32(00000000,00000000), ref: 004182EB
lstrlenA.KERNEL32(00000000), ref: 00418308
lstrcpy.KERNEL32(00000000,00000000), ref: 00418337
lstrlenA.KERNEL32(00000000), ref: 00418351
lstrcpy.KERNEL32(00000000,00000000), ref: 00418380
strtok_s.MSVCRT ref: 0041839A

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 28a6eb865cf9a12f804becf526d45632e747f4c2bdadd9976b0f78d6b0d65d59
Instruction ID: 39a53bccff0fa6c14695067a9bdcdbd60e04f939df08b113d3ee61ac42a1e5cc
Opcode Fuzzy Hash: 28a6eb865cf9a12f804becf526d45632e747f4c2bdadd9976b0f78d6b0d65d59
Instruction Fuzzy Hash: CA518C71A006069BDB14DF29D958AABB7A4EF00700F04412AED16EB384DF78E990CBE4

Function 02D22667 Relevance: 16.7, APIs: 11, Instructions: 229stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,00000000), ref: 02D22678
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D226B3
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02D226C4
memset.MSVCRT ref: 02D226EC
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 02D22743
lstrlen.KERNEL32(00000000), ref: 02D22750
lstrcpy.KERNEL32(00000000,00000000), ref: 02D227D7
lstrlen.KERNEL32(00000000), ref: 02D227DE
strlen.MSVCRT ref: 02D22802
memset.MSVCRT ref: 02D2288C
??_V@YAXPAX@Z.MSVCRT(?), ref: 02D228D9

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Processlstrcpylstrlenmemset$MemoryOpenReadstrlen
String ID:
API String ID: 311138045-0
Opcode ID: 7306e6e81be679546469bf31094129e18bcf2938b5562a65fbea43237994e1b0
Instruction ID: 787beb5217178615a8d5d391cd1ddad2d436ab7d0b32b538d80196253dec3835
Opcode Fuzzy Hash: 7306e6e81be679546469bf31094129e18bcf2938b5562a65fbea43237994e1b0
Instruction Fuzzy Hash: AE81A171E042159BDB24CF94DC48BAEF7B6EF94308F148069E904A7380DB759D4ACFA5

Function 02D24447 Relevance: 16.7, APIs: 11, Instructions: 177COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,02D20F57), ref: 02D244DD
GetDesktopWindow.USER32 ref: 02D244E7
GetWindowRect.USER32(00000000,?), ref: 02D244F4
SelectObject.GDI32(00000000,00000000), ref: 02D24526
GetHGlobalFromStream.COMBASE(02D20F57,?), ref: 02D2459D
GlobalLock.KERNEL32(?), ref: 02D245A7
GlobalSize.KERNEL32(?), ref: 02D245B4

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: 4df049b90167f18abc31d218c70bb12806ecc89bd0e67f63d31103b3401f95cd
Instruction ID: a3b14111646ffd1fb3c4ca946588c366e15bb52d5ecd1c2de6781d8d24f84f1f
Opcode Fuzzy Hash: 4df049b90167f18abc31d218c70bb12806ecc89bd0e67f63d31103b3401f95cd
Instruction Fuzzy Hash: B1510CB5A00219AFDB10DFA4DD88EEEBBBAEF48714F104519F905A3250DB74AD05CFA1

Function 02D1E207 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 02D1E274
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1E29E
lstrcpy.KERNEL32(00000000,?), ref: 02D1E2D6
lstrcat.KERNEL32(?,00000000), ref: 02D1E2E4
lstrcat.KERNEL32(?,?), ref: 02D1E2FF
lstrcat.KERNEL32(?,?), ref: 02D1E313
lstrcat.KERNEL32(?,00638A84), ref: 02D1E327
lstrcat.KERNEL32(?,?), ref: 02D1E33B
lstrcat.KERNEL32(?,00638AC8), ref: 02D1E34E
lstrcpy.KERNEL32(00000000,?), ref: 02D1E386
GetFileAttributesA.KERNEL32(00000000), ref: 02D1E38D

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: ad19b1581edb05993551cdc68ca35f4d831bd1402a2252a48962e02a2718f3cf
Instruction ID: a34b80c3daa3fd6182d11afc77f7e4aba6944a3cf37ad1be799f7d725f91419c
Opcode Fuzzy Hash: ad19b1581edb05993551cdc68ca35f4d831bd1402a2252a48962e02a2718f3cf
Instruction Fuzzy Hash: 3A61537590111CABCB54DB64DC88BDDB7B5FF48300F1489A9AA49A3390EB709F85CFA0

Function 02D06D37 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D06D66
InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 02D06D93
StrCmpCA.SHLWAPI(?,00638C80), ref: 02D06DB1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 02D06DD1
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02D06DEF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02D06E08
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02D06E2D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02D06E57
CloseHandle.KERNEL32(00000000), ref: 02D06E77
InternetCloseHandle.WININET(00000000), ref: 02D06E7E
InternetCloseHandle.WININET(?), ref: 02D06E88

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 9f9d22ed5160631bbb7f1e9ca936ac56629dc2d30d68bc754a948f84c579ac4c
Instruction ID: 2e4a4a3bdba3b6ef05a59d59b670850ddff551520309ff5191977c782a7eb534
Opcode Fuzzy Hash: 9f9d22ed5160631bbb7f1e9ca936ac56629dc2d30d68bc754a948f84c579ac4c
Instruction Fuzzy Hash: 71414BB1A00315ABDB20DB64DC89FAE77A9EB44744F108558FA05E72D0EF70EE44CBA4

Function 00406AD0 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406AFF
InternetOpenA.WININET(Function_0002CFEC,00000001,00000000,00000000,00000000), ref: 00406B2C
StrCmpCA.SHLWAPI(?,02E1FEC0), ref: 00406B4A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406B6A
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406B88
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BA1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406BC6
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BF0
CloseHandle.KERNEL32(00000000), ref: 00406C10
InternetCloseHandle.WININET(00000000), ref: 00406C17
InternetCloseHandle.WININET(?), ref: 00406C21

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: b945eee94cec13ce41296d715729208f43379ab5552c35fbddc9baa2424bf0da
Instruction ID: c5ad55131c4ce7db38fffddb58cb683fbd38acd074282c5770988a30aae92a0f
Opcode Fuzzy Hash: b945eee94cec13ce41296d715729208f43379ab5552c35fbddc9baa2424bf0da
Instruction Fuzzy Hash: 734171B1600215ABDB24DF64DC89FAE77B9EB44704F004469FA06E72C0DF74AE448BA8

Function 02D24A47 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00435174,?,02D1750B), ref: 02D24A4D
GetProcAddress.KERNEL32(00000000,00435180), ref: 02D24A63
GetProcAddress.KERNEL32(00000000,00435188), ref: 02D24A74
GetProcAddress.KERNEL32(00000000,00435194), ref: 02D24A85
GetProcAddress.KERNEL32(00000000,004351A0), ref: 02D24A96
GetProcAddress.KERNEL32(00000000,004351A8), ref: 02D24AA7
GetProcAddress.KERNEL32(00000000,004351B4), ref: 02D24AB8
GetProcAddress.KERNEL32(00000000,004351BC), ref: 02D24AC9
GetProcAddress.KERNEL32(00000000,004351C4), ref: 02D24ADA
GetProcAddress.KERNEL32(00000000,004351D4), ref: 02D24AEB
GetProcAddress.KERNEL32(00000000,004351E0), ref: 02D24AFC

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f5155ff952da553fc3a3bff4ab4fb1888bde0f0d590b6b3d85c4f9227467158f
Instruction ID: 652adc7be33a4b97ce8d11ffbe83cc07f174413d7f107738e2cce12cdd1e1363
Opcode Fuzzy Hash: f5155ff952da553fc3a3bff4ab4fb1888bde0f0d590b6b3d85c4f9227467158f
Instruction Fuzzy Hash: 6311D376D52720AF8B149BA5AD0DB963ABABA0A70A718381BF051D3160DBF84000DFE4

Function 00407A60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
Part of subcall function 004077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
Part of subcall function 004077D0: strlen.MSVCRT ref: 0040787E
Part of subcall function 004077D0: StrStrA.SHLWAPI(?,Password), ref: 004078B8
Part of subcall function 004077D0: strcpy_s.MSVCRT ref: 004078E1
Part of subcall function 004077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
Part of subcall function 004077D0: HeapFree.KERNEL32(00000000), ref: 004078F3
Part of subcall function 004077D0: strlen.MSVCRT ref: 00407900

lstrcatA.KERNEL32(00000000,00434AD4), ref: 00407A90
lstrcatA.KERNEL32(00000000,?), ref: 00407ABD
lstrcatA.KERNEL32(00000000, : ), ref: 00407ACF
lstrcatA.KERNEL32(00000000,?), ref: 00407AF0
wsprintfA.USER32 ref: 00407B10
lstrcpy.KERNEL32(00000000,?), ref: 00407B39
lstrcatA.KERNEL32(00000000,00000000), ref: 00407B47
lstrcatA.KERNEL32(00000000,00434AD4), ref: 00407B60

Strings

: , xrefs: 00407AC9

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: e565b7c4b7521a58f45a601299f64ae2030a9f6bfe604a6b94189d29f23ce9d1
Instruction ID: 4a0270a12d15eba44ba155fce02676c7c42fa7ad0357aa4cf213092b6f362f58
Opcode Fuzzy Hash: e565b7c4b7521a58f45a601299f64ae2030a9f6bfe604a6b94189d29f23ce9d1
Instruction Fuzzy Hash: CA319572E04214AFCB14DB64DC449ABB77AEB88704F14552EF605A3390DB78F941CBA5

Function 02D0BE60 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D0BE86
lstrlen.KERNEL32(00000000), ref: 02D0BEB9
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0BEE3
lstrcat.KERNEL32(00000000,00000000), ref: 02D0BEEB
lstrcpy.KERNEL32(00000000,00000000), ref: 02D0BF13
lstrlen.KERNEL32(00434AD4), ref: 02D0BF8A

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 8c7ae8d9145d9521553447a705b0b53fd086f1c9fe675d944289f12c0e91ea3f
Instruction ID: 06715d3600e30aab4288546b5ad938d5c4870aab145c7b1d6d0e9a57f40dc74d
Opcode Fuzzy Hash: 8c7ae8d9145d9521553447a705b0b53fd086f1c9fe675d944289f12c0e91ea3f
Instruction Fuzzy Hash: 67A12C74A012058FCB14DF68D988BADB7B6EF44309F24816AE809973B0DB76DC45CFA0

Function 02D1C8D2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 129stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27577: lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
Part of subcall function 02D27577: lstrcpy.KERNEL32(00000000), ref: 02D275A6
Part of subcall function 02D27577: lstrcat.KERNEL32(?,------), ref: 02D275B0

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

lstrcpy.KERNEL32(00000000,?), ref: 02D1C919
lstrcpy.KERNEL32(00000000,?), ref: 02D1C942
ShellExecuteEx.SHELL32(0000003C), ref: 02D1CA36

