Edit tour

Windows Analysis Report
aspweb88.exe

Overview

General Information

Sample name:	aspweb88.exe
Analysis ID:	1559305
MD5:	8ae129a3f1e337c110ce61578a61e48c
SHA1:	c8d1561e246de145755ca3958b969dc2691ba64c
SHA256:	14171cd5c9cf431e852aac991007c403b0d667b7b58750a1855d09bfd7dcee96
Tags:	exeopendiruser-Joker
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious URL

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to detect virtual machines (SIDT)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

aspweb88.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\aspweb88.exe" MD5: 8AE129A3F1E337C110CE61578A61E48C)

chrome.exe (PID: 7692 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://127.0.0.1:88/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,16356890671198062281,12564807779130480005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
aspweb88.exe	CN_Honker_Injection_transit	Sample from CN Honker Pentest Toolset - file Injection_transit.exe	Florian Roth	0x9e028:$s0: <description>Your app description here</description> 0x9dda4:$s4: Copyright (C) 2003 ZYDSoft Corp. 0x7df1b:$s5: ScriptnackgBun

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.aspweb88.exe.400000.0.unpack	CN_Honker_Injection_transit	Sample from CN Honker Pentest Toolset - file Injection_transit.exe	Florian Roth	0x195c28:$s0: <description>Your app description here</description> 0x1959a4:$s4: Copyright (C) 2003 ZYDSoft Corp. 0x175b1b:$s5: ScriptnackgBun

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109008217X-BM-CBT: 1696494873X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 229C124F14F843F693B4EF574DFCAAABX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109008217X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 516Connection: Keep-AliveCache-Control: no-cacheCookie: SRCHUID=V=2&GUID=7A0479E0E07C4D7D91A8C7552F34E6D4&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&LUT=1696493908190&IPMH=7bc3b11d&IPMID=1696494873321&HV=1696494765; MUID=4E6D5F19647E45969740B90CC0355D4C; _SS=SID=1F4D6C7F4B26664337657FDE4A3767CB&CPID=1696494874312&AC=1&CPH=893a1c21; _EDGE_S=SID=1F4D6C7F4B26664337657FDE4A3767CB

Source: aspweb88.exe, 00000000.00000002.3250136792.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, aspweb88.exe, 00000000.00000003.1444785432.000000000277C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/$F
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/Gz_
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/n
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/o
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88/v
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:88R
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: aspweb88.exe, chromecache_143.5.dr	String found in binary or memory: http://www.netbox.cn
Source: aspweb88.exe, aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: LICENSE.txt.3.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.3.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: LICENSE.txt.3.dr	String found in binary or memory: https://easylist.to/)
Source: LICENSE.txt.3.dr	String found in binary or memory: https://github.com/easylist)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63748
Source: unknown	Network traffic detected: HTTP traffic on port 51900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51898
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51899
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51897
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 63748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.3.187.198:443 -> 192.168.2.8:51897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:51898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:51899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:51900 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: aspweb88.exe, type: SAMPLE	Matched rule: Sample from CN Honker Pentest Toolset - file Injection_transit.exe Author: Florian Roth
Source: 0.0.aspweb88.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Sample from CN Honker Pentest Toolset - file Injection_transit.exe Author: Florian Roth

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0041F4F0 PostQuitMessage,GetSystemMenu,GetMenuItemCount,DeleteMenu,InsertMenuA,InsertMenuA,InsertMenuA,InsertMenuA,InsertMenuA,InsertMenuA,SetTimer,QueryPerformanceCounter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PostMessageA,PostMessageA,KillTimer,Shell_NotifyIcon,NtdllDefWindowProc_A,NtdllDefWindowProc_A,NtdllDefWindowProc_A,PostMessageA,NtdllDefWindowProc_A,QueryPerformanceCounter,FindWindowA,Shell_NotifyIcon,QueryPerformanceCounter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCursorPos,SetForegroundWindow,PostMessageA,Shell_NotifyIcon,QueryPerformanceCounter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,NtdllDefWindowProc_A,TrackPopupMenu,Shell_NotifyIcon,GetCursorPos,QueryPerformanceCounter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetDoubleClickTime,PostMessageA,GetCursorPos,SetForegroundWindow,PostMessageA,GetCursorPos,SetForegroundWindow,PostMessageA,PostMessageA,	0_2_0041F4F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00455310 NtdllDefWindowProc_A,	0_2_00455310
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00521612 NtdllDefWindowProc_A,CallWindowProcA,	0_2_00521612
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00456130 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalLock,GlobalUnlock,CreateStreamOnHGlobal,lstrlen,SetWindowLongA,NtdllDefWindowProc_A,	0_2_00456130
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00456380 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalLock,GlobalUnlock,CreateStreamOnHGlobal,lstrlen,SysFreeString,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A,	0_2_00456380
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00522697 NtdllDefWindowProc_A,	0_2_00522697
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00452F30 GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A,	0_2_00452F30
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_005230C9 NtdllDefWindowProc_A,	0_2_005230C9
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004575A0 NtdllDefWindowProc_A,VariantInit,InterlockedExchange,GetCurrentThreadId,GetTopWindow,GetWindowThreadProcessId,IsWindowEnabled,IsWindowVisible,GetWindow,SetForegroundWindow,SendMessageA,	0_2_004575A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0044FE50 NtdllDefWindowProc_A,GetSysColor,	0_2_0044FE50

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0046D400: DeviceIoControl,DeviceIoControl,

0_2_0046D400

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0041E750 OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,RegOpenKeyA,RegDeleteValueA,RegCloseKey,

0_2_0041E750

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_00434820 ExitWindowsEx,ExitWindowsEx,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,InitiateSystemShutdownA,ExitWindowsEx,ExitWindowsEx,

0_2_00434820

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_7692_1161933658

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00435800	0_2_00435800
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004881F0	0_2_004881F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E41F4	0_2_004E41F4
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E8190	0_2_004E8190
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D8250	0_2_004D8250
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00480300	0_2_00480300
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E8324	0_2_004E8324
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004B03D0	0_2_004B03D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E438F	0_2_004E438F
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D84F0	0_2_004D84F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BC480	0_2_004BC480
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D8670	0_2_004D8670
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D0600	0_2_004D0600
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E46E0	0_2_004E46E0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D08B0	0_2_004D08B0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00468960	0_2_00468960
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00428910	0_2_00428910
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E49A0	0_2_004E49A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004B4A70	0_2_004B4A70
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00424AC0	0_2_00424AC0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00480AD0	0_2_00480AD0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E4B50	0_2_004E4B50
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D8F90	0_2_004D8F90
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E5050	0_2_004E5050
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004ED0D0	0_2_004ED0D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004950A0	0_2_004950A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004991F0	0_2_004991F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BD19C	0_2_004BD19C
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E9245	0_2_004E9245
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004913A0	0_2_004913A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004A1470	0_2_004A1470
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004F9434	0_2_004F9434
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004994D0	0_2_004994D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004ED4EB	0_2_004ED4EB
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E5640	0_2_004E5640
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004916D0	0_2_004916D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E5900	0_2_004E5900
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004F99C0	0_2_004F99C0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00489AC0	0_2_00489AC0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EDAD0	0_2_004EDAD0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048DAE0	0_2_0048DAE0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00485CF0	0_2_00485CF0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EDD90	0_2_004EDD90
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00499DA0	0_2_00499DA0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00515EC0	0_2_00515EC0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048DF20	0_2_0048DF20
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E6070	0_2_004E6070
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EA0C8	0_2_004EA0C8
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EE0B0	0_2_004EE0B0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EA1EC	0_2_004EA1EC
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048E210	0_2_0048E210
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004AE430	0_2_004AE430
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004FE560	0_2_004FE560
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EE510	0_2_004EE510
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EA670	0_2_004EA670
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004DE7D8	0_2_004DE7D8
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E6950	0_2_004E6950
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EA930	0_2_004EA930
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048E9F0	0_2_0048E9F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00492A70	0_2_00492A70
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EEA30	0_2_004EEA30
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00462AC0	0_2_00462AC0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EAAE0	0_2_004EAAE0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048EBB0	0_2_0048EBB0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EACE0	0_2_004EACE0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EECA0	0_2_004EECA0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EEE45	0_2_004EEE45
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E6E60	0_2_004E6E60
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004CAE30	0_2_004CAE30
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E7010	0_2_004E7010
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004CB0D0	0_2_004CB0D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D70F0	0_2_004D70F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048F0A0	0_2_0048F0A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EB182	0_2_004EB182
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EF200	0_2_004EF200
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E7210	0_2_004E7210
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00487380	0_2_00487380
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D73A0	0_2_004D73A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D7500	0_2_004D7500
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E7500	0_2_004E7500
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0049B590	0_2_0049B590
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00483630	0_2_00483630
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_005036B0	0_2_005036B0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004B7700	0_2_004B7700
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0048B7D0	0_2_0048B7D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EB7F0	0_2_004EB7F0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D77A0	0_2_004D77A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BF82A	0_2_004BF82A
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004AB820	0_2_004AB820
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D7940	0_2_004D7940
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00497910	0_2_00497910
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00503990	0_2_00503990
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004EBAB0	0_2_004EBAB0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004E7B00	0_2_004E7B00
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0046BB90	0_2_0046BB90
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004D7C10	0_2_004D7C10
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00523E4D	0_2_00523E4D
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0049FF20	0_2_0049FF20