Strings

/passive, xrefs: 02D1C9BD
.msi, xrefs: 02D1C8D2
<, xrefs: 02D1C9F7
/i ", xrefs: 02D1C950
`KC, xrefs: 02D1C999

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteShelllstrcatlstrlen
String ID: /i "$ /passive$.msi$<$`KC
API String ID: 619169029-1717736166
Opcode ID: 8d3998ff0bfdfd48114819656236ab29d70c29e1842c8ff8d6cb25bed2f5cfd7
Instruction ID: 11c66a5e8ccbb29b49f4a196dc4174ab77144aad01758546a9c54843c9ab5607
Opcode Fuzzy Hash: 8d3998ff0bfdfd48114819656236ab29d70c29e1842c8ff8d6cb25bed2f5cfd7
Instruction Fuzzy Hash: 99416B71D0125A8BCB20EF68D888A9CB7A2EF54318F248469D805E7760DB30ED4ACF90

Function 02D294D4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02D294E0

Part of subcall function 02D28A66: __getptd_noexit.LIBCMT ref: 02D28A69
Part of subcall function 02D28A66: __amsg_exit.LIBCMT ref: 02D28A76

__amsg_exit.LIBCMT ref: 02D29500
__lock.LIBCMT ref: 02D29510
InterlockedDecrement.KERNEL32(?), ref: 02D2952D
free.MSVCRT ref: 02D29540
InterlockedIncrement.KERNEL32(XuC), ref: 02D29558

Strings

XuC, xrefs: 02D29546, 02D2954E, 02D29557
XuC, xrefs: 02D29537

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID: XuC$XuC
API String ID: 634100517-965221565
Opcode ID: 186becff79528f6b03c02cc740923384a5e3405ce73508090363fc677966f78f
Instruction ID: 9b808b06e3d6ac6319017bb4db1090889c03aa07444b33785dcd078dbcce4b45
Opcode Fuzzy Hash: 186becff79528f6b03c02cc740923384a5e3405ce73508090363fc677966f78f
Instruction Fuzzy Hash: EE01C471E0AB31ABD731AF29984479DB3A5FF24728F251115D804A3390D734AE49CFE9

Function 00409DE0 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E04
memcmp.MSVCRT(?,v10,00000003), ref: 00409E42
memset.MSVCRT ref: 00409E6F
LocalAlloc.KERNEL32(00000040), ref: 00409EA7

Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE

lstrcpy.KERNEL32(00000000,00434C44), ref: 00409FB2

Strings

@, xrefs: 00409E88
v10, xrefs: 00409E3C
v20, xrefs: 00409DFE

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 62fc78b8687b5e8bdbb6318462315b1f03bf1334cbc6fabd5c242cce61d92248
Instruction ID: d6fed50945dbe67a18552329cc40c0b8136d71c8f17330be27d8feaef36422da
Opcode Fuzzy Hash: 62fc78b8687b5e8bdbb6318462315b1f03bf1334cbc6fabd5c242cce61d92248
Instruction Fuzzy Hash: C651AC31B002099BDB10EF69DC45B9E77A4AF40318F15503AF909AB2D2DBB8ED058BD8

Function 02D1E2B0 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D1E2D6
lstrcat.KERNEL32(?,00000000), ref: 02D1E2E4
lstrcat.KERNEL32(?,?), ref: 02D1E2FF
lstrcat.KERNEL32(?,?), ref: 02D1E313
lstrcat.KERNEL32(?,00638A84), ref: 02D1E327
lstrcat.KERNEL32(?,?), ref: 02D1E33B
lstrcat.KERNEL32(?,00638AC8), ref: 02D1E34E
lstrcpy.KERNEL32(00000000,?), ref: 02D1E386
GetFileAttributesA.KERNEL32(00000000), ref: 02D1E38D

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 48df637f5adf256f89f33124bfa96c9134e1575a9771df776a95f89c303645bd
Instruction ID: 50d9f91b64ad5160e12531737592bcfca702cb698250c33bf17f3f60927daa6b
Opcode Fuzzy Hash: 48df637f5adf256f89f33124bfa96c9134e1575a9771df776a95f89c303645bd
Instruction Fuzzy Hash: F9417275901118ABCB15EB64DC88BDDB7B5FF48300F1485A9E949937A0EB709F85CFA0

Function 02D1C6EF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27577: lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
Part of subcall function 02D27577: lstrcpy.KERNEL32(00000000), ref: 02D275A6
Part of subcall function 02D27577: lstrcat.KERNEL32(?,------), ref: 02D275B0

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

lstrcpy.KERNEL32(00000000,?), ref: 02D1C7EB
lstrcpy.KERNEL32(00000000,?), ref: 02D1C814
ShellExecuteEx.SHELL32(0000003C), ref: 02D1C876

Strings

.dll, xrefs: 02D1C6EF
<, xrefs: 02D1C837
`KC, xrefs: 02D1C75F
LLC, xrefs: 02D1C783

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: .dll$<$LLC$`KC
API String ID: 3031569214-3802841039
Opcode ID: 606c41999c6aac6bee80e96302b770951e0b65f61f9a381296699d4c489133f8
Instruction ID: 525bd910d6e2ee7b93c9c6132b38766dff8b8ff7122ef7d826b638803df9276c
Opcode Fuzzy Hash: 606c41999c6aac6bee80e96302b770951e0b65f61f9a381296699d4c489133f8
Instruction Fuzzy Hash: 26515171D102568BCB20EFA4DCC8A9CF7B6EF44318F259469D505A7760DB349D4ACFA0

Function 02D1C552 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27577: lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
Part of subcall function 02D27577: lstrcpy.KERNEL32(00000000), ref: 02D275A6
Part of subcall function 02D27577: lstrcat.KERNEL32(?,------), ref: 02D275B0

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

lstrcpy.KERNEL32(00000000,?), ref: 02D1C640
lstrcpy.KERNEL32(00000000,?), ref: 02D1C669
ShellExecuteEx.SHELL32(0000003C), ref: 02D1C6CA

Strings

`KC, xrefs: 02D1C5BA
"" , xrefs: 02D1C59C
`KC, xrefs: 02D1C5FA
<, xrefs: 02D1C689

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $<$`KC$`KC
API String ID: 3031569214-938110770
Opcode ID: 8b08d70dfb265bcf26dcc510f6809d8a0279fc7ebcafee22a942fb21449ba233
Instruction ID: fdde0de05d7fec643feef345968ed1b5998866ab93448b1027a8e0bc3ce2b9d7
Opcode Fuzzy Hash: 8b08d70dfb265bcf26dcc510f6809d8a0279fc7ebcafee22a942fb21449ba233
Instruction Fuzzy Hash: 35515C71D1129A8BCB20EFB8DCC8A9CF7B2EF54318F245469D505A7760DA30AD4ACF90

Function 02D229A7 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 02D229E2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,02D1961D,00000000,00000000,00000000,00000000), ref: 02D22A13
GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D22A76
RtlAllocateHeap.NTDLL(00000000), ref: 02D22A7D
wsprintfA.USER32 ref: 02D22AA2

Strings

:\, xrefs: 02D229FC
C, xrefs: 02D229EC

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 2572753744-3309953409
Opcode ID: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
Instruction ID: 3c815d1c9ce45e8409f7264a62d37f2f457df1405bdb7fefc3170a9b663d7d5b
Opcode Fuzzy Hash: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
Instruction Fuzzy Hash: 54317CB1D082599FDB14CFA88989AEEFFB9EB58704F00416AF505E7650E2748A40CBB1

Function 00401120 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
HeapAlloc.KERNEL32(00000000), ref: 0040113C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
RegCloseKey.ADVAPI32(?), ref: 0040117D

Strings

SOFTWARE\monero-project\monero-core, xrefs: 0040114F
wallet_path, xrefs: 0040116D

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
Instruction ID: 383e7467a56373d6d0d7d4512f8a3326ad796bb69a11dfcae5090baa37e7c7c5
Opcode Fuzzy Hash: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
Instruction Fuzzy Hash: 23F06D75A40308BFD7049BA09C8DFEA7B7DEB04755F100059BE05E2290EAB05A448BE0

Function 02D09327 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 02D09346
InternetOpenUrlA.WININET(00000000,00434B24,00000000,00000000,80000000,00000000), ref: 02D09363
InternetCloseHandle.WININET(00000000), ref: 02D09370

Part of subcall function 02D18097: memchr.MSVCRT ref: 02D180D6
Part of subcall function 02D18097: memcmp.MSVCRT(00000000,?,?,?,00434B40,00000000), ref: 02D180F0
Part of subcall function 02D18097: memchr.MSVCRT ref: 02D1810F

Part of subcall function 02D08BE7: std::_Xinvalid_argument.LIBCPMT ref: 02D08BFD

strlen.MSVCRT ref: 02D0938C
InternetReadFile.WININET(?,?,?,00000000), ref: 02D093CD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D093FE
InternetCloseHandle.WININET(00000000), ref: 02D09409
InternetCloseHandle.WININET(00000000), ref: 02D09410

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: aa43ee7c0b556feb97ab861848f3baad4bb609c9c6839326e9c857c0b64dd1d7
Instruction ID: adc4a79cae7d5dc271ac47011a031d497c78adb41b4369306e26924ef34186bc
Opcode Fuzzy Hash: aa43ee7c0b556feb97ab861848f3baad4bb609c9c6839326e9c857c0b64dd1d7
Instruction Fuzzy Hash: 60518271A00209ABD720DBA4DC85BDEF7EADB48714F14416AF505E32D0DBB4EA44CBA5

Function 02D249A7 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 02D249C0
Process32First.KERNEL32(00000000,00000128), ref: 02D249D0
Process32Next.KERNEL32(00000000,00000128), ref: 02D249E2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02D24A03
TerminateProcess.KERNEL32(00000000,00000000), ref: 02D24A12
CloseHandle.KERNEL32(00000000), ref: 02D24A19
Process32Next.KERNEL32(00000000,00000128), ref: 02D24A27
CloseHandle.KERNEL32(00000000), ref: 02D24A32

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 150f9452b616bb426675a9d768240fd0637b0d0d9877689a69c8adbc3622d0c9
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 440192716412246FE7215B609C89FEA777DEB48759F001198FD09A2291EFB08D84CAE4

Function 00424740 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424759
Process32First.KERNEL32(00000000,00000128), ref: 00424769
Process32Next.KERNEL32(00000000,00000128), ref: 0042477B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042479C
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247AB
CloseHandle.KERNEL32(00000000), ref: 004247B2
Process32Next.KERNEL32(00000000,00000128), ref: 004247C0
CloseHandle.KERNEL32(00000000), ref: 004247CB

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 2796138e49d57b0afb57703697c4648b669f32e79a409fcda75587c3eb52ce3c
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 3E019271601224AFE7215B70ACC9FEB77BDEB88791F401189F90592290EFB48D808AA4

Function 02D223F7 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 02D2240A
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,02D22706,00000000,00000000,00000000), ref: 02D22438
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 02D22488
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02D224E9

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 0f886d65332f8fbf52c22fc51f68d7eba78b0d5b2c0050cfdc4bf87beff49f9b
Instruction ID: bba89f5f2b25133df47f19be557bbd1941598e14999e5312536c6bcf555a1571
Opcode Fuzzy Hash: 0f886d65332f8fbf52c22fc51f68d7eba78b0d5b2c0050cfdc4bf87beff49f9b
Instruction Fuzzy Hash: 5471C371A001299BDB14CFA8D898AAF77BAEF98718F148129FD45E7380D734DD45CBA0

Function 0040D900 Relevance: 10.7, APIs: 7, Instructions: 200stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00434AD4), ref: 0040D90A
lstrcpy.KERNEL32(00000000), ref: 0040D92A
lstrcatA.KERNEL32(00000000,00434AD4), ref: 0040D936
lstrcpy.KERNEL32(00000000,00000000), ref: 0040D95F

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 5b00cf6fe486de35be42e57c9bc7a6d7644a4f9237187232f888188bb7919442
Instruction ID: fd79f64981e394aa1f2c29a473bce4c2f29cda6348de706d311ec5c033d013d3
Opcode Fuzzy Hash: 5b00cf6fe486de35be42e57c9bc7a6d7644a4f9237187232f888188bb7919442
Instruction Fuzzy Hash: DE713D70B102058FCB25EF69D94965A77A1AF44318B18907EF806AB3E2DB79DC45CF88

Function 02D07457 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 02D074A5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 02D074E0
RtlAllocateHeap.NTDLL(00000000), ref: 02D074E7
memcpy.MSVCRT(00000000,?), ref: 02D07514
GetProcessHeap.KERNEL32(00000000,?), ref: 02D0752A
HeapFree.KERNEL32(00000000), ref: 02D07531
GetProcAddress.KERNEL32(00000000,?), ref: 02D07590

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: ea2c9e8e8750691eca5fd149e9b76b3522f32bdac43262a25892f6cea234e11c
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 2D412F71B017059BE724CF69D8887AAF7E9EB84319F1445A9E949CB3A0E771ED00CB50

Function 004071F0 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040723E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 00407279
HeapAlloc.KERNEL32(00000000), ref: 00407280
memcpy.MSVCRT(00000000,?), ref: 004072AD
GetProcessHeap.KERNEL32(00000000,?), ref: 004072C3
HeapFree.KERNEL32(00000000), ref: 004072CA
GetProcAddress.KERNEL32(00000000,?), ref: 00407329

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 5c04f978e963cdea92a01edc1f3ad230323f660b4d2968f88ba47752cd35672e
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 35416B71B046069BEB20CF69DC84BAAB3E9FB84305F1445BAEC49D7380E635F900DB65

Function 00409C70 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409CA8
LocalAlloc.KERNEL32(00000040,?), ref: 00409CDA
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D03
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D3C

Strings

, xrefs: 00409D65
DPAPI, xrefs: 00409D36
"encrypted_key":", xrefs: 00409CFD

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: b9d0b58e172b2588348979975f5dd8183a5d6399ff73fee5fa6a6ea10174c86d
Instruction ID: c8b8885e5d777158b5f49cc3b9a5757fa26b25cb8b928796afc525f1858c9096
Opcode Fuzzy Hash: b9d0b58e172b2588348979975f5dd8183a5d6399ff73fee5fa6a6ea10174c86d
Instruction Fuzzy Hash: 6F417B31B0020A9BDB21EF69D9456AF77B4AF54308F04407AED15B72E3DA78AD04CB98

Function 00417EE0 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F04
lstrlenA.KERNEL32(00000000), ref: 00417F31
lstrcpy.KERNEL32(00000000,00000000), ref: 00417F60
strtok_s.MSVCRT ref: 00417F71
StrCmpCA.SHLWAPI(00000000,00431C70), ref: 00417FA5
StrCmpCA.SHLWAPI(00000000,00431C70), ref: 00417FD3
StrCmpCA.SHLWAPI(00000000,00431C70), ref: 00418007

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: cfdd6ca7b6e63bea9f0c686285741a3f25d0c319cebbca4477aaf79dd9a5e9c5
Instruction ID: 2436ff4e6ee227030948b1fe2db7e6733daf726be61a52efa26c24c8a2a8d093
Opcode Fuzzy Hash: cfdd6ca7b6e63bea9f0c686285741a3f25d0c319cebbca4477aaf79dd9a5e9c5
Instruction Fuzzy Hash: A5416070604116DFCB21DF68D884AEB77B4FF59300F11419AE8059B350DB74AAA6CF95

Function 02D182B7 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 02D182DC
lstrlen.KERNEL32(00000000), ref: 02D18322
lstrcpy.KERNEL32(00000000,00000000), ref: 02D18351
StrCmpCA.SHLWAPI(00000000,00431C70), ref: 02D18369
lstrlen.KERNEL32(00000000), ref: 02D183A7
lstrcpy.KERNEL32(00000000,00000000), ref: 02D183D6
strtok_s.MSVCRT ref: 02D183E6

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 626126f7ae416f0d4c528e63a6bc51478b3236b041020af488acc39559d9fdc1
Instruction ID: b0cc9fea6ab684ac84a7fd6b8e8cc0e24718e313ad0697a11964a60afc8c454f
Opcode Fuzzy Hash: 626126f7ae416f0d4c528e63a6bc51478b3236b041020af488acc39559d9fdc1
Instruction Fuzzy Hash: 6641AE75600206AFDB21DF68E988BAABBF4EF44304F148119EC89D7754EB74ED41CBA0

Function 02D058A7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02D058C1
RtlAllocateHeap.NTDLL(00000000), ref: 02D058C8
InternetOpenA.WININET(0042CFEC,00000000,00000000,00000000,00000000), ref: 02D058DE
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 02D058F9
InternetReadFile.WININET(?,?,00000400,00000001), ref: 02D05923
InternetCloseHandle.WININET(?), ref: 02D05961
InternetCloseHandle.WININET(00000000), ref: 02D05968

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
Instruction ID: 364a075619c33e3295d97084086c161f0b93d9b23178b6b72ce8ba708dba4747
Opcode Fuzzy Hash: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
Instruction Fuzzy Hash: A2415B70E00305AFDB24CF54EC88BAAB7B5FF48714F5480A9E9199B3A0E7719941CFA4

Function 00418050 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418075
lstrlenA.KERNEL32(00000000), ref: 004180BB
lstrcpy.KERNEL32(00000000,00000000), ref: 004180EA
StrCmpCA.SHLWAPI(00000000,00431C70), ref: 00418102
lstrlenA.KERNEL32(00000000), ref: 00418140
lstrcpy.KERNEL32(00000000,00000000), ref: 0041816F
strtok_s.MSVCRT ref: 0041817F

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 678b0dbd26197ed6da7c709e455fb13d295555b99b1a01a9d333184e571a7f21
Instruction ID: cc2310a9154b9e7664668e181f723abbf99bb39c712426c9a1edb56d6e69f7d2
Opcode Fuzzy Hash: 678b0dbd26197ed6da7c709e455fb13d295555b99b1a01a9d333184e571a7f21
Instruction Fuzzy Hash: 5E414F75600206ABCB21DF68D948BEBBBB4EF44700F11815EA849D7254EF78D986CB94

Function 02D24767 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D24781
GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,02D151A0), ref: 02D247AC
RtlAllocateHeap.NTDLL(00000000), ref: 02D247B3
wsprintfW.USER32 ref: 02D247C2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 02D24831
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 02D24840
CloseHandle.KERNEL32(00000000,?,?), ref: 02D24847

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: c6061c17c14f2bf59568cb40a23737b7e44df780ea9a98ad1f2c030f43cf0d92
Instruction ID: e28724461e18b2d4cd907d581923510d96488dd2633d8265aa3e332f2464ec55
Opcode Fuzzy Hash: c6061c17c14f2bf59568cb40a23737b7e44df780ea9a98ad1f2c030f43cf0d92
Instruction Fuzzy Hash: C5317E71A00255ABDB20DBA0DC88FDEB77AEF44744F104059FA05A7280DBB4AA44CBA5

Function 00417D40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417D58

Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1D5
Part of subcall function 0042A1C0: __CxxThrowException@8.LIBCMT ref: 0042A1EA

std::_Xinvalid_argument.LIBCPMT ref: 00417D76
std::_Xinvalid_argument.LIBCPMT ref: 00417D91
memcpy.MSVCRT(?,?,?,00000000,?,?,00417C7A,00000000,?,?,00000000,?,00409186,?), ref: 00417DF4

Strings

invalid string position, xrefs: 00417D53
string too long, xrefs: 00417D71, 00417D8C

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: 7e47054b543add41ed036c20b3e7533534c3db14565d3586dec7f27f450a48db
Instruction ID: f15b76001c844ab4d3943bced7ba41bef4be345ab754cf2a4fc76cc1ef35ab8f
Opcode Fuzzy Hash: 7e47054b543add41ed036c20b3e7533534c3db14565d3586dec7f27f450a48db
Instruction Fuzzy Hash: 7C21D5313043044BD720DE2CE880ABAB7F5AF96764F204A6FE4528B381D774D89087A9

Function 02D23397 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D233CD
RtlAllocateHeap.NTDLL(00000000), ref: 02D233D4
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 02D233F3
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 02D2340E
RegCloseKey.ADVAPI32(?), ref: 02D23418

Strings

8LC, xrefs: 02D2343E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: 8LC
API String ID: 3225020163-1713405209
Opcode ID: a379eebdbbcec35e8ed859733ff2708c3a1330b01a2a2298d96069c18e9e916f
Instruction ID: d0b55769a3345278956eeb33fd98b1525b1ed423ca8ed2fd605d25fe2442db97
Opcode Fuzzy Hash: a379eebdbbcec35e8ed859733ff2708c3a1330b01a2a2298d96069c18e9e916f
Instruction Fuzzy Hash: 05118272A04249AFD714CB94DC45FABB7BDFB48B11F10411AFA05D3680DB7459048BE1

Function 02D22AE7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02D22AFC
RtlAllocateHeap.NTDLL(00000000), ref: 02D22B03

Part of subcall function 02D22B77: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02D22B8C
Part of subcall function 02D22B77: RtlAllocateHeap.NTDLL(00000000), ref: 02D22B93
Part of subcall function 02D22B77: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02D22B10), ref: 02D22BB2
Part of subcall function 02D22B77: RegQueryValueExA.ADVAPI32(02D22B10,00435094,00000000,00000000,00000000,000000FF), ref: 02D22BCC
Part of subcall function 02D22B77: RegCloseKey.ADVAPI32(02D22B10), ref: 02D22BD6

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02D19767), ref: 02D22B38
RegQueryValueExA.ADVAPI32(02D19767,00638C34,00000000,00000000,00000000,000000FF), ref: 02D22B53
RegCloseKey.ADVAPI32(02D19767), ref: 02D22B5D