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 0040E1F0 appears 69 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004CB2C0 appears 131 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004BDF70 appears 69 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004CB6A0 appears 156 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004BB47E appears 45 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004921B0 appears 39 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004BDE24 appears 38 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004E0060 appears 32 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 004BD0A0 appears 335 times
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: String function: 00492310 appears 81 times

Source: Google.Widevine.CDM.dll.3.dr

Static PE information: Number of sections : 12 > 10

Source: aspweb88.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: aspweb88.exe, type: SAMPLE	Matched rule: CN_Honker_Injection_transit date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file Injection_transit.exe, score = f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.aspweb88.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_Honker_Injection_transit date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file Injection_transit.exe, score = f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal80.evad.winEXE@23/19@5/5

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_00434820

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: OpenSCManagerA,CreateServiceA,GetModuleHandleA,GetProcAddress,StartServiceA,CloseServiceHandle,CloseServiceHandle,RegOpenKeyA,RegSetValueExA,RegCloseKey,WinExec,

0_2_0041E430

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_004CB880 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,Heap32ListFirst,Heap32First,Heap32Next,Heap32ListNext,Process32First,FreeLibrary,CloseHandle,FreeLibrary,

0_2_004CB880

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_004106A0 CoGetObjectContext,CoCreateInstance,

0_2_004106A0

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_00403210 FindResourceA,

0_2_00403210

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0041E430 OpenSCManagerA,CreateServiceA,GetModuleHandleA,GetProcAddress,StartServiceA,CloseServiceHandle,CloseServiceHandle,RegOpenKeyA,RegSetValueExA,RegCloseKey,WinExec,

0_2_0041E430

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0041ED80 StartServiceCtrlDispatcherA,

0_2_0041ED80

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspweb88.exe, aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table';

Source: aspweb88.exe

ReversingLabs: Detection: 50%

Source: aspweb88.exe	String found in binary or memory: -stop
Source: aspweb88.exe	String found in binary or memory: -install
Source: aspweb88.exe	String found in binary or memory: -start
Source: aspweb88.exe	String found in binary or memory: set-addPolicy
Source: aspweb88.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\aspweb88.exe

File read: C:\Users\user\Desktop\aspweb88.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aspweb88.exe "C:\Users\user\Desktop\aspweb88.exe"
Source: C:\Users\user\Desktop\aspweb88.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://127.0.0.1:88/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,16356890671198062281,12564807779130480005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\aspweb88.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://127.0.0.1:88/	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,16356890671198062281,12564807779130480005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source:	Binary string: d:\My Documents\Visual Studio Projects\NetBox2\NetBox2\Release\NetBox2.pdb source: aspweb88.exe, aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.3.dr
Source:	Binary string: d:\My Documents\Visual Studio Projects\NetBox2\NetBox2\Release\NetBox2.pdbt source: aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0046F030 GetSystemDefaultLangID,VerLanguageNameA,LoadLibraryA,GetProcAddress,GetProcAddress,NetWkstaGetInfo,FreeLibrary,FreeLibrary,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetWindowsDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetTimeZoneInformation,GetIpAddrTable,GetIpAddrTable,

0_2_0046F030

Source: initial sample

Static PE information: section where entry point is pointing to: data

Source: aspweb88.exe	Static PE information: section name: test
Source: Google.Widevine.CDM.dll.3.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.3.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.3.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.3.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.3.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BD0A0 push eax; ret	0_2_004BD0B4
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BD0A0 push eax; ret	0_2_004BD0DC
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BDE24 push eax; ret	0_2_004BDE42
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004BDFAB push ecx; ret	0_2_004BDFBB
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0045E280 push ecx; mov dword ptr [esp], 00000000h	0_2_0045E296
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004066F0 push ecx; mov dword ptr [esp], 00000000h	0_2_00406706
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0045F680 push ecx; mov dword ptr [esp], 00000000h	0_2_0045F696
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0045F7C0 push ecx; mov dword ptr [esp], 00000000h	0_2_0045F7D6

Source: aspweb88.exe

Static PE information: section name: data entropy: 7.923240590050918

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\LICENSE.txt

Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\aspweb88.exe	Window found: window name: progman			Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Window found: window name: progman			Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0041E430 OpenSCManagerA,CreateServiceA,GetModuleHandleA,GetProcAddress,StartServiceA,CloseServiceHandle,CloseServiceHandle,RegOpenKeyA,RegSetValueExA,RegCloseKey,WinExec,

0_2_0041E430

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004B9A9C IsIconic,GetWindowPlacement,GetWindowRect,		0_2_004B9A9C
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0044E370 IsWindow,IsIconic,		0_2_0044E370

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_004CB880

Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_004CB770 rdtsc

0_2_004CB770

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_004CB880

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0046D640 sidt fword ptr [esp-02h]

0_2_0046D640

Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

API coverage: 6.4 %

Source: C:\Users\user\Desktop\aspweb88.exe TID: 7640	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00520980 __EH_prolog,GetFullPathNameA,lstrcpyn,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,lstrcpy,	0_2_00520980
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0040B360 FindFirstFileA,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindNextFileA,FindClose,	0_2_0040B360
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0040C0D0 FindFirstFileA,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,FindNextFileA,FindClose,PathIsDirectoryA,RemoveDirectoryA,DeleteFileA,	0_2_0040C0D0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004609E0 FindFirstFileW,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,FindNextFileW,FindClose,	0_2_004609E0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0051DB26 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	0_2_0051DB26
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0045E380 FindFirstFileA,	0_2_0045E380
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_0045E7F0 SysFreeString,FindFirstFileW,SysFreeString,FindClose,FindFirstFileA,SysFreeString,FindClose,SysFreeString,	0_2_0045E7F0

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0046FB20 GetSystemInfo,GlobalMemoryStatus,

0_2_0046FB20

Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: aspweb88.exe, 00000000.00000002.3249298909.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000832000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\aspweb88.exe	API call chain: ExitProcess graph end node			graph_0-119409
Source: C:\Users\user\Desktop\aspweb88.exe	API call chain: ExitProcess graph end node			graph_0-120330

Source: C:\Users\user\Desktop\aspweb88.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_004CB770 rdtsc

0_2_004CB770

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_004CB880

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_0046F030

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_0044EFA0 GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,FlushInstructionCache,

0_2_0044EFA0

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00435800 WSAStartup,InterlockedExchange,InterlockedExchange,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,CoCreateInstance,CoCreateInstance,InterlockedExchange,CoInternetGetSession,CoCreateInstance,InterlockedExchange,GetCommandLineA,GetMessageA,SetEvent,TranslateMessage,DispatchMessageA,SetEvent,TranslateMessage,DispatchMessageA,GetMessageA,GetCommandLineA,WinExec,ExitProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,SetUnhandledExceptionFilter,InterlockedExchange,InterlockedExchange,	0_2_00435800
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004C291B SetUnhandledExceptionFilter,	0_2_004C291B
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_004C292F SetUnhandledExceptionFilter,	0_2_004C292F

Source: C:\Users\user\Desktop\aspweb88.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://127.0.0.1:88/

Jump to behavior

Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanom_
Source: aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: RprogmanRestart ServicePause ServiceStart ServiceOnServiceTimerOnServiceResumeOnServicePauseOnServiceStopOnServiceStartKERNEL32.DLLRegisterServiceProcessEventMessageFileSYSTEM\CurrentControlSet\Services\Eventlog\Application\ADVAPI32.DLLChangeServiceConfig2A -AutoRun -Dispatch "SOFTWARE\Microsoft\Windows\CurrentVersion\RunSOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-restart-stop-start-remove-installhRT
Source: aspweb88.exe, aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp, aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: progman
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanemA
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanlmZ
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanvmP
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmansmS
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progman}mi
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanXmF
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanbm\
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanimU
Source: aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanzmd

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: lstrcpy,LoadLibraryA,GetLocaleInfoA,	0_2_00528755
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_004016A0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: GetLocaleInfoA,	0_2_004C5D91

Source: C:\Users\user\Desktop\aspweb88.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_00430220 GetSystemTime,SystemTimeToFileTime,InterlockedDecrement,

0_2_00430220

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_0046F030

Source: C:\Users\user\Desktop\aspweb88.exe

0_2_0046F030

Source: C:\Users\user\Desktop\aspweb88.exe

Code function: 0_2_005287EA GetModuleHandleA,GetModuleHandleA,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetVersion,RegOpenKeyExA,RegQueryValueExA,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleHandleA,ConvertDefaultLocale,RegCloseKey,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleHandleA,ConvertDefaultLocale,

0_2_005287EA

Source: C:\Users\user\Desktop\aspweb88.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00421EB0 closesocket,socket,setsockopt,htons,bind,listen,		0_2_00421EB0
Source: C:\Users\user\Desktop\aspweb88.exe	Code function: 0_2_00472CC0 bind,		0_2_00472CC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	14 Windows Service	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	1 Browser Extensions	14 Windows Service	1 Software Packing	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	12 Process Injection	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	35 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
aspweb88.exe	50%	ReversingLabs	Win32.PUA.Presenoker
aspweb88.exe	100%	Avira	TR/AVI.Agent.cxicq
aspweb88.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://127.0.0.1:88/$F	0%	Avira URL Cloud	safe
http://127.0.0.1:88	0%	Avira URL Cloud	safe
http://www.netbox.cn	0%	Avira URL Cloud	safe
http://127.0.0.1:88/o	0%	Avira URL Cloud	safe
http://127.0.0.1:88/Gz_	0%	Avira URL Cloud	safe
http://127.0.0.1:88/n	0%	Avira URL Cloud	safe
http://127.0.0.1:88R	0%	Avira URL Cloud	safe
http://127.0.0.1:88/v	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.netbox.cn	39.100.111.248	true	false	unknown
www.google.com	216.58.206.36	true	false	high
198.187.3.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:88/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:88/$F	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/easylist)	LICENSE.txt.3.dr	false		high
http://127.0.0.1:	aspweb88.exe, 00000000.00000002.3250136792.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, aspweb88.exe, 00000000.00000003.1444785432.000000000277C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:88/o	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://creativecommons.org/.	LICENSE.txt.3.dr	false		high
http://127.0.0.1:88/n	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html....................	aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://127.0.0.1:88R	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netbox.cn	aspweb88.exe, chromecache_143.5.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:88/Gz_	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://easylist.to/)	LICENSE.txt.3.dr	false		high
http://127.0.0.1:88	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:88/v	aspweb88.exe, 00000000.00000002.3249298909.0000000000849000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	aspweb88.exe, aspweb88.exe, 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559305
Start date and time:	2024-11-20 12:18:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aspweb88.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@23/19@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 104 Number of non-executed functions: 231
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 142.250.184.206, 142.251.5.84, 34.104.35.123, 192.229.221.95, 142.250.185.195, 216.58.206.46
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: aspweb88.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	WSock.dll	Get hash	malicious	Ramnit	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	https://forms.office.com/e/sx5d94wMnA	Get hash	malicious	Unknown	Browse
	https://lmmoye.org/file/oL/xzw/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	https://orbistravelassistance.page/app/pages/login.php	Get hash	malicious	Unknown	Browse
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.netbox.cn	aspnet80.exe	Get hash	malicious	Unknown	Browse	39.100.111.248
	aspweb88.exe	Get hash	malicious	Unknown	Browse	39.100.111.248
	aspweb88.exe	Get hash	malicious	Unknown	Browse	39.100.111.248

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	LummaC	Browse	23.206.229.226
	Reminder.exe	Get hash	malicious	PureCrypter	Browse	23.206.229.226
	https://orbistravelassistance.page/app/pages/login.php	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://load.webdatahoster.com	Get hash	malicious	Unknown	Browse	23.206.229.226
	file.exe	Get hash	malicious	LummaC	Browse	23.206.229.226
	file.exe	Get hash	malicious	LummaC	Browse	23.206.229.226
	Employee-SSN.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	file.exe	Get hash	malicious	LummaC	Browse	23.206.229.226
	https://mkwomens.com/iuefoiuherjhkjf/iuyrijkfjkoifjoijreiwiw/e9c4710345f07b1cf048900d092f8cdc/YW5nZWxhLnN1bW1lcnNieUBhc2h1cnN0LmNvbQ==	Get hash	malicious	Unknown	Browse	23.206.229.226
	file.exe	Get hash	malicious	LummaC	Browse	23.206.229.226
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	LummaC	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	https://forms.office.com/e/sx5d94wMnA	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	https://lmmoye.org/file/oL/xzw/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	740d3a.msi	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50
	740d3a.msi	Get hash	malicious	PureCrypter	Browse	4.245.163.56 184.28.90.27 20.3.187.198 20.12.23.50

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse
	217469812STM.pdf	Get hash	malicious	ScreenConnect Tool, Phisher	Browse
	NW_EmployerNewsletter_11142024_pdf.html	Get hash	malicious	Unknown	Browse
	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse
	11sds_Invoice_9334749.html	Get hash	malicious	WinSearchAbuse	Browse
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse
	Must-School-Districts-In-California-Offer-Free-Healthcare-For-Employees.exe	Get hash	malicious	Unknown	Browse
	E7X-XIZ5.eml	Get hash	malicious	Unknown	Browse
	Eversheds-sutherland-INV39212-3_230470352.doc	Get hash	malicious	Unknown	Browse
	THE COSTS INCURRED PENDING (1).pdf	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 10:19:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.971451794170073
Encrypted:	false
SSDEEP:	48:8Xc0dfTXnrHridAKZdA1oehwiZUklqehoxy+3:8sQT4zy
MD5:	D4CDA0D691CD415C991482B82E2BB918
SHA1:	FBC4FB19283C9ED232667E9BA58013B3CF8D3E66
SHA-256:	717FC7F72514A3916B44E982D193E797721005D3F2D77B3472987167DAAFE194
SHA-512:	F588CE2E79556807EE4D20D44AE3C7B7CD49A0AB7AFC3A1D5492CA7D8DF3BBF70B2F068A4B4293D4CF04B75B995DBFEE226D5A96221DA59ADBCF01901D295A20
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........>;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtYcZ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 10:19:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9843443485927406
Encrypted:	false
SSDEEP:	48:8+0dfTXnrHridAKZdA1leh/iZUkAQkqehZxy+2:8+QTy9QCy
MD5:	168CE92A7075DE1C45A596629C9F2058
SHA1:	2187CD18B57A54FAAFA410554DF8D5648BE62610
SHA-256:	2DA48F176732C4FFCE5F00915276F12932A63D1EC0D7906E281283728BF216D6
SHA-512:	7833B4B738BFA635105C32ED8C16885C49C511101EC3AC3970C3EB11A3AC8D22520917758AA3222635F06C3A8DBD41FD85DC83F16E01BE02080E7C141CBE1273
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....0...>;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtYcZ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:00:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	3.999357895772621
Encrypted:	false
SSDEEP:	48:8+0dfTXnbHridAKZdA14t5eh7sFiZUkmgqeh7sXxy+BX:8+QT6n3y
MD5:	C7380427BB5560FC1E75A88DCC9C949F
SHA1:	3DD7AA71581DCF6CA8BB512B8A7FCB4143321CD3
SHA-256:	99CFA0F79A12E0B86525725D6ED89BE71B4CB231327C9B2CF3CCA53FC23293B9
SHA-512:	1F2D3B4F083E3DD55F9DE0C85FB23193BC9C09A5512E453C9B468166A9158C33331E8F835804279DA9D36A85561AE83DB909EDC5A6F5B51BDEAE89914ED94E2C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....C..b...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VEW.@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 10:19:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9850224493238353
Encrypted:	false
SSDEEP:	48:8d0dfTXnrHridAKZdA16ehDiZUkwqehdxy+R:8dQTppy
MD5:	CE2ED458E66834048571473663079364
SHA1:	93D301F82CB43772944FF499DCFFBF7C00FC6BE5
SHA-256:	7DBDB107DF24D2E1C1CC48FE0B72CA43F94A6B0A93CDB7DFAE48A1C76BCAEDB0
SHA-512:	1CF60B52F91EA227C0080ECAFF5EDE8D3B0A5EFC1BBD4BB900C72CDEB806F1756FF72664E2D8FB39D1D35FFE30D88D84D7A17B4C88D43733B60002073F3F5016
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........>;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtYcZ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 10:19:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.973267730312063
Encrypted:	false
SSDEEP:	48:8r0dfTXnrHridAKZdA1UehBiZUk1W1qehTxy+C:8rQT59ly
MD5:	9EDC5993F13D5F3ECC4AE7732CFB899E
SHA1:	ED6BBC04700B915A2383333843B1A013416B7EA8
SHA-256:	E2595F11718253709B25FC3AA72507E530C9F5D134B7DF79414A3F6CBE6D75B0
SHA-512:	8D849B718240BA002747A08CF12C688952436A8A39DB03DDB7CE50E71B610B822482FD0258B6601E9856735C146A9905D12D725AD96CA03AB636E9686DD46735
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........>;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtYcZ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 10:19:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.983993589214819
Encrypted:	false
SSDEEP:	48:8H0dfTXnrHridAKZdA1duTrehOuTbbiZUk5OjqehOuTblxy+yT+:8HQTmTYTbxWOvTb3y7T
MD5:	FB67879173225CB1E8486F5577F1A73C
SHA1:	32C96A20817963165E36A557C3628EAC3E6701BB
SHA-256:	8DD50C312EDDE5F2C72F603E68B335A942D49FEC3ABE166AC091A5FA47AE06C0
SHA-512:	D5DD9CD814357A15EAA7E01EA3E4F03E3BF99C60AC5489DB726F263B7D964D83B771AFB3A4E3B66852ED4A78E6C7D9F6E91E48BF8E87B5D616A6B6EC39EF9313
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......>;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ItYaZ....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtYaZ....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtYaZ....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtYaZ..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtYcZ...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\Filtering Rules