Strings

Windows 11, xrefs: 02D22B17

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
Instruction ID: ca76990682a0314a86c4769ed70abb166501f70b52cc0075e3a0d24f8ce2d6e7
Opcode Fuzzy Hash: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
Instruction Fuzzy Hash: 4701AD71600318BFD7149BA4AC8DEEA777EEB44319F001159FE09D7294DAB09D488BE0

Function 02D07CC7 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D07A37: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02D07A6C
Part of subcall function 02D07A37: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 02D07AB1
Part of subcall function 02D07A37: strlen.MSVCRT ref: 02D07AE5
Part of subcall function 02D07A37: StrStrA.SHLWAPI(?,00434AC4), ref: 02D07B1F
Part of subcall function 02D07A37: strcpy_s.MSVCRT ref: 02D07B48
Part of subcall function 02D07A37: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07B53
Part of subcall function 02D07A37: HeapFree.KERNEL32(00000000), ref: 02D07B5A
Part of subcall function 02D07A37: strlen.MSVCRT ref: 02D07B67

lstrcat.KERNEL32(00638E68,00434AD4), ref: 02D07CF7
lstrcat.KERNEL32(00638E68,?), ref: 02D07D24
lstrcat.KERNEL32(00638E68,00434AD8), ref: 02D07D36
lstrcat.KERNEL32(00638E68,?), ref: 02D07D57
wsprintfA.USER32 ref: 02D07D77
lstrcpy.KERNEL32(00000000,?), ref: 02D07DA0
lstrcat.KERNEL32(00638E68,00000000), ref: 02D07DAE
lstrcat.KERNEL32(00638E68,00434AD4), ref: 02D07DC7

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 0e9693a24bed11132ccf272c91ee3e2d1e75641051f5d3aaf3441a98692b6c9b
Instruction ID: f916fad4f8e5c40cbe7104873f1025a7e7b04983e3aa514bcfa8d6ed020be2f7
Opcode Fuzzy Hash: 0e9693a24bed11132ccf272c91ee3e2d1e75641051f5d3aaf3441a98692b6c9b
Instruction Fuzzy Hash: B8315072A00214EFDB14DBA4DC84AEAF7BAEB88714F245519E605973A0DB74FD41CBB0

Function 02D26147 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02D26191
std::_Xinvalid_argument.LIBCPMT ref: 02D261B0
memmove.MSVCRT(FFFFFFFF,00000000,00000000,?,?,00000000), ref: 02D2620B
memcpy.MSVCRT(00000010,?,?), ref: 02D2622F
memcpy.MSVCRT(00000000,?,?), ref: 02D26244
std::_Xinvalid_argument.LIBCPMT ref: 02D26337

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy$memmove
String ID:
API String ID: 1795094292-0
Opcode ID: e6179c5956032c574cca8a21006d3bb142d8d43170353399e0bdbb27710f718b
Instruction ID: 0bb9f6e85c2372df3ac6d5a53f30061b0820239fbe27f7a5361f26ca9f609187
Opcode Fuzzy Hash: e6179c5956032c574cca8a21006d3bb142d8d43170353399e0bdbb27710f718b
Instruction Fuzzy Hash: DF614170B00364DBDB29CF5CC994A5EB7BAEF94708B648919E49287381D730ED48C7D4

Function 02D0A047 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D0A0D6
LocalAlloc.KERNEL32(00000040), ref: 02D0A10E

Part of subcall function 02D27447: lstrcpy.KERNEL32(00000000,ERROR), ref: 02D27465

lstrcpy.KERNEL32(00000000,00434C44), ref: 02D0A219

Strings

<LC, xrefs: 02D0A1BA
@, xrefs: 02D0A0EF

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocalmemset
String ID: <LC$@
API String ID: 4098468873-2262423216
Opcode ID: 6335f0d9757b7b5ca50d81dcc714d0bcf26536528517a69c20e34ba10e077ae9
Instruction ID: a6e7d0f3b3098486efd954f88679871b503b39c8b5f3e9d2c43f8c407fe6cf87
Opcode Fuzzy Hash: 6335f0d9757b7b5ca50d81dcc714d0bcf26536528517a69c20e34ba10e077ae9
Instruction Fuzzy Hash: C051B071A012599BDB10EF64DCC8BDDB7A5EF44318F254165EE08AB3A0DB70ED05CBA0

Function 02D1DA17 Relevance: 9.1, APIs: 6, Instructions: 127registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1DA3D
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?), ref: 02D1DA5C
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,00000000,000000FF), ref: 02D1DA80
RegCloseKey.ADVAPI32(?), ref: 02D1DA8A
lstrcat.KERNEL32(?,00000000), ref: 02D1DAAF
lstrcat.KERNEL32(?,00638968), ref: 02D1DAC3

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: ac4654c9b423e5f92f1e0f5bbd4689b147bb9237eec9d2d29ba4c608ca516213
Instruction ID: 9584f88a94533b9f8ec8f44f25715d8483bc38b0666631c40ff9d153db4bc588
Opcode Fuzzy Hash: ac4654c9b423e5f92f1e0f5bbd4689b147bb9237eec9d2d29ba4c608ca516213
Instruction Fuzzy Hash: F041FB75A00249AFDB58EB64DC85FDDB776EF54304F108064A909973A0EB70AE89CFE1

Function 02D09ED7 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02D09F0F
LocalAlloc.KERNEL32(00000040,?), ref: 02D09F41
StrStrA.SHLWAPI(00000000,00434C20), ref: 02D09F6A
memcmp.MSVCRT(?,0042D674,00000005), ref: 02D09FA3

Strings

4LC, xrefs: 02D09F77
, xrefs: 02D09FCC

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $4LC
API String ID: 4154055062-3100163359
Opcode ID: 2ed3606612dab47c49cc27d7fca0ee64b50a397eb7eb53d0e2c7cd4a10305d8a
Instruction ID: 7dd8a3180f917dff43d164580547c14cd1ab4972b5d4670cea2c30f1746834df
Opcode Fuzzy Hash: 2ed3606612dab47c49cc27d7fca0ee64b50a397eb7eb53d0e2c7cd4a10305d8a
Instruction Fuzzy Hash: 55418F71A012459BCB10AF65CCD8BEEBBB5EF44708F148064ED05973E6EB30AD05CBA0

Function 02D1EC47 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1EC8B
lstrcpy.KERNEL32(00000000,?), ref: 02D1ECBA
lstrcat.KERNEL32(?,00000000), ref: 02D1ECC8
lstrcat.KERNEL32(?,00431794), ref: 02D1ECE1
lstrcat.KERNEL32(?,00638DF8), ref: 02D1ECF4
lstrcat.KERNEL32(?,00431794), ref: 02D1ED06

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 24efa4d62bf1b18e58e6653d9f447b2f22108c514c91e68fd26aaca9e1d00bc0
Instruction ID: 2750cb0ab0f7cb2de29a21fc7640a1eaba524c9df63400e8618385cab7f10211
Opcode Fuzzy Hash: 24efa4d62bf1b18e58e6653d9f447b2f22108c514c91e68fd26aaca9e1d00bc0
Instruction Fuzzy Hash: 3C416575A00159ABCB15EB64DC89FED77B6EF48300F1044A8BA1997390DF709E48CFA4

Function 02D09CE7 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,02D01675), ref: 02D09D01
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,02D01675), ref: 02D09D17
LocalAlloc.KERNEL32(00000040,?,?,?,?,02D01675), ref: 02D09D2E
ReadFile.KERNEL32(00000000,00000000,?,02D01675,00000000,?,?,?,02D01675), ref: 02D09D47
LocalFree.KERNEL32(?,?,?,?,02D01675), ref: 02D09D67
CloseHandle.KERNEL32(00000000,?,?,?,02D01675), ref: 02D09D6E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
Instruction ID: 86189a6b4af0d8fa39ca5b7a87b5624cb6f00d72078b49791a77f59fa063d131
Opcode Fuzzy Hash: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
Instruction Fuzzy Hash: 4C114C71640205AFE7109FA8DCD8BAA736EEB04B44F104119B915972E1EB70AD40CBB0

Function 00409A80 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0040140E), ref: 00409A9A
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040140E), ref: 00409AB0
LocalAlloc.KERNEL32(00000040,?,?,?,?,0040140E), ref: 00409AC7
ReadFile.KERNEL32(00000000,00000000,?,0040140E,00000000,?,?,?,0040140E), ref: 00409AE0
LocalFree.KERNEL32(?,?,?,?,0040140E), ref: 00409B00
CloseHandle.KERNEL32(00000000,?,?,?,0040140E), ref: 00409B07

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 8c3de4b5f7d7000f0aa90acc772a5ffcb979225bf9b87a846b24b1fb6ecb3daa
Instruction ID: e07bc1cf37077e01f74a08ddf4965744106ae1532c602a75826c3d4cb70f4bb0
Opcode Fuzzy Hash: 8c3de4b5f7d7000f0aa90acc772a5ffcb979225bf9b87a846b24b1fb6ecb3daa
Instruction Fuzzy Hash: 97115E71600209AFE710DFA9DDC8AAB737DFB44350F10016AF901A72C1EB74AD50CBA4

Function 02D234E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 02D23531
GetLastError.KERNEL32 ref: 02D2353B

Part of subcall function 02D24037: GetProcessHeap.KERNEL32(00000000,?,02D077DF), ref: 02D2403E
Part of subcall function 02D24037: HeapFree.KERNEL32(00000000), ref: 02D24045

wsprintfA.USER32 ref: 02D235D6

Strings

LC, xrefs: 02D2355F
LC, xrefs: 02D23580

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$ErrorFreeInformationLastLogicalProcessProcessorwsprintf
String ID: LC$LC
API String ID: 879827129-528129335
Opcode ID: 1ef1ddb4c12de8c9f3ef3063e2eee2503ff2e2806c72726b2705e383ada50cfd
Instruction ID: 622babe4e3a51fe72d2ffa5fd284e30de17f07f6050e08cc3a6a2fbe78d55679
Opcode Fuzzy Hash: 1ef1ddb4c12de8c9f3ef3063e2eee2503ff2e2806c72726b2705e383ada50cfd
Instruction Fuzzy Hash: 2B319071E006299BCB20CF99D940BAEFBB9FB44B58F10416AE909E3340D7399E05CBD1

Function 00408980 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408996

Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1D5
Part of subcall function 0042A1C0: __CxxThrowException@8.LIBCMT ref: 0042A1EA

std::_Xinvalid_argument.LIBCPMT ref: 004089CD

Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
Part of subcall function 0042A173: __CxxThrowException@8.LIBCMT ref: 0042A19D

memcpy.MSVCRT(?,00000000,?,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408A2B

Strings

invalid string position, xrefs: 00408991
string too long, xrefs: 004089C8

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: 1264ccbffb2aa92ebc0bc6e859d9636bdb236cf983a90bf21c88a9af95831ad1
Instruction ID: 619a558a3a3e20f965be59c2784b6be23361322c52313efc36a838b10db45757
Opcode Fuzzy Hash: 1264ccbffb2aa92ebc0bc6e859d9636bdb236cf983a90bf21c88a9af95831ad1
Instruction Fuzzy Hash: 2621F8723006508BC720AA5CE940A6AF7A5DBA1761B10053FF1C1DB6C1CB75D851C7ED