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	74598
Entropy (8bit):	5.5368864380577545
Encrypted:	false
SSDEEP:	1536:7geXUzNNSGg1dSkNp+z55w4kgNmmO6I7kWvQFlGlHUvkS6xt/GL95vkdwz:sDRNfgr9NpK5wl+1O6IoWQFlGlHLS6xQ
MD5:	C6AF15DA82A8A9172FC9CAFC969DE4F9
SHA1:	81F477E181036D551EF6F09CB875C6B280BEBE00
SHA-256:	782009D9765C6104A1B4D1EAC553834E7E399D749A082EAD42BB47ABB42895B5
SHA-512:	F541CB1703A0BD31FCB6E293ACBC6E20F73B365FF8D2270A6D44780E9D5731B8D7803AECACD49D73E0DA065DD1026C9FA95F9CAD2BF0776CE1E2C3C9FCA052C6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.just-news.pro^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.thubanoa.com^..........0.8.@.R.abh.jp^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^..........0.8.@.R..ar/ads/.,........0.8.@.R.mysmth.net/nForum//ADAgent_.>...........worldstar.com0.8.@.R.js.assemblyexchange.com/wana..(........0.8.@.R.ogads-pa.googleapis.com^..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./banner.cgi?..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^..........0.8.@.R./300-250-.2........0.8.@.R"cloud

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\LICENSE.txt

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24623
Entropy (8bit):	4.588307081140814
Encrypted:	false
SSDEEP:	384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
MD5:	D33AAA5246E1CE0A94FA15BA0C407AE2
SHA1:	11D197ACB61361657D638154A9416DC3249EC9FB
SHA-256:	1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
SHA-512:	98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
Malicious:	false
Preview:	EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1529
Entropy (8bit):	5.97509175092227
Encrypted:	false
SSDEEP:	24:pZRj/flTHY4NukYbKcFjeT3U8zkaoX+UqiF46u9ILn9oXUMzniumZ39TzIS/Xre:p/h44SbKcETEwkakBa6F9kUpumZR/Xi
MD5:	951BA6192A41622EC0E04174E1EFA31C
SHA1:	2C63243A5589671BF649FA049542308D3D7EB40E
SHA-256:	EA426C8FDAFABF1B3162C206175A17100613C85A0C30DDCDC0A3434232B69D59
SHA-512:	F9C612AA2848C01C2A3294378E6707AE92638FC5EF4C6C911D400AA981418AEF0334DBFAB1D954E0666ECDD5AB8B1506354D9C6DCF6D3D1459FAC2AD06F9E23E
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJ1VkRrWHp2UWlFeHdiRGtPWHNQdWtuXzI3ZGdIbGhPdDRQeENEZ0JnUXhRIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IlhiOTU4SjJabnFtQzJRMzBYclJFNl9acURIQU9VZFRKaFdyNzV6SnVuV2sifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuNTIuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"534ZoaSA4vZpcy0b1OYq4wgLlduJCzBpUCZnNXyx3UoH1ihy6uYapK85BVjJa1ptpN9OiT86GN1r8DNZlX69tLTIyTb7lSKoX31Sef3uvZpSLJBlIGI1173pGoj52Eu77I4DraCiKTVQ4mtVLBee579FqGijozIApfrepXVZeIes4wac06yB06DuFkdEg_jnCv3xR2twcNzidsDVTw7W-VOezjdZgjousBDON_Pumwd7_4ze5

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.8945408555413215
Encrypted:	false
SSDEEP:	3:SjWMQ0GiUVfkCzNMEkDRApvTD:SjWR/3tkNApvTD
MD5:	87190EF44A670A5418E7E6B26DA5CF02
SHA1:	7F24A0F6E188CA285526C968359D5DEEB0CA3F1C
SHA-256:	B9C7B754CFFECA3981CA26BCFEC1FA9988070C8657AE9DA3CA2EA7944E16AB00
SHA-512:	2980EBB51CCEE91B7F887A49D495BA9E3F4D0274AA6D4D0A3E8E4D3E3661815FB825C6D44DAFA34285E3625F979084FFAD5D54E8AE0B9E12ABFEF5C2F71E568C
Malicious:	false
Preview:	1.b48b30af5ce18c96128bfff9d2755c7932a1f32adc66f68322f7dd505db9626f

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.547350270682037
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1HVgn:F6VlMZWuMt5SKPS16n
MD5:	3EE731D0E5BFB74CACB3D9E2DFDC7768
SHA1:	EE15CB60213BB402FD90308F0F67D7B6160C9751
SHA-256:	5DBF79F09D999EA982D90DF45EB444EBF66A0C700E51D4C9856AFBE7326E9D69
SHA-512:	F38E3FEDD392F9B273565CBE321A56051EDAF48DB75A0EBB539D57E8D1238D4BAC41E973F037395F9C5D4A189DF5E68726ED2C000134FC36BB7E7295C9A779C1
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.52.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2877728
Entropy (8bit):	6.868480682648069
Encrypted:	false
SSDEEP:	49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
MD5:	477C17B6448695110B4D227664AA3C48
SHA1:	949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
SHA-256:	CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
SHA-512:	1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: 217469812STM.pdf, Detection: malicious, Browse Filename: NW_EmployerNewsletter_11142024_pdf.html, Detection: malicious, Browse Filename: Benefits_Update_2024.pdf, Detection: malicious, Browse Filename: 11sds_Invoice_9334749.html, Detection: malicious, Browse Filename: Request_for_Title_Commitment.html, Detection: malicious, Browse Filename: Must-School-Districts-In-California-Offer-Free-Healthcare-For-Employees.exe, Detection: malicious, Browse Filename: E7X-XIZ5.eml, Detection: malicious, Browse Filename: Eversheds-sutherland-INV39212-3_230470352.doc, Detection: malicious, Browse Filename: THE COSTS INCURRED PENDING (1).pdf, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V......V......`,......`+..p....+. )...p,......D.8....................C.(.....(.8...........p\..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l......&.................@....pdata...p...`+..r.................@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1778
Entropy (8bit):	6.02086725086136
Encrypted:	false
SSDEEP:	48:p/hCdQAdJjRkakCi0LXjX9mqjW6JmfQkNWQzXXf2gTs:RtQ1aaxXrjW6JuQEWQKas
MD5:	3E839BA4DA1FFCE29A543C5756A19BDF
SHA1:	D8D84AC06C3BA27CCEF221C6F188042B741D2B91
SHA-256:	43DAA4139D3ED90F4B4635BD4D32346EB8E8528D0D5332052FCDA8F7860DB729
SHA-512:	19B085A9CFEC4D6F1B87CC6BBEEB6578F9CBA014704D05C9114CFB0A33B2E7729AC67499048CB33823C884517CBBDC24AA0748A9BB65E9C67714E6116365F1AB
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJHb29nbGUuV2lkZXZpbmUuQ0RNLmRsbCIsInJvb3RfaGFzaCI6Im9ZZjVLQ2Z1ai1MYmdLYkQyWFdBS1E5Nkp1bTR1Q2dCZTRVeEpGSExSNWMifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYk01YTJOU1d2RkY1LW9Tdml2eFdqdXVwZ05pblVGakdPQXRrLTBJcGpDZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5laWZhb2luZGdnZmNqaWNmZmtncG1ubHBwZWZmYWJkIiwiaXRlbV92ZXJzaW9uIjoiMS4wLjI3MzguMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KTPeHzS0ybFaz3_br3ASYWHjb6Ctul92067u2JMwtNYYm-4KxLiSkJZNBIzhm6hNSEW2p5kUEvHD0TjhhFGCZnWm9titj2bqJayCOAGxZb5BO74JJCRfy5Kwr1KSS4nvocsZepnHBmCiG2OV3by-Lyf1h1uU3X3bDfD92O0vJzrA8rwL2LrwIk-BolLo5nlM0I_MZwg8DhZ8SFBu9GGRVB2XrailDrv4SgupFE9gqA1HY6kjRjoyoAHbRRxZdBNNt9IKNdxNyaF9NcNRY8dAedNQ9Tw3YNp5jB7R9lcjO4knn58RdH2h_GiJ4l96StcXA4e7cqbJ77P-c

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.974403644129192
Encrypted:	false
SSDEEP:	3:SLVV8T+WSq2ykFDJp9qBn:SLVqZS5p0B
MD5:	D30A5BBC00F7334EEDE0795D147B2E80
SHA1:	78F3A6995856854CAD0C524884F74E182F9C3C57
SHA-256:	A08C1BC41DE319392676C7389048D8B1C7424C4B74D2F6466BCF5732B8D86642
SHA-512:	DACF60E959C10A3499D55DC594454858343BF6A309F22D73BDEE86B676D8D0CED10E86AC95ECD78E745E8805237121A25830301680BD12BFC7122A82A885FF4B
Malicious:	false
Preview:	1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.595307058143632
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFooG+HhFFKS18CWjhXLXGPQ3TRpvF/FHddTcplFHddTcVYA:F6VlM5PpKS18hRIA
MD5:	BBC03E9C7C5944E62EFC9C660B7BD2B6
SHA1:	83F161E3F49B64553709994B048D9F597CDE3DC6
SHA-256:	6CCE5AD8D496BC5179FA84AF8AFC568EEBA980D8A75058C6380B64FB42298C28
SHA-512:	FB80F091468A299B5209ACC30EDAF2001D081C22C3B30AAD422CBE6FEA7E5FE36A67A8E000D5DD03A30C60C30391C85FA31F3931E804C351AB0A71E9A978CC0F
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "windows-mf-cdm",. "version": "1.0.2738.0",. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].}

Chrome Cache Entry: 143

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	212
Entropy (8bit):	4.952478520936182
Encrypted:	false
SSDEEP:	6:qzxUk8rFjJRHXifrFjJtjPDxic40h1A+zLGNbjRUakz:kxR8rFjJRHGrFjJtjPVcnxjRU9
MD5:	B9CD30ACA2DA7850559780C075DB54F2
SHA1:	FF62DC3B5E6EC319996D794F5A783F19FBB8ADDD
SHA-256:	FAC673DB094068885942BBEB24A342A38F2F02998D709D4FEAF2A9BDB740E26E
SHA-512:	C4995A9F8AEF735ED0A1596506327C834E3AA8828625BB5F299163B566026C17EFEBA0171803E5C0C749DCEB7378324D3624DC3AC714F3442CD9E1198BAEBBE3
Malicious:	false
URL:	http://127.0.0.1:88/favicon.ico
Preview:	<html><head><title>404 File Not Found</title></head>..<body><h1>404 File Not Found</h1><hr>..<small>Host by <a href="http://www.netbox.cn" target="_blank">NetBox Version 2.8 Build 4128</a></small>..</body></html>

Chrome Cache Entry: 144

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, original size modulo 2^32 1043441
Category:	downloaded
Size (bytes):	682
Entropy (8bit):	7.717000801271559
Encrypted:	false
SSDEEP:	12:XyfuHwwHsCERmmcS2Wif3qe8/dDrqpSCeptdONxq3xA+K37Hn5xsuiojl:XyQ4RmmcVf3qvdD+paMNxqW+67HnrioZ
MD5:	1221E3BC38C7DF1E77968AAAEE0215A6
SHA1:	FE46880B560183C65723C240A9D99CE00AE6C7B0
SHA-256:	6AD32066928A5D3131767CF117C1D5ED30A648E629025D7A3EE99D552B56C777
SHA-512:	D0E0959E8E83B9A50313C06B7A66217B52B00DD9C80AE8ECE30B3BF27E99B207F714EE1A2C6CE60B8B27B01D917B1271C7ADF7CE55FEB8FA90027E36E92191B4
Malicious:	false
URL:	http://127.0.0.1:88/
Preview:	............[o.@....M.?L....ZJ.A..9...f..Vw..e#...8...f3...~../3#..&M...ob.-.T.;...<..VdQ.:.~...?.........T........u.......H..<.n..a.=...@L..>v.c#..f..lG.Ad...Wuw.+.=..z.MU7~.<_U..^CS5^........P..'cl;3.Q.84T'.fN=U.'..CC.....u-.#.CC..+../b....M.X.+...,.^CC.W.x.<MM.^qh.:.B.tk.g...j.{a .kW......w........W......^r.O.j8d.2.H_..7.xN..2Y....y.{.....#.S#.l....U,..`Q.Dn....[ejV.Cm.*K=f.]5.d.f.E..-.......-......~..B.0../i.d._.....GCv.5.\|k.z$s..y....[f.pa......._w.s...u\+P.x..t\+.....dn.E.Q+P.xw..D...\|^.d.g.x){~....Ffj.UU.m.y..%35....j s.,Z...5......V..C9.-...2md.f..5.F.!..%3bE.>.\.x..I.I..X...v6E..X.t:1..X.K.e..ErxK...U....I.e_.(=......!P~o.5......."........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.912821299212005
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aspweb88.exe
File size:	649'379 bytes
MD5:	8ae129a3f1e337c110ce61578a61e48c
SHA1:	c8d1561e246de145755ca3958b969dc2691ba64c
SHA256:	14171cd5c9cf431e852aac991007c403b0d667b7b58750a1855d09bfd7dcee96
SHA512:	485b6bd9dd3a0aeeb987f3099166dc8456044d67e12592c5255c50c597f84ab28afeb0f1ba37b661a63f5e398b3ba06935055d0a11d007664577554f744210aa
SSDEEP:	12288:JJFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOT6S:fFZqhOBnVyK23C6OoYMLiVcKtVx4MiuS
TLSH:	33D4237A09A4DA02E0128979748BCD8F79E4283A45E97DB7B9099C8FF5FD1DC8D34087
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~....,vB)^.n......k...k...k...k...k...k...k...k...k...k...k;..k...k...k...k...k...k5..k...k...k...k...kRich...k...............

File Icon


Icon Hash:	260606666666e414

Static PE Info

General

Entrypoint:	0x594310
Entrypoint Section:	data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x41AE04F0 [Wed Dec 1 17:52:48 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f800ac67f4f1bcfe8c9c4579de16b1a1

Entrypoint Preview

Instruction
pushad
mov esi, 004F8000h
lea edi, dword ptr [esi-000F7000h]
mov dword ptr [edi+00189894h], 4FB81B6Bh
push edi
or ebp, FFFFFFFFh
jmp 00007FBB65365760h
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBB6536573Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FBB6536575Dh
jne 00007FBB6536577Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBB65365771h
dec eax
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FBB65365726h
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FBB653657A4h
xor ecx, ecx
sub eax, 03h
jc 00007FBB65365763h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FBB653657C7h
sar eax, 1
mov ebp, eax
jmp 00007FBB6536575Dh
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBB6536571Eh
inc ecx
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBB65365710h
add ebx, ebx
jne 00007FBB65365759h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FBB65365741h
jne 00007FBB6536575Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FBB65365736h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1967d0	0x19c	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x195000	0x17d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x194498	0x18	data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x16eac8	0x180	data
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
test	0x1000	0xf7000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
data	0xf8000	0x9d000	0x9c600	f4801fcadfcef5ee120347d6600c367a	False	0.9859581085131894	data	7.923240590050918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x195000	0x2000	0x1a00	e651f8b3b7abdf30b8fa0077066cb417	False	0.23587740384615385	data	3.665268733063979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x195288	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.3344594594594595
RT_ICON	0x1953b4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16129032258064516
RT_ICON	0x1956a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152, 16 important colors	English	United States	0.09878048780487805
RT_ICON	0x195d0c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.3344594594594595
RT_ICON	0x195e38	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.16263440860215053
RT_MESSAGETABLE	0x196124	0xdc	data	English	United States	0.38181818181818183
RT_GROUP_ICON	0x196204	0x30	data	English	United States	0.9166666666666666
RT_GROUP_ICON	0x196238	0x22	data	English	United States	1.0294117647058822
RT_VERSION	0x196260	0x2b4	data	English	United States	0.5187861271676301
RT_MANIFEST	0x196518	0x2b8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47270114942528735