Function 02D07157 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00407590,00000040,02D076F4), ref: 02D07167
memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 02D071A3
GetProcessHeap.KERNEL32(00000008,?), ref: 02D071DB
RtlAllocateHeap.NTDLL(00000000), ref: 02D071E2

Strings

@, xrefs: 02D07157

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateProcess
String ID: @
API String ID: 966719176-2766056989
Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction ID: 1352d9b4015152c2be4238c18aa1230a2f8f7f0f066698093fff67efc7662c2c
Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction Fuzzy Hash: C6216D706006019BEB248F65DC84BBAB3E4FB44705F84846CEA56CB794E7B8E945CB51

Function 02D2962F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02D29667
GetCPInfo.KERNEL32(?,?), ref: 02D2967A
memset.MSVCRT ref: 02D29692
setSBUpLow.LIBCMT ref: 02D29768

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 723d371ac7c3af6d3a7356f972ce84e78fe6a0c18b4a2c6fb9deb1576fde27db
Instruction ID: e95db60ca12fb5da23bb557667d239563f746849ff472d352f522c0cc6246d10
Opcode Fuzzy Hash: 723d371ac7c3af6d3a7356f972ce84e78fe6a0c18b4a2c6fb9deb1576fde27db
Instruction Fuzzy Hash: 4431E9709042A59EE7259F34C8A43F9BF909F6131DF2489AED891CB391C325CC0EC761

Function 02D21D87 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 02D21DD9

Part of subcall function 02D21A87: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D21AB6
Part of subcall function 02D21A87: lstrlen.KERNEL32(00638DEC), ref: 02D21AC7
Part of subcall function 02D21A87: lstrcpy.KERNEL32(00000000,00000000), ref: 02D21AEE
Part of subcall function 02D21A87: lstrcat.KERNEL32(00000000,00000000), ref: 02D21AF9
Part of subcall function 02D21A87: lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B28
Part of subcall function 02D21A87: lstrlen.KERNEL32(00434F9C), ref: 02D21B3A
Part of subcall function 02D21A87: lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B5B
Part of subcall function 02D21A87: lstrcat.KERNEL32(00000000,00434F9C), ref: 02D21B67
Part of subcall function 02D21A87: lstrcpy.KERNEL32(00000000,00000000), ref: 02D21B96

sscanf.NTDLL ref: 02D21E01
SystemTimeToFileTime.KERNEL32(?,?), ref: 02D21E1D
SystemTimeToFileTime.KERNEL32(?,?), ref: 02D21E2D
ExitProcess.KERNEL32 ref: 02D21E4A

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
Instruction ID: ee39088d26241bbd3eb14788514d785a3c5b8638b0351774d0128f0223f5eb81
Opcode Fuzzy Hash: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
Instruction Fuzzy Hash: 2B21C2B1508301AF8354DF69D88495BBBF9EED8314F409A1EF599C3260E770D9098FA6

Function 00421B20 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421EA0), ref: 00421B72

Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042184F
Part of subcall function 00421820: lstrlenA.KERNEL32(02DF40E0,00000000,00000000,?,?,00421B81), ref: 00421860
Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 00421887
Part of subcall function 00421820: lstrcatA.KERNEL32(00000000,00000000), ref: 00421892
Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 004218C1
Part of subcall function 00421820: lstrlenA.KERNEL32(00434F9C,?,?,00421B81), ref: 004218D3
Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 004218F4
Part of subcall function 00421820: lstrcatA.KERNEL32(00000000,00434F9C,?,?,00421B81), ref: 00421900
Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 0042192F

sscanf.NTDLL ref: 00421B9A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BB6
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BC6
ExitProcess.KERNEL32 ref: 00421BE3

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: 70fb3db3e554c7d51a6d87790ab4f5262d78885ef9ced18a5adf94f503b7bf3d
Instruction ID: 276e4b54b55f1c3fc1aac48e3fc79cc90fd1a426ff4117ad04e9df3e7fe316e2
Opcode Fuzzy Hash: 70fb3db3e554c7d51a6d87790ab4f5262d78885ef9ced18a5adf94f503b7bf3d
Instruction Fuzzy Hash: A72102B1508301AF8344EF69D88485BBBF9EED8304F409A1EF599C3220E774E508CFA6

Function 02D01297 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02D012AD
VirtualAllocExNuma.KERNEL32(00000000), ref: 02D012B4
ExitProcess.KERNEL32 ref: 02D012BF
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 02D012D3
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 02D01312

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID:
API String ID: 3477276466-0
Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction ID: 4816fa582618cd86ea22e5143b71f709bf4d26785cd47829bdeaa6e658b23f91
Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction Fuzzy Hash: 6901F4717403047BEB144AB56C5EF6B77EEA785B05F209019F708E73D0DAB1E9008AB8

Function 00406EF0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406F00
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
HeapAlloc.KERNEL32(00000000), ref: 00406F7B

Strings

@, xrefs: 00406EF0

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: e1db0f0f00307df363e64ad8a88bb248863c5a506cdc1b59983cb41b111b7395
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 92118E70600602CBDB258F60DD84BBB73A4EB40704F054839F946DB6C4FBB8E955CB68

Function 02D22B77 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02D22B8C
RtlAllocateHeap.NTDLL(00000000), ref: 02D22B93
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02D22B10), ref: 02D22BB2
RegQueryValueExA.ADVAPI32(02D22B10,00435094,00000000,00000000,00000000,000000FF), ref: 02D22BCC
RegCloseKey.ADVAPI32(02D22B10), ref: 02D22BD6

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
Instruction ID: 92bc4a846d80b726246669518c189db3c0907ca1bddda1b3e19e8f2f6d47b0e2
Opcode Fuzzy Hash: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
Instruction Fuzzy Hash: 7801B175A00358AFD714CFA49C49FEB7BBDEB48759F200098FE4597245EB715908CBA0

Function 02D01387 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D0139C
RtlAllocateHeap.NTDLL(00000000), ref: 02D013A3
RegOpenKeyExA.ADVAPI32(80000001,00431754,00000000,00020119,?), ref: 02D013C0
RegQueryValueExA.ADVAPI32(?,00431748,00000000,00000000,00000000,000000FF), ref: 02D013DA
RegCloseKey.ADVAPI32(?), ref: 02D013E4

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
Instruction ID: a44bee30cffa2d9f011aba8ab2c38c95b6acd9acb6add93cdb95d51ddc960e72
Opcode Fuzzy Hash: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
Instruction Fuzzy Hash: A7F01D75A40308BFD7149BA09C8DFEA7B7DEB04755F101159BE05E2290EBB05A448BE0

Function 02D29238 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02D29244

Part of subcall function 02D28A66: __getptd_noexit.LIBCMT ref: 02D28A69
Part of subcall function 02D28A66: __amsg_exit.LIBCMT ref: 02D28A76

__getptd.LIBCMT ref: 02D2925B
__amsg_exit.LIBCMT ref: 02D29269
__lock.LIBCMT ref: 02D29279
__updatetlocinfoEx_nolock.LIBCMT ref: 02D2928D

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 20008b949afe04f4c0db9c99c0ad443aa39e2c03d8264a222539faff6a2289d1
Instruction ID: 5d6559f070636aa549567d1b380699af9822e1bd8f8bb818cf8d63aa901a55e1
Opcode Fuzzy Hash: 20008b949afe04f4c0db9c99c0ad443aa39e2c03d8264a222539faff6a2289d1
Instruction Fuzzy Hash: DDF090339487309FEB31BB689805B8D73A2EF20B2CF604159E459A63D0DB645E48DE76

Function 00417C20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417C94
std::_Xinvalid_argument.LIBCPMT ref: 00417CAF
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,00409186,?,?,?,?,00000000,?,00001000,?), ref: 00417D04

Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D58
Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D76
Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D91
Part of subcall function 00417D40: memcpy.MSVCRT(?,?,?,00000000,?,?,00417C7A,00000000,?,?,00000000,?,00409186,?), ref: 00417DF4

Strings

string too long, xrefs: 00417C8F, 00417CAA

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: e41a4c39e7b4d0e0147c01b60b6cfe30a49696396de7ca50b3185aa1218136c2
Instruction ID: 7b95a4aced9dd860c02d356ce7332eab408be2573d525a5934f6cc14bc449fbc
Opcode Fuzzy Hash: e41a4c39e7b4d0e0147c01b60b6cfe30a49696396de7ca50b3185aa1218136c2
Instruction Fuzzy Hash: 3C31E7723082144BE7249E6CE9809ABF7F5EF91760B20452BF5428B741E7759CC183DC

Function 00408850 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408883

Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
Part of subcall function 0042A173: __CxxThrowException@8.LIBCMT ref: 0042A19D

Strings

vector<T> too long, xrefs: 0040887E
yxxx, xrefs: 004088DA
yxxx, xrefs: 0040888D

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
Instruction ID: 7564ff16f4fded24fea60b23033fc6fb145d6f62840a653eb56d940b242daf0a
Opcode Fuzzy Hash: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
Instruction Fuzzy Hash: FD31B7B5E005159BCB08DF58C9906AEBBB6EB88350F14827EE905EB384DB34AD01CBD5

Function 02D1F0F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02D1F12A
StrCmpCA.SHLWAPI(?,ERROR), ref: 02D1F145
lstrcpy.KERNEL32(00000000,ERROR), ref: 02D1F1A6

Strings

ERROR, xrefs: 02D1F13F, 02D1F1A0

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: ce871ecde8db7cfc3056d6aeb74e55e33849ac66478390f3a1a41166bfceedc7
Instruction ID: d908ebdc9faaa285920105aa2dc68ccba5d6cf100ce313d6c0b99fbc3c6d8f11
Opcode Fuzzy Hash: ce871ecde8db7cfc3056d6aeb74e55e33849ac66478390f3a1a41166bfceedc7
Instruction Fuzzy Hash: 9921BFB56112865FDB10BF79DC8CB9977A5EF14308F108414AC49DBB61EB34EC54CBA4

Function 02D22F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?), ref: 02D22F6B
LocalAlloc.KERNEL32(00000040,00000005), ref: 02D22F79
CharToOemW.USER32(?,00000000), ref: 02D22F89

Strings

8LC, xrefs: 02D22FAF

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: AllocCharDefaultLocalLocaleNameUser
String ID: 8LC
API String ID: 2580910410-1713405209
Opcode ID: 8d1da2be3ba6f1f09b22f2d10e9c0f53e0352e1882bf407210536c68e11c4cf7
Instruction ID: 0c8c7f85c901027f0a707ee9241040d0c4b331b63748346a3836130a7307da10
Opcode Fuzzy Hash: 8d1da2be3ba6f1f09b22f2d10e9c0f53e0352e1882bf407210536c68e11c4cf7
Instruction Fuzzy Hash: 4001A272B44718ABD720CB59EC45FAAF7B8F744B21F0042AEFD09D3780D77959048AA1

Function 02D22D37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02D22D66
RtlAllocateHeap.NTDLL(00000000), ref: 02D22D6D
GetComputerNameA.KERNEL32(00000000,00000104), ref: 02D22D81

Strings

8LC, xrefs: 02D22DAB

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID: 8LC
API String ID: 1664310425-1713405209
Opcode ID: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
Instruction ID: 69fe2cf0e4db3b6f8317fecbd9417d00e25b0c9e03b198add71d18096c57f5c3
Opcode Fuzzy Hash: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
Instruction Fuzzy Hash: A901A272A44618ABC710CF99ED45B9DB7B8F744B21F00026AFD15D3780D77819048AE1

Function 00408710 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408737

Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
Part of subcall function 0042A173: __CxxThrowException@8.LIBCMT ref: 0042A19D

Strings

yxxx, xrefs: 00408741
yxxx, xrefs: 00408719
vector<T> too long, xrefs: 00408732

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: 553b742820cae0223f32763f78b48b2837723d7804ef9764059221064cc10c22
Instruction ID: 6a050c7182ba86e4f9edcf12540e1962beac915d64326d2362294264bf04d6a9
Opcode Fuzzy Hash: 553b742820cae0223f32763f78b48b2837723d7804ef9764059221064cc10c22
Instruction Fuzzy Hash: F3F06D27B040210BC214643E9E8449EA94657E539037AD67AE89AFF399DC74EC8285D9

Function 02D1C2E7 Relevance: 6.4, APIs: 5, Instructions: 107stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C327

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 990b93a8a18fa2f5a96702095e37316979256c73fb938d0512626cd5623d606f
Instruction ID: f0e8ad70b0de0a83b710a0eceabd5931686554b1f5519c2a8ee10ab0fbb35489
Opcode Fuzzy Hash: 990b93a8a18fa2f5a96702095e37316979256c73fb938d0512626cd5623d606f
Instruction Fuzzy Hash: 5B319C71A11285ABCB11EBA4EC8CB6DB7BAEB40308F148466E804D7790DB749C05CFA6

Function 02D1EF17 Relevance: 6.3, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1EF46
lstrlen.KERNEL32(00000000), ref: 02D1EF5D
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1EF84
lstrlen.KERNEL32(00000000), ref: 02D1EF8B
lstrcpy.KERNEL32(00000000,00434F88), ref: 02D1EFB9

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: d1b9335e12789eaac1d9ee0706117bfeac593b198cce3fc6bdeff1fa0ee0b2ad
Instruction ID: 4e494f7805fb4eb120fe9d5ce61efcb54a48ceb5e0543b6237ea9ff1ff4d8862
Opcode Fuzzy Hash: d1b9335e12789eaac1d9ee0706117bfeac593b198cce3fc6bdeff1fa0ee0b2ad
Instruction Fuzzy Hash: 86313A75A025966BC711BB38EC8CE5DBBA6EF50308F158560BC049B7A1EB24DC09CFA5

Function 02D23CB7 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27447: lstrcpy.KERNEL32(00000000,ERROR), ref: 02D27465

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D23CFD
Process32First.KERNEL32(00000000,00000128), ref: 02D23D10
Process32Next.KERNEL32(00000000,00000128), ref: 02D23D26

Part of subcall function 02D27577: lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
Part of subcall function 02D27577: lstrcpy.KERNEL32(00000000), ref: 02D275A6
Part of subcall function 02D27577: lstrcat.KERNEL32(?,------), ref: 02D275B0

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

CloseHandle.KERNEL32(00000000), ref: 02D23E5E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 49579a6b685d4f0f0103baf5644634ac2fcfc3f96350a6441b66680175cd71cd
Instruction ID: 6117e57c0c4765ed873ad1d5ddaf1a5b00e25420fe94db5d2539e34915823dfe
Opcode Fuzzy Hash: 49579a6b685d4f0f0103baf5644634ac2fcfc3f96350a6441b66680175cd71cd
Instruction Fuzzy Hash: C081E170900225CFD765CF18D948B95B7B1FB54328F29C1E9D4099B3A2D77A9C8ACF90

Function 02D1E767 Relevance: 6.2, APIs: 4, Instructions: 150stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1E7AB
lstrcpy.KERNEL32(00000000,?), ref: 02D1E7DA
lstrcat.KERNEL32(?,00000000), ref: 02D1E7E8
lstrcat.KERNEL32(?,00638B00), ref: 02D1E803

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 11d9f56744845d9c53a32895c8ee140a75e32675b654f084e6722e1bd12f0c18
Instruction ID: 148c1da2407feca340f40935b54fd07850a1de16f35ae55dad7f60f94cf7fd5c
Opcode Fuzzy Hash: 11d9f56744845d9c53a32895c8ee140a75e32675b654f084e6722e1bd12f0c18
Instruction Fuzzy Hash: D55161B5A00119AFDB15EB64DC85FFD777AEB48300F544499BA0997390EE70AE44CFA0

Function 02D224C3 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02D224E9
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D225C5
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 02D22627
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D22706), ref: 02D22639

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
Instruction ID: 713be16ff422f3d2e32fa28e8d41d4713416dd35fdffb3303649febd7b5fdfae
Opcode Fuzzy Hash: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
Instruction Fuzzy Hash: 7641CF71A002699BDB10CFA4D8A8BAE77BAFB94718F148129FD15D7340D370ED45CB90

Function 02D04CC7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 02D04D02
RtlAllocateHeap.NTDLL(00000000), ref: 02D04D09
strlen.MSVCRT ref: 02D04D96
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 02D04E17

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: 045d89fccd1938906dd098eb9d538f982648d72d25a4e93490e98aa75e76be42
Instruction ID: 34ed97c730631b1a3a37931faeb18e2c8d785e59664ed7a8294daaeed6a30b3d
Opcode Fuzzy Hash: 045d89fccd1938906dd098eb9d538f982648d72d25a4e93490e98aa75e76be42
Instruction Fuzzy Hash: 6A31E3A8B80228768620EBFB4C4BF9F7E55DFCC760F215097751857180C9A96681CBEA

Function 02D17FA7 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02D17FBF

Part of subcall function 02D2A427: std::exception::exception.LIBCMT ref: 02D2A43C
Part of subcall function 02D2A427: __CxxThrowException@8.LIBCMT ref: 02D2A451
Part of subcall function 02D2A427: std::exception::exception.LIBCMT ref: 02D2A462

std::_Xinvalid_argument.LIBCPMT ref: 02D17FDD
std::_Xinvalid_argument.LIBCPMT ref: 02D17FF8
memcpy.MSVCRT(?,?,?,00000000,?,?,02D17EE1,00000000,?,?,00000000,?,02D093ED,?), ref: 02D1805B

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: 7e47054b543add41ed036c20b3e7533534c3db14565d3586dec7f27f450a48db
Instruction ID: f7a4306eaeae522c158dae92c361614dd40b4f8a993d38109dcbc27da7a1a788
Opcode Fuzzy Hash: 7e47054b543add41ed036c20b3e7533534c3db14565d3586dec7f27f450a48db
Instruction Fuzzy Hash: E12195313006049FE324DE6CE880B2AF7E6EB95714F20462EE492CBB91D7B1DC44D764

Function 02D1EDD7 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D1EE1B
lstrcpy.KERNEL32(00000000,?), ref: 02D1EE4A
lstrcat.KERNEL32(?,00000000), ref: 02D1EE58
lstrcat.KERNEL32(?,00638930), ref: 02D1EE73

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: f44c8fe01b78bf9ffe9778e429b03f31e3d3676987f01a2fac21585407633bc3
Instruction ID: 585d9f7a0ece6e698bf8f90710197f6f317756f33bcb1ad204a07fd1abc0042c
Opcode Fuzzy Hash: f44c8fe01b78bf9ffe9778e429b03f31e3d3676987f01a2fac21585407633bc3
Instruction Fuzzy Hash: BA3141B5A01159ABCB14EF64DC89FED77B6EF48300F1044A9BA1997390DE70AE44CFA4

Function 02D1CAA7 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 02D1CACC
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1CB09
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1CB38

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: f6f4934636fa2bed32cbaac12c325caa80a576f0d73aa55247a7f522c4cf719a
Instruction ID: 028550fe392ce95cf5bda1e837c22cb8c707df5f5277ae62f7734857cafde2b3
Opcode Fuzzy Hash: f6f4934636fa2bed32cbaac12c325caa80a576f0d73aa55247a7f522c4cf719a
Instruction Fuzzy Hash: E921E471E50248AFCB11EFB4ED88BAEBBB9EB08304F154066E805E7381D7749D05CBA5

Function 02D182A3 Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 02D182DC
lstrlen.KERNEL32(00000000), ref: 02D18322
lstrcpy.KERNEL32(00000000,00000000), ref: 02D18351
strtok_s.MSVCRT ref: 02D183E6

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 8091fbfbc130a8340db7cbb0d169d97da020a13851d1453df9935ab1b5c8b065
Instruction ID: dd888a8170c7f31b303232c2ddd212a31550df6bc73ab9ab9c254cade60b67f0
Opcode Fuzzy Hash: 8091fbfbc130a8340db7cbb0d169d97da020a13851d1453df9935ab1b5c8b065
Instruction Fuzzy Hash: 9731DF76904245AFD712CF68EC48BAABBB4EF04300F184199E889D7755EB31DD45CB90

Function 02D18097 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 02D180D6
memcmp.MSVCRT(00000000,?,?,?,00434B40,00000000), ref: 02D180F0
memchr.MSVCRT ref: 02D1810F

Strings

@KC, xrefs: 02D1809D, 02D180D4

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: memchr$memcmp
String ID: @KC
API String ID: 2210787808-1938018870
Opcode ID: b9d862aece4ee9677d3bc088a7b11a40e3bc3b419b4930aa2c22ba220a5863d1
Instruction ID: 2521f3ac681e5219c057d210d1fa4ee51e6466c1a653c2c4e3c88be56b1403ed
Opcode Fuzzy Hash: b9d862aece4ee9677d3bc088a7b11a40e3bc3b419b4930aa2c22ba220a5863d1
Instruction Fuzzy Hash: EC210873600214ABD715CF64EC849AB77AAEFC53247248669EC25CB745C731DD42C7E0

Function 02D18F07 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00434E00), ref: 02D18F21
ExitProcess.KERNEL32 ref: 02D18F2E
strtok_s.MSVCRT ref: 02D18F40

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: e00a129f6f00f9850b897fcb722e900ccc2381b3c59f46b44b003cbfcb553c26
Instruction ID: 78ccc4ba686536cb8f113dba51023ec4a78d9f4bd7c6ed959c59eb8794d0e4f5
Opcode Fuzzy Hash: e00a129f6f00f9850b897fcb722e900ccc2381b3c59f46b44b003cbfcb553c26
Instruction Fuzzy Hash: EC015276900209FBDB10DFA4EC848DE77BAEB88305F108479F919D7250E7749E858BA5