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll	RegEnumKeyA
comdlg32.dll	GetFileTitleA
GDI32.dll	Escape
ole32.dll	CoCreateGuid
OLEAUT32.dll	SysStringByteLen
USER32.dll	GetDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 12:18:52.965822935 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:52.967951059 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:52.968100071 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:52.968157053 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:52.969903946 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:52.969942093 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:52.978645086 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.039917946 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.042280912 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.050488949 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.050573111 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.052360058 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.061002016 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.063399076 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.065085888 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.067332029 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.067388058 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.067481995 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.067528963 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.069391966 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.069492102 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.077428102 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.153821945 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.155855894 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.160027027 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.161750078 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.170157909 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.170214891 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.171963930 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.173274994 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.173330069 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.173494101 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.173542976 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.175457954 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.175551891 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.180368900 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.225315094 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.260948896 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.263076067 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.266732931 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.268481970 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.269828081 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.269840002 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.269897938 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.271594048 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.276122093 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.276196957 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.276232004 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.276274920 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.278340101 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.278446913 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.283209085 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.330962896 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.361936092 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.363837004 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.369333982 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.369399071 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.369479895 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.369533062 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.371392012 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.371483088 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.372148991 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.377351999 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.377403975 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.377480030 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.377526045 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.379339933 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.379409075 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.379463911 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.387639999 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.465854883 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.467552900 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.473278046 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.473526955 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.473572016 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.475863934 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.476247072 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.479434013 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.479490042 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.479583979 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.479628086 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.481159925 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.481255054 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.482697010 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.487540960 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.570417881 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.572403908 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.581536055 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.583297014 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.584774971 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.584826946 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.584930897 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.584976912 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.585108042 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.586910963 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.586971998 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.591747046 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.638988018 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.665834904 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.667711020 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.670701981 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.672465086 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.675935984 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.680516958 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.680613995 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.680660963 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.682365894 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.688117027 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.688169956 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.688216925 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.688261032 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.688286066 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.688323021 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.688545942 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.688591957 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.690078020 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.690258980 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.696600914 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.738981009 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.771989107 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.772286892 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.772295952 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.772464991 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.774585962 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.779376030 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.779427052 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.779521942 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.779572010 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.781183004 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.782350063 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.788062096 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.789666891 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.792124033 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.792170048 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.792242050 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.792288065 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.794855118 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.794987917 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.799666882 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.846008062 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.874784946 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.877077103 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.880510092 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.881913900 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.882463932 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.887298107 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.893444061 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.893584967 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:53.893634081 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:53.982245922 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:54.026314020 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:54.038345098 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:54.038434982 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:18:54.038497925 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:18:54.635643959 CET	49676	443	192.168.2.8	52.182.143.211
Nov 20, 2024 12:18:54.745008945 CET	49673	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:18:55.120137930 CET	49672	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:18:55.901272058 CET	49671	443	192.168.2.8	204.79.197.203
Nov 20, 2024 12:18:56.245203018 CET	49677	80	192.168.2.8	192.229.211.108
Nov 20, 2024 12:19:04.345819950 CET	49673	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:04.392697096 CET	49676	443	192.168.2.8	52.182.143.211
Nov 20, 2024 12:19:04.833571911 CET	49672	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:06.446727037 CET	443	49704	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:06.446801901 CET	49704	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:06.884090900 CET	49677	80	192.168.2.8	192.229.211.108
Nov 20, 2024 12:19:06.922142029 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:06.922183037 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:06.922256947 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:06.922682047 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:06.922693014 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.298959970 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:07.298991919 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:07.299062014 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:07.301225901 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:07.301250935 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:07.558104992 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.561197042 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:07.561283112 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.562171936 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.562247992 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:07.583471060 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:07.583564997 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.628669977 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:07.628710985 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:07.675523996 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:08.123445988 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.124006033 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.130695105 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.130717993 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.131036997 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.183259010 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.227332115 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.618577003 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.618664980 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.620054960 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.652630091 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.652630091 CET	49716	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:08.652662039 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:08.652673006 CET	443	49716	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.094861984 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.094929934 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.095014095 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.095599890 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.095621109 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.811887026 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.811997890 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.813725948 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.813749075 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.814773083 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:09.816247940 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:09.859337091 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:10.148101091 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:10.148211002 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:10.148418903 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:10.150780916 CET	49717	443	192.168.2.8	184.28.90.27
Nov 20, 2024 12:19:10.150810957 CET	443	49717	184.28.90.27	192.168.2.8
Nov 20, 2024 12:19:14.796550989 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:14.796677113 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:14.796868086 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:14.798507929 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:14.798552990 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.408230066 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.408338070 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.410922050 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.410950899 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.411298990 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.463332891 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.482985020 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.527324915 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681252003 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681292057 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681303978 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681332111 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681349993 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681364059 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681406975 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.681456089 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.681474924 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.681503057 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.682998896 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.683108091 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.683115959 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.683269024 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.683458090 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.704699039 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.704734087 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:15.704751015 CET	49718	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:15.704757929 CET	443	49718	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:16.366163969 CET	49704	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:16.366539955 CET	49704	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:16.371475935 CET	443	49704	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:16.372550964 CET	443	49704	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:16.390885115 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:16.390916109 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:16.391024113 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:16.418987989 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:16.419007063 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.022053957 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.022142887 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.041264057 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.041284084 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.041810989 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.041868925 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.042763948 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.042787075 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.043297052 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.087343931 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.315171003 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.315238953 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.315252066 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.315289021 CET	443	49720	23.206.229.226	192.168.2.8
Nov 20, 2024 12:19:17.315296888 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.315327883 CET	49720	443	192.168.2.8	23.206.229.226
Nov 20, 2024 12:19:17.463745117 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:17.463815928 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:17.463984013 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:19.176662922 CET	49715	443	192.168.2.8	216.58.206.36
Nov 20, 2024 12:19:19.176695108 CET	443	49715	216.58.206.36	192.168.2.8
Nov 20, 2024 12:19:29.045249939 CET	51896	53	192.168.2.8	162.159.36.2
Nov 20, 2024 12:19:29.050136089 CET	53	51896	162.159.36.2	192.168.2.8
Nov 20, 2024 12:19:29.050225019 CET	51896	53	192.168.2.8	162.159.36.2
Nov 20, 2024 12:19:29.055553913 CET	53	51896	162.159.36.2	192.168.2.8
Nov 20, 2024 12:19:29.499160051 CET	51896	53	192.168.2.8	162.159.36.2
Nov 20, 2024 12:19:29.506627083 CET	53	51896	162.159.36.2	192.168.2.8
Nov 20, 2024 12:19:29.506675959 CET	51896	53	192.168.2.8	162.159.36.2
Nov 20, 2024 12:19:29.518728018 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:29.518774986 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:29.518852949 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:29.519220114 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:29.519239902 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.335886002 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.335995913 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.337625027 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.337637901 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.337873936 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.339003086 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.383328915 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.581053019 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.581129074 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.581417084 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.581456900 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.581475019 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.581475019 CET	51897	443	192.168.2.8	20.3.187.198
Nov 20, 2024 12:19:30.581485033 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.581495047 CET	443	51897	20.3.187.198	192.168.2.8
Nov 20, 2024 12:19:30.606839895 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:30.606940985 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:30.607038975 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:30.607291937 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:30.607335091 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.220693111 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.220809937 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.222244024 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.222275972 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.222703934 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.223864079 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.271327019 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.335100889 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.335192919 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.335278988 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.336406946 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.336457014 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:31.336484909 CET	51898	443	192.168.2.8	20.12.23.50
Nov 20, 2024 12:19:31.336500883 CET	443	51898	20.12.23.50	192.168.2.8
Nov 20, 2024 12:19:32.414810896 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:32.414851904 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:32.414932966 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:32.415436983 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:32.415448904 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.209923983 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.210028887 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.211795092 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.211812973 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.212167025 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.213541985 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.255335093 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.540847063 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.540879965 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.540899992 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.541062117 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.541085958 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.541186094 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.542571068 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.542660952 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.542663097 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.542716026 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.544528008 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.544540882 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.544558048 CET	51899	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.544563055 CET	443	51899	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.710345030 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.710418940 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:33.710530996 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.711091995 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:33.711111069 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.474312067 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.474478006 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.476351023 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.476381063 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.476610899 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.477871895 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.523336887 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.798614979 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.798640966 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.798656940 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.798712015 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.798743010 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.798763037 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.798793077 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.801743984 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.801794052 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.801825047 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.801840067 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.801855087 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.801860094 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.801903963 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.801966906 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.801983118 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:34.801992893 CET	51900	443	192.168.2.8	4.245.163.56
Nov 20, 2024 12:19:34.802000046 CET	443	51900	4.245.163.56	192.168.2.8
Nov 20, 2024 12:19:44.371881962 CET	63744	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:44.377187967 CET	53	63744	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:44.377280951 CET	63744	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:44.377319098 CET	63744	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:44.383373022 CET	53	63744	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:44.832915068 CET	53	63744	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:44.833288908 CET	63744	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:44.841610909 CET	53	63744	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:44.841689110 CET	63744	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:45.283756018 CET	49703	80	192.168.2.8	93.184.221.240
Nov 20, 2024 12:19:45.288954020 CET	80	49703	93.184.221.240	192.168.2.8
Nov 20, 2024 12:19:45.289000988 CET	49703	80	192.168.2.8	93.184.221.240
Nov 20, 2024 12:20:07.053915024 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:07.053972960 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.054095030 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:07.054342985 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:07.054358006 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.692774057 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.693073988 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:07.693120956 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.694376945 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.694669008 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:07.694854975 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:07.751506090 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:17.602427006 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:17.602509975 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:17.602570057 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:19.177315950 CET	63748	443	192.168.2.8	142.250.184.196
Nov 20, 2024 12:20:19.177359104 CET	443	63748	142.250.184.196	192.168.2.8
Nov 20, 2024 12:20:24.014074087 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:20:24.014177084 CET	443	49705	13.107.246.45	192.168.2.8
Nov 20, 2024 12:20:24.014254093 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:20:24.015088081 CET	49705	443	192.168.2.8	13.107.246.45
Nov 20, 2024 12:20:24.022783995 CET	443	49705	13.107.246.45	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 12:19:02.243910074 CET	53	59871	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:02.258728981 CET	53	63417	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:03.361955881 CET	53	62240	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:06.911533117 CET	52757	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:06.911741972 CET	49992	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:06.920808077 CET	53	52757	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:06.921097994 CET	53	49992	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:20.451353073 CET	53	58928	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:29.044632912 CET	53	50436	162.159.36.2	192.168.2.8
Nov 20, 2024 12:19:29.505569935 CET	50990	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:19:29.515862942 CET	53	50990	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:44.371413946 CET	53	58176	1.1.1.1	192.168.2.8
Nov 20, 2024 12:19:45.063811064 CET	138	138	192.168.2.8	192.168.2.255
Nov 20, 2024 12:20:06.972799063 CET	64064	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:20:07.052382946 CET	53	64064	1.1.1.1	192.168.2.8
Nov 20, 2024 12:21:32.008244038 CET	63939	53	192.168.2.8	1.1.1.1
Nov 20, 2024 12:21:32.514856100 CET	53	63939	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 12:19:06.911533117 CET	192.168.2.8	1.1.1.1	0xa2ef	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:19:06.911741972 CET	192.168.2.8	1.1.1.1	0xe0a3	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 20, 2024 12:19:29.505569935 CET	192.168.2.8	1.1.1.1	0xb6a2	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 20, 2024 12:20:06.972799063 CET	192.168.2.8	1.1.1.1	0xbcec	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:21:32.008244038 CET	192.168.2.8	1.1.1.1	0x851	Standard query (0)	www.netbox.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 12:19:06.920808077 CET	1.1.1.1	192.168.2.8	0xa2ef	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:19:06.921097994 CET	1.1.1.1	192.168.2.8	0xe0a3	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 20, 2024 12:19:29.515862942 CET	1.1.1.1	192.168.2.8	0xb6a2	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 20, 2024 12:20:07.052382946 CET	1.1.1.1	192.168.2.8	0xbcec	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:21:32.514856100 CET	1.1.1.1	192.168.2.8	0x851	No error (0)	www.netbox.cn		39.100.111.248	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

https:

www.bing.com

fe3cr.delivery.mp.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49716	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:08 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-11-20 11:19:08 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=19623 Date: Wed, 20 Nov 2024 11:19:08 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:09 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-11-20 11:19:10 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=19569 Date: Wed, 20 Nov 2024 11:19:10 GMT Content-Length: 55 Connection: close X-CID: 2
2024-11-20 11:19:10 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49718	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-20 11:19:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 2a318b31-1a3a-48e1-a605-585c2a7bd8ae MS-RequestId: a81108aa-77bd-494d-bbc8-35fa5ffe62ac MS-CV: XjSOKOe4sE6Xvz4Z.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 20 Nov 2024 11:19:14 GMT Connection: close Content-Length: 24490
2024-11-20 11:19:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-11-20 11:19:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.8	49720	23.206.229.226	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:17 UTC	2083	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A4109008217 X-BM-CBT: 1696494873 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: 229C124F14F843F693B4EF574DFCAAAB X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A4109008217 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40 X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 516 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=7A0479E0E07C4D7D91A8C7552F34E6D4&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&LUT=1696493908190&IPMH=7bc3b11d&IPMID=1696494873321&HV=1696494765; MUID=4E6D5F19647E45969740B90CC0355D4C; _SS=SID=1F4D6C7F4B26664337657FDE4A3767CB&CPID=1696494874312&AC=1&CPH=893a1c21; _EDGE_S=SID=1F4D6C7F4B26664337657FDE4A3767CB
2024-11-20 11:19:17 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-11-20 11:19:17 UTC	515	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 34 45 36 44 35 46 31 39 36 34 37 45 34 35 39 36 39 37 34 30 42 39 30 43 43 30 33 35 35 44 34 43 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 30 36 38 37 30 43 30 39 41 31 46 37 34 43 39 43 42 33 41 42 46 30 34 30 46 43 39 46 30 41 37 38 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>4E6D5F19647E45969740B90CC0355D4C</CID><Events><E><T>Event.ClientInst</T><IG>06870C09A1F74C9CB3ABF040FC9F0A78</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-11-20 11:19:17 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 267CA03D128D419D9BD36A04B43D4440 Ref B: LAX311000115019 Ref C: 2024-11-20T11:19:17Z Date: Wed, 20 Nov 2024 11:19:17 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.d4d7ce17.1732101557.3f336f06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	51897	20.3.187.198	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:30 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-11-20 11:19:30 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Wed, 20 Nov 2024 11:19:30 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	51898	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:31 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-11-20 11:19:31 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: zKW287qfVUGJ8sYh.0 MS-RequestId: ab48be36-c650-45cf-8529-24d2d4a53e6b MS-CorrelationId: 7949d94f-e3f6-442c-bec8-fd11bac49056 X-Content-Type-Options: nosniff Date: Wed, 20 Nov 2024 11:19:30 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	51899	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:33 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-20 11:19:33 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: d129df13-23dd-4ec9-9581-560bbfe0f675 MS-RequestId: 06d348b0-9171-4bed-b6d2-c213e7a6a2be MS-CV: giQCKw9gREWHmZIT.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 20 Nov 2024 11:19:32 GMT Connection: close Content-Length: 24490
2024-11-20 11:19:33 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-11-20 11:19:33 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	51900	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:19:34 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-20 11:19:34 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: b6e19778-a51d-4406-862e-f5455c1ed88d MS-RequestId: d4d65075-1d9b-434e-a754-64402b331a4e MS-CV: 7YCd/XWknEatbfFQ.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 20 Nov 2024 11:19:34 GMT Connection: close Content-Length: 30005
2024-11-20 11:19:34 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-11-20 11:19:34 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	06:18:58
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\aspweb88.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aspweb88.exe"
Imagebase:	0x400000
File size:	649'379 bytes
MD5 hash:	8AE129A3F1E337C110CE61578A61E48C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	06:19:00
Start date:	20/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://127.0.0.1:88/
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:19:01
Start date:	20/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,16356890671198062281,12564807779130480005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 004CB880 Relevance: 117.8, APIs: 40, Strings: 27, Instructions: 501
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 004CB8AF
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004CB8C0
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004CB8C9
LoadLibraryA.KERNEL32(USER32.DLL), ref: 004CB8D2
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004CB8DD
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004CB8F5
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 004CB901
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 004CB92B
FreeLibrary.KERNEL32(00000000), ref: 004CB9A3
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004CB9B7
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 004CB9C1
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004CB9CD
FreeLibrary.KERNEL32(00000000), ref: 004CBAAA
GlobalMemoryStatus.KERNEL32(?), ref: 004CBABD
GetCurrentProcessId.KERNEL32 ref: 004CBAE8
GetProcAddress.KERNEL32(?,GetForegroundWindow), ref: 004CBB26
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 004CBB30
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 004CBB3C
FreeLibrary.KERNEL32(?), ref: 004CBBF8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004CBC0C
GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 004CBC16
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004CBC22
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004CBC2E
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 004CBC3A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 004CBC44
GetProcAddress.KERNEL32(00000000,Process32First), ref: 004CBC50
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004CBC5C
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 004CBC68
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 004CBC74
GetProcAddress.KERNEL32(00000000,Module32First), ref: 004CBC80
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 004CBC8C
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004CBD0E
Heap32ListFirst.KERNEL32 ref: 004CBD29
Heap32First.KERNEL32(?,?,?,?,?,00000000,?), ref: 004CBD7B

Strings

Module32Next, xrefs: 004CBC82
CryptAcquireContextA, xrefs: 004CB9B1
Heap32ListNext, xrefs: 004CBC3C
CloseToolhelp32Snapshot, xrefs: 004CBC0E
GetQueueStatus, xrefs: 004CBB32
Thread32First, xrefs: 004CBC5E
USER32.DLL, xrefs: 004CB8CB
CreateToolhelp32Snapshot, xrefs: 004CBC06
Heap32Next, xrefs: 004CBC24
KERNEL32.DLL, xrefs: 004CB8C2
ADVAPI32.DLL, xrefs: 004CB8BB
LanmanServer, xrefs: 004CB968
NetApiBufferFree, xrefs: 004CB8F7
Heap32ListFirst, xrefs: 004CBC30
LanmanWorkstation, xrefs: 004CB924
NetStatisticsGet, xrefs: 004CB8EF
CryptReleaseContext, xrefs: 004CB9C3
Heap32First, xrefs: 004CBC18
GetCursorInfo, xrefs: 004CBB28
Process32First, xrefs: 004CBC46
Process32Next, xrefs: 004CBC52
CryptGenRandom, xrefs: 004CB9B9
Module32First, xrefs: 004CBC76
GetForegroundWindow, xrefs: 004CBB20
Thread32Next, xrefs: 004CBC6A
NETAPI32.DLL, xrefs: 004CB8D4
Intel Hardware Cryptographic Service Provider, xrefs: 004CBA50

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AddressProc$Library$Load$Free$FirstHeap32$CreateCurrentGlobalListMemoryProcessSnapshotStatisticsStatusToolhelp32Version
String ID: ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 3649538108-3497599445
Opcode ID: 90da5904a4646cc65b681a384cdf73e39ee60fcdeb57bee9e0b81d865718b52d
Instruction ID: 80e6a8342ca8081a756ff6b345532f468b6ffb9de909e8acb32488c9f0a6e280
Opcode Fuzzy Hash: 90da5904a4646cc65b681a384cdf73e39ee60fcdeb57bee9e0b81d865718b52d
Instruction Fuzzy Hash: 4CF19A78644305ABD760AF65CC46FAFBBE8FF94704F000D1EB58592281EB79D904CBA6