Function 02D23627 Relevance: 6.0, APIs: 4, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D23656
RtlAllocateHeap.NTDLL(00000000), ref: 02D2365D
GlobalMemoryStatusEx.KERNEL32 ref: 02D23678
wsprintfA.USER32 ref: 02D2369E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
String ID:
API String ID: 2922868504-0
Opcode ID: fb51181e03ceb3a90fb71e1016e28f08c61a464ea28ebc853029e4ba336a3f6d
Instruction ID: 86bfe334aa5bf781ffce3090b40e9a77823fcc770c4ea5ed23cd60bd3daca477
Opcode Fuzzy Hash: fb51181e03ceb3a90fb71e1016e28f08c61a464ea28ebc853029e4ba336a3f6d
Instruction Fuzzy Hash: 4901F5B1A08258AFD708DB98DD49B6EB7BDFB44710F000129F906D7380D7B89C008AA5

Function 02D22DC7 Relevance: 6.0, APIs: 4, Instructions: 48memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0042A3D0,000000FF), ref: 02D22DF6
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02D22DFD
GetLocalTime.KERNEL32(?,?,00000000,0042A3D0,000000FF), ref: 02D22E09
wsprintfA.USER32 ref: 02D22E35

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 1187c665280c0081dca809d70cdac0b9e14ddbc1924146aa472259be47c606b7
Instruction ID: 8c34349a47f058d6690e60c1733dac4b139ae13e761a6dd5b4e63d16ae77d0dd
Opcode Fuzzy Hash: 1187c665280c0081dca809d70cdac0b9e14ddbc1924146aa472259be47c606b7
Instruction Fuzzy Hash: A10140B2904628ABCB149BD9DD45FBEB7BDFB4CB11F00011AFA45A2290E7B85940C7B5

Function 02D1CBC4 Relevance: 6.0, APIs: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00431C70), ref: 02D1CBCA
StrCmpCA.SHLWAPI(?,00434C3C,?,00431C70), ref: 02D1CBE1
StrCmpCA.SHLWAPI(?,00434C40,?,00434C3C,?,00431C70), ref: 02D1CBF8
strtok_s.MSVCRT ref: 02D1CCEE

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 50202650d3246678f72eb674bac2dd8d9b7eb456bd8fcee34b14de3847553133
Instruction ID: cdca5927061a68dc461894c246f3934a9ca107624fc4f0178f1bd352edb413fd
Opcode Fuzzy Hash: 50202650d3246678f72eb674bac2dd8d9b7eb456bd8fcee34b14de3847553133
Instruction Fuzzy Hash: CC01A271A81115A7CB219FA1ED88BADB765EF00705F105016E801E6350E7789E45CFA6

Function 02D246E7 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 02D246F9
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02D24714
CloseHandle.KERNEL32(00000000), ref: 02D2471B
lstrcpy.KERNEL32(00000000,?), ref: 02D2474E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
Instruction ID: ecb5349574e6ab3430faeabd208089a48b14a94017d0a26489ce723299fb8c83
Opcode Fuzzy Hash: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
Instruction Fuzzy Hash: 0EF0C8B09016252BE7219B749C8CBE5BAB9DB15708F1054A4EE54D7280DBF09C88CBE0

Function 02D27577 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
lstrcpy.KERNEL32(00000000), ref: 02D275A6
lstrcat.KERNEL32(?,------), ref: 02D275B0

Strings

------, xrefs: 02D27579, 02D275AE

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: ------
API String ID: 3050337572-882505780
Opcode ID: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
Instruction ID: 046c980960651320007adce3d36a0a168aa3ac921763db85dea9a2498bd18bda
Opcode Fuzzy Hash: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
Instruction Fuzzy Hash: 63F039B49013128FDB209F35D888922FBFAEF94708314982DA88AC3318EB30D840CF60

Function 02D13637 Relevance: 5.5, APIs: 4, Instructions: 486stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01802
Part of subcall function 02D01797: lstrcpy.KERNEL32(00000000,?), ref: 02D01866

lstrcpy.KERNEL32(00000000,?), ref: 02D13689
lstrcpy.KERNEL32(00000000,?), ref: 02D136B2
lstrcpy.KERNEL32(00000000,?), ref: 02D136D8
lstrcpy.KERNEL32(00000000,?), ref: 02D136FE

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
Instruction ID: 8733b4894c9520e7c359e9210883678b3a29c7722adbb732042b369c135b8b91
Opcode Fuzzy Hash: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
Instruction Fuzzy Hash: 0712FC70A012019FDB98CF19E598B25B7E5AF44728B19C0EED809DB7A6D772DC42CF90

Function 00408780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004087DC
memcpy.MSVCRT(?,?,00000000,00000000,00407897), ref: 00408822

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

Strings

string too long, xrefs: 004087D7

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 20a0e1fa80b2d40189671086a8601b96c4190272eee8fccfd7a78e7d92450db4
Instruction ID: b799d092ef9cae65facd334a6b89e5ae18e89b85f7d552003ee478c73589ae49
Opcode Fuzzy Hash: 20a0e1fa80b2d40189671086a8601b96c4190272eee8fccfd7a78e7d92450db4
Instruction Fuzzy Hash: DD21AE213106508BDB259A6C8E80A2AB3E6AB85711B74097FE0D1D77C6DF79AC40879D

Function 02D08AB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02D08AEA

Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A3EF
Part of subcall function 02D2A3DA: __CxxThrowException@8.LIBCMT ref: 02D2A404
Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A415

Strings

yxxx, xrefs: 02D08B41
yxxx, xrefs: 02D08AF4

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
Instruction ID: 534af2d47becac3b0468074ca73c222f7a056d1899962472a08d6dec1dedcfe8
Opcode Fuzzy Hash: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
Instruction Fuzzy Hash: 5C3197B5E005199FCB08DF58C89079EBBB6EB88310F188269E915DB384D731AD01CBD1

Function 00408A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408A75

Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
Part of subcall function 0042A173: __CxxThrowException@8.LIBCMT ref: 0042A19D

memcpy.MSVCRT(?,?,?), ref: 00408ABF

Strings

string too long, xrefs: 00408A70

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: 2cecf57ea5af59452acfa892dcec981f503e4cb288e235a5eae741e3d1ec3341
Instruction ID: 3089fc7e7832a89005345014d0910da57ed2333d4baad04f32cbc36f091640d4
Opcode Fuzzy Hash: 2cecf57ea5af59452acfa892dcec981f503e4cb288e235a5eae741e3d1ec3341
Instruction Fuzzy Hash: DB21F5317046045BEB20CE6DDA4066FB7A6EBD5320F148A3FE881D33C1DF74A9448B98

Function 02D25B77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02D25B89

Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A3EF
Part of subcall function 02D2A3DA: __CxxThrowException@8.LIBCMT ref: 02D2A404
Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A415

std::_Xinvalid_argument.LIBCPMT ref: 02D25B9C

Strings

Sec-WebSocket-Version: 13, xrefs: 02D25B8E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 72ce411f60a9603ccc78830aed89491ef0d3d3f59f8d142ff26189d7cf510ab7
Instruction ID: 09a35d62de9a355948008bee0ca97877a028f4adff51dbcde9fc483d0755e8a7
Opcode Fuzzy Hash: 72ce411f60a9603ccc78830aed89491ef0d3d3f59f8d142ff26189d7cf510ab7
Instruction Fuzzy Hash: AB1170703047608BC3358A2CF940F1AB7E2EBE1718FA40B9DE09187784C762EC49C761

Function 02D04E27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02D04E86
InternetCrackUrlA.WININET(?,00000000), ref: 02D04E8E

Strings

<, xrefs: 02D04E4E

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
Instruction ID: 91548d5d8054d06df9d94939fcca87760467ac04117a51a674f7f63342aa4e9b
Opcode Fuzzy Hash: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
Instruction Fuzzy Hash: EB011771D00218AFDB10DFA8EC48B9EBBA9EB08360F00812AF954E7390EB7459058FD4

Function 00408B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408B8F

Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1D5
Part of subcall function 0042A1C0: __CxxThrowException@8.LIBCMT ref: 0042A1EA

memmove.MSVCRT(?,?,?,?,?,004089B2,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408BC5

Strings

invalid string position, xrefs: 00408B8A

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: ac6795f25ef18eeed2e13ecde80d8ae79474f4bb620a7c1820e729909ec2ccd9
Instruction ID: 53d9df9cfc3258e6a1c1fb5dc4ad9744160fc55fc09269fc7e45ec912c21b5c3
Opcode Fuzzy Hash: ac6795f25ef18eeed2e13ecde80d8ae79474f4bb620a7c1820e729909ec2ccd9
Instruction Fuzzy Hash: 1A0184703043004BD3258A6CEE9462AB7B6DBC5704B68493EE0D2D7785DBB8FC42879D

Function 02D08977 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02D0899E

Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A3EF
Part of subcall function 02D2A3DA: __CxxThrowException@8.LIBCMT ref: 02D2A404
Part of subcall function 02D2A3DA: std::exception::exception.LIBCMT ref: 02D2A415

Strings

yxxx, xrefs: 02D08980
yxxx, xrefs: 02D089A8

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: 553b742820cae0223f32763f78b48b2837723d7804ef9764059221064cc10c22
Instruction ID: c5b575d42cb8604a199626afec1da2d51b3e11a16d3e64c8df695f225632fe47
Opcode Fuzzy Hash: 553b742820cae0223f32763f78b48b2837723d7804ef9764059221064cc10c22
Instruction Fuzzy Hash: 82F0B423F040350F8314B43DADC869FA94797E425032AD722D956DF3E8E971EC82B5E6

Function 02D01327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02D01351
ExitProcess.KERNEL32 ref: 02D0137B

Strings

@, xrefs: 02D01349

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 803317263-2766056989
Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction ID: bfc378884462251a2a95c28da6887bb46c57b4d1d3e8c33008d791673b000a33
Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction Fuzzy Hash: 88F082B05083458BEF14A66498C972DB6D9DB02358F505A29DDDEC2BF0E770CC01C66B

Function 00427469 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::operator=.LIBCMT ref: 00427482

Part of subcall function 00427402: std::exception::_Tidy.LIBCMT ref: 00427412
Part of subcall function 00427402: std::exception::_Copy_str.LIBCMT ref: 00427422

Strings

HVC, xrefs: 0042746B
BtB, xrefs: 00427478

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: std::exception::_$Copy_strTidystd::exception::operator=
String ID: BtB$HVC
API String ID: 2698302428-2929062201
Opcode ID: 2064f9a79aefac47aea97d2be971b37e961745f4f53de9829b772e1ea93b53f3
Instruction ID: ca7befed4fc05bf215c2ccad8c7d361c703a10efed1f570164778f62d87aa29a
Opcode Fuzzy Hash: 2064f9a79aefac47aea97d2be971b37e961745f4f53de9829b772e1ea93b53f3
Instruction Fuzzy Hash: C8D0223220436467C3206A86E806B93FFC8DB413B6F44C02EF9CC47601C7B99810C7E8