Function 0046F030 Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 633
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNEL32(00000000,00538494,?,?,00000000,0052E707,000000FF,0047065E), ref: 0046F05D
VerLanguageNameA.KERNEL32(00538494,?,00000400), ref: 0046F0BE
LoadLibraryA.KERNEL32(Netapi32.dll,System_Language,?,?,?,00538494,?,00000400), ref: 0046F103
GetProcAddress.KERNEL32(00000000,NetWkstaGetInfo), ref: 0046F119
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0046F127
NetWkstaGetInfo.NETAPI32(00538214,00000064,?,?,?,?,00538494,?,00000400), ref: 0046F14D
FreeLibrary.KERNEL32(00000000,?,?,?,00538494,?,00000400), ref: 0046F1A1
FreeLibrary.KERNEL32(00000000,?,?,?,00538494,?,00000400), ref: 0046F1B1
RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Services\MSNP32\NetworkProvider,00000000,00000001,?,?,?,?,00538494,?,00000400), ref: 0046F1D0
RegQueryValueExA.ADVAPI32(?,AuthenticatingAgent,00000000,00000000,?,0055D69C,?,?,?,00538494,?,00000400), ref: 0046F1F9
RegCloseKey.ADVAPI32(?,?,?,?,00538494,?,00000400), ref: 0046F206
RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Services\VxD\VNETSUP,00000000,00000001,?,?,?,?,00538494,?,00000400), ref: 0046F22E
RegQueryValueExA.ADVAPI32(?,Workgroup,00000000,00000000,?,0055D69C,?,?,?,00538494,?,00000400), ref: 0046F255
RegCloseKey.ADVAPI32(?,?,?,?,00538494,?,00000400), ref: 0046F262
GetComputerNameA.KERNEL32(?,?), ref: 0046F2F1
GetUserNameA.ADVAPI32(?,?), ref: 0046F344
GetWindowsDirectoryA.KERNEL32(?,00000400,System_User,?,?,?,?,?,?,?,00542148,?,?,?,?,00538494), ref: 0046F38F
GetSystemDirectoryA.KERNEL32(?,00000400), ref: 0046F3DA
LoadLibraryA.KERNEL32(SHFolder.dll,Folder_System,?,?,?,?,?,?,?,?,?,?,?,?,?,00542148), ref: 0046F420
GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0046F436
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00542148), ref: 0046F669
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00542148), ref: 0046F677
GetIpAddrTable.IPHLPAPI(00000000,0046DACC,00000000), ref: 0046F72C
GetIpAddrTable.IPHLPAPI(00000000,0046DAC0,00000001), ref: 0046F75C

Strings

Workgroup, xrefs: 0046F247
SYSTEM\CurrentControlSet\Services\MSNP32\NetworkProvider, xrefs: 0046F1C6
%d.%d.%d.%d, xrefs: 0046F7E7
SHFolder.dll, xrefs: 0046F41B
System_LanguageID, xrefs: 0046F08D
Folder_ProgramFilesCommon, xrefs: 0046F55B
Folder_Favorites, xrefs: 0046F4BF
NetWkstaGetInfo, xrefs: 0046F113
wwww, xrefs: 0046F6C9
IP_%d, xrefs: 0046F7F7
Folder_StartMenu, xrefs: 0046F5F7
TimeZone, xrefs: 0046F6FC
Folder_System, xrefs: 0046F3F8
TimeZone_Name, xrefs: 0046F698
Folder_Windows, xrefs: 0046F3AD
SHGetFolderPathA, xrefs: 0046F430
Folder_Programs, xrefs: 0046F5A9
NetApiBufferFree, xrefs: 0046F11F
Folder_ProgramFiles, xrefs: 0046F50D
System_Name, xrefs: 0046F30F
Folder_MyDocuments, xrefs: 0046F645
System_Domain, xrefs: 0046F170, 0046F287, 0046F2C4
Netapi32.dll, xrefs: 0046F0FE
AuthenticatingAgent, xrefs: 0046F1EB
Folder_Desktop, xrefs: 0046F471
System_Language, xrefs: 0046F0DB
System_User, xrefs: 0046F362
SYSTEM\CurrentControlSet\Services\VxD\VNETSUP, xrefs: 0046F224

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Library$AddressFreeNameProc$AddrCloseDirectoryLoadOpenQuerySystemTableValue$ComputerDefaultInfoInformationLangLanguageTimeUserWindowsWkstaZone
String ID: %d.%d.%d.%d$AuthenticatingAgent$Folder_Desktop$Folder_Favorites$Folder_MyDocuments$Folder_ProgramFiles$Folder_ProgramFilesCommon$Folder_Programs$Folder_StartMenu$Folder_System$Folder_Windows$IP_%d$NetApiBufferFree$NetWkstaGetInfo$Netapi32.dll$SHFolder.dll$SHGetFolderPathA$SYSTEM\CurrentControlSet\Services\MSNP32\NetworkProvider$SYSTEM\CurrentControlSet\Services\VxD\VNETSUP$System_Domain$System_Language$System_LanguageID$System_Name$System_User$TimeZone$TimeZone_Name$Workgroup$wwww
API String ID: 4118238951-3923110365
Opcode ID: 3b2e2a1eab0e39fe390b81f4d96269bd5fef595262b0d277db15966267d1c36e
Instruction ID: eb8890a7fab2984fbccf88f0af1347c6c3f8dd3db5c7d3d0a6f5b24ba6d96508
Opcode Fuzzy Hash: 3b2e2a1eab0e39fe390b81f4d96269bd5fef595262b0d277db15966267d1c36e
Instruction Fuzzy Hash: 2D3282B0608341ABD624DF66C846B9FBBD9BFC4744F00091EF58597392DB7499088BEB

Function 0041F4F0 Relevance: 88.0, APIs: 46, Strings: 4, Instructions: 546
windownativetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 0041F52C
GetSystemMenu.USER32(?,00000000), ref: 0041F542
GetMenuItemCount.USER32(00000000), ref: 0041F54F
DeleteMenu.USER32(?,00000000,00000400), ref: 0041F56D
InsertMenuA.USER32(?,0000F060,00000003,00000003,Start Service), ref: 0041F5A8
InsertMenuA.USER32(?,0000F060,00000000,00000002,Pause Service), ref: 0041F5BE
InsertMenuA.USER32(?,0000F060,00000800,00000000,00000000), ref: 0041F5D3
InsertMenuA.USER32(?,0000F060,00000000,00000010,Restart Service), ref: 0041F5E9
InsertMenuA.USER32(?,0000F060,00000800,00000000,00000000), ref: 0041F5FE
SetTimer.USER32(?,00000001,00000032,00000000), ref: 0041F606
QueryPerformanceCounter.KERNEL32(00A80E00), ref: 0041F626
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F64E
PostMessageA.USER32(?,00000113,00000000,00000000), ref: 0041F674
KillTimer.USER32(?,00000001), ref: 0041F6B3
Shell_NotifyIcon.SHELL32(00000002,00A80CF0), ref: 0041F6C9
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0041F71C
FindWindowA.USER32(progman,00000000), ref: 0041F7C6
Shell_NotifyIcon.SHELL32(00000000,00A80D40), ref: 0041F7E3
QueryPerformanceCounter.KERNEL32(?), ref: 0041F808
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F82F
GetCursorPos.USER32(000003E8), ref: 0041F841
SetForegroundWindow.USER32(?), ref: 0041F886
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0041F894
QueryPerformanceCounter.KERNEL32(?), ref: 0041F8D4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F8FB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0041F983
TrackPopupMenu.USER32(?,0000002A,?,?,00000000,?,00000000), ref: 0041F9AF

Strings

Restart Service, xrefs: 0041F5DB
progman, xrefs: 0041F7C1
Start Service, xrefs: 0041F599
Pause Service, xrefs: 0041F5B0

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Menu$Insert$Window$CounterMessagePerformancePostQueryUnothrow_t@std@@@__ehfuncinfo$??2@$IconNotifyNtdllProc_Shell_Timer$CountCursorDeleteFindForegroundItemKillPopupQuitSystemTrack
String ID: Pause Service$Restart Service$Start Service$progman
API String ID: 2813876301-2942994475
Opcode ID: 2e6de569ab2976b298a11645f3c358dbaa9bd4a891acc3c1fd60c07217239d09
Instruction ID: 442b706bb23ee063055ad1ded24e5b60396c56a0fadefce10a1525cfbb1a0a88
Opcode Fuzzy Hash: 2e6de569ab2976b298a11645f3c358dbaa9bd4a891acc3c1fd60c07217239d09
Instruction Fuzzy Hash: DE02B0B2600B04AFE320DF64DC85FABB3A8FB94351F44892EF55A82251D774B849CB74

Function 00435800 Relevance: 53.4, APIs: 24, Strings: 6, Instructions: 889networkcomwindowCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00435854
InterlockedExchange.KERNEL32(005877AC,00000000), ref: 0043589A
InternetSetOptionA.WININET(00000000,00000049,?,00000004), ref: 0043592B
InternetSetOptionA.WININET(00000000,0000004A,?,00000004), ref: 0043593F
CoCreateInstance.COMBASE(0054880C,00000000,00000017,005645F4,?), ref: 004359A5
InterlockedExchange.KERNEL32(?,00000000), ref: 004359DC
CoInternetGetSession.URLMON(00000000,?,00000000), ref: 004359EF
CoCreateInstance.COMBASE(0055D440,00000000,00000017,00564624,0058D274), ref: 00435A7C
InterlockedExchange.KERNEL32(?,00000000), ref: 00435AB4
GetCommandLineA.KERNEL32 ref: 00435AC0
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00435FAA
SetEvent.KERNEL32(?,?,00000000), ref: 0043600A
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0043603D
GetCommandLineA.KERNEL32(00000005,?,?), ref: 00436135
WinExec.KERNEL32(00000000), ref: 0043613C

Part of subcall function 0044D3A0: CloseHandle.KERNEL32(?), ref: 0044D414

ExitProcess.KERNEL32 ref: 0043614E
InterlockedExchange.KERNEL32(005877AC,00000000), ref: 004361AC
InterlockedExchange.KERNEL32(?,00000000), ref: 0043621B
InterlockedExchange.KERNEL32(?,00000000), ref: 0043622D
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000000), ref: 0043627D
InterlockedExchange.KERNEL32 ref: 00436291
InterlockedExchange.KERNEL32