Function 02D1C3DD Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTime
String ID:
API String ID: 1816220002-0
Opcode ID: be235fe9bebd4aed7a40114c52ea8964f9ede992816bb4da7868c9f3c889d5b2
Instruction ID: dcdbd683d11409a7141e0b48fc16a3d1c69a2b7c6b82ec0871bff6b5b2314905
Opcode Fuzzy Hash: be235fe9bebd4aed7a40114c52ea8964f9ede992816bb4da7868c9f3c889d5b2
Instruction Fuzzy Hash: 94319C71911295ABDB11EFA4ECC8BADB7B2EF40308F1484A5D804A7B90DB74AD05CFA1

Function 02D1C39E Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTime
String ID:
API String ID: 1816220002-0
Opcode ID: e439b13af971c91788a7f9ce98ef01b15bceb564fc4667b83cefc6f8dc24056b
Instruction ID: 6ac5c64afb354093caf34a9b6b095eaf9b3a6507f92c64430e07d11b4999efb9
Opcode Fuzzy Hash: e439b13af971c91788a7f9ce98ef01b15bceb564fc4667b83cefc6f8dc24056b
Instruction Fuzzy Hash: F3319C71911255EBCB11EFA4ECC8BADB7B6EF40308F1584A5E804A7B90DB74AD05CF62

Function 02D1C35F Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTime
String ID:
API String ID: 1816220002-0
Opcode ID: af8567e061a0f953413200cc3095a5a5c5af79d51d934afd5fcf18e0a3b63bae
Instruction ID: 6e8505e475e294dcd84c8aa7fc95537383981f9e6226d038852b2c7f145fb312
Opcode Fuzzy Hash: af8567e061a0f953413200cc3095a5a5c5af79d51d934afd5fcf18e0a3b63bae
Instruction Fuzzy Hash: 3B31A071D11255ABCB11EFA4DCC8BADB7B6EF40308F1484A5D804A7BA0DB74AD45CF61

Function 02D1C419 Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTime
String ID:
API String ID: 1816220002-0
Opcode ID: 84d2cc247a8b79976c523f9584967691d5091d9f9ac208a4f9fdd6843a9c4432
Instruction ID: dea5b48bc6e1e6844fad04ea2b56cf41ae05c44b80d8dd3a929943442b8552d4
Opcode Fuzzy Hash: 84d2cc247a8b79976c523f9584967691d5091d9f9ac208a4f9fdd6843a9c4432
Instruction Fuzzy Hash: CB319F71D11255ABCB11EFA4ECC8BADB7B6EF44308F248469D804A7790DB74AD05CF61

Function 02D217D7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02D21808
lstrcpy.KERNEL32(00000000,?), ref: 02D21840
lstrcpy.KERNEL32(00000000,?), ref: 02D21878
lstrcpy.KERNEL32(00000000,?), ref: 02D218B0

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
Instruction ID: 6150ab75559d1148eb91001969094b2f7b547fbac89fa3a46fea85473809b347
Opcode Fuzzy Hash: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
Instruction Fuzzy Hash: E421FAB4601B029BD724DF39C998B16F7E5EF54308B148A1C988AC7B51EB70E804CFA0

Function 02D01797 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D01877: lstrcpy.KERNEL32(00000000), ref: 02D01894
Part of subcall function 02D01877: lstrcpy.KERNEL32(00000000,?), ref: 02D018B6
Part of subcall function 02D01877: lstrcpy.KERNEL32(00000000,?), ref: 02D018D8
Part of subcall function 02D01877: lstrcpy.KERNEL32(00000000,?), ref: 02D018FA

lstrcpy.KERNEL32(00000000,?), ref: 02D017BE
lstrcpy.KERNEL32(00000000,?), ref: 02D017E0
lstrcpy.KERNEL32(00000000,?), ref: 02D01802
lstrcpy.KERNEL32(00000000,?), ref: 02D01866

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
Instruction ID: 38b5157921d73968c8daedb2110e155e16189e022e442cb66f1c1242eecaba2d
Opcode Fuzzy Hash: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
Instruction Fuzzy Hash: 5331C5B4A01B42AFC724DF3AC588A56BBE5FF48704700492DA896C3BA0DB70F810CF90

Function 02D1C449 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D242A7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02D242D4
Part of subcall function 02D242A7: lstrcpy.KERNEL32(00000000,?), ref: 02D24309

Part of subcall function 02D27527: lstrcpy.KERNEL32(00000000), ref: 02D27556
Part of subcall function 02D27527: lstrcat.KERNEL32(00000000), ref: 02D27562

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTime
String ID:
API String ID: 1816220002-0
Opcode ID: 61a541eaa0849ea2e0d5ce0af3ecbd6ad0c35d1f0af52485b42202bd9ae5cc02
Instruction ID: 3358ef4accb49d75aa4fa42779f62cdfbb68fbc49c2ccc1854ba0592d498f603
Opcode Fuzzy Hash: 61a541eaa0849ea2e0d5ce0af3ecbd6ad0c35d1f0af52485b42202bd9ae5cc02
Instruction Fuzzy Hash: FE31BF71D11259ABCB11EFA4DCC8BADB7B2EF40308F148465D804AB7A4DB74AD05CFA1

Function 00421570 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 004215A1
lstrcpy.KERNEL32(00000000,?), ref: 004215D9
lstrcpy.KERNEL32(00000000,?), ref: 00421611
lstrcpy.KERNEL32(00000000,?), ref: 00421649

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 8561c450ff5806efa9328425447984e2dfc3d00f0a6d3cbe909e2d5d3455e04e
Instruction ID: d835a63f815e36da5ade85c26f075bb24775596f52dd66724b9a128e54fe9737
Opcode Fuzzy Hash: 8561c450ff5806efa9328425447984e2dfc3d00f0a6d3cbe909e2d5d3455e04e
Instruction Fuzzy Hash: 382127B0701B029BD724DF2AE998A17B7F5AF54700B44492EA486D7B90DB78E841CFA4

Function 00401530 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401610: lstrcpy.KERNEL32(00000000), ref: 0040162D
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 0040164F
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 00401671
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,00420533), ref: 00401693

lstrcpy.KERNEL32(00000000,?), ref: 00401557
lstrcpy.KERNEL32(00000000,?), ref: 00401579
lstrcpy.KERNEL32(00000000,?), ref: 0040159B
lstrcpy.KERNEL32(00000000,?), ref: 004015FF

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 885b17a84b13c90da5186a49087c4ecc35c25859715a4917ce95556ed04e60e1
Instruction ID: 80b5f1fa651da611af66416e481b020f72ab7f98df4cd08dbf14573642dabe07
Opcode Fuzzy Hash: 885b17a84b13c90da5186a49087c4ecc35c25859715a4917ce95556ed04e60e1
Instruction Fuzzy Hash: 7931C674A01B02AFC724DF3AC988953B7E5BF48304704492EA896D7BA0DB74F811CF94

Function 02D1C33D Relevance: 5.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D27577: lstrlen.KERNEL32(------,02D05E52), ref: 02D27582
Part of subcall function 02D27577: lstrcpy.KERNEL32(00000000), ref: 02D275A6
Part of subcall function 02D27577: lstrcat.KERNEL32(?,------), ref: 02D275B0

Part of subcall function 02D274E7: lstrcpy.KERNEL32(00000000), ref: 02D27515

Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D2410C
Part of subcall function 02D240D7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02D24136
Part of subcall function 02D240D7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02D015B5,?,0000001A), ref: 02D24140

lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4B9
lstrcat.KERNEL32(00000000), ref: 02D1C4C3
lstrcpy.KERNEL32(00000000,00000000), ref: 02D1C4F1
lstrcpy.KERNEL32(00000000,0042CFEC), ref: 02D1C539

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 6395358b8028805ab7ed5dd252d1eb9a617b945a9a4610eb8dec3195b28e5f96
Instruction ID: 54b08f511908f7e47f6665bcc1c47e011bdc6eacb97bdbd15b390e46b42c2073
Opcode Fuzzy Hash: 6395358b8028805ab7ed5dd252d1eb9a617b945a9a4610eb8dec3195b28e5f96
Instruction Fuzzy Hash: D6218D71911245ABCB11EFA4E8C8BADB7B6EB44308F144469E404A77A0DB74AD05CFA1

Function 00406EF2 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406F00
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
HeapAlloc.KERNEL32(00000000), ref: 00406F7B

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 3489786ad6ffc592b33c98b5093e94c05e4d8cefe55189094fd4c73ee0e5810c
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 8B216D706106029BDB248B21DD84BBB73E8EB40704F44487DF946DBA84FBB9E956CB64

Function 02D01877 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02D01894
lstrcpy.KERNEL32(00000000,?), ref: 02D018B6
lstrcpy.KERNEL32(00000000,?), ref: 02D018D8
lstrcpy.KERNEL32(00000000,?), ref: 02D018FA

Memory Dump Source

Source File: 00000000.00000002.1651900103.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
Instruction ID: b071b6e49732d5c43a2aaa6ff6b74bf93f8890e17365951bc21d489e4c362106
Opcode Fuzzy Hash: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
Instruction Fuzzy Hash: 3D110074A117026BD7249F35D89CA26B7E9FF443057044A2C985AC3B90DB70E800CFA4

Function 00401610 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040162D
lstrcpy.KERNEL32(00000000,?), ref: 0040164F
lstrcpy.KERNEL32(00000000,?), ref: 00401671
lstrcpy.KERNEL32(00000000,00420533), ref: 00401693

Memory Dump Source

Source File: 00000000.00000002.1650494052.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1650494052.0000000000443000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000046E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000493000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.00000000004F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000055D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650494052.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5yTEUojIn0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4ea391a1f9347acba3c00b5a2a9311a386dffa38b9385c59d5aa46518d5842b9
Instruction ID: 77a9aadbbd26ea48150a62d0fa0b2c9b2127a70dadc2ffa25d6a6684b0360a2a
Opcode Fuzzy Hash: 4ea391a1f9347acba3c00b5a2a9311a386dffa38b9385c59d5aa46518d5842b9
Instruction Fuzzy Hash: 291112B46117029BD7149F36D94C927B7F8BF44305704093EA496E3B90DB79E801CB94

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5yTEUojIn0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5yTEUojIn0.exe_218059f64b8ee559322c2d8a673d01e4d47cb61_b3b022df_521023f3-7559-411f-8d6c-0ec1fbcda460\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86CB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87C6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87F6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
5yTEUojIn0.exe

Function 004266E0 Relevance: 214.2, APIs: 115, Strings: 7, Instructions: 696
libraryloaderCOMMON

Function 00404A60 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Function 00426390 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Function 00406C40 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Function 00421BF0 Relevance: 13.6, APIs: 9, Instructions: 129
COMMON

Function 00405640 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Function 00405790 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Function 0042658E Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 88
libraryloaderCOMMON

Function 02D0003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00422740 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Function 00404BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Function 00422910 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Function 00422880 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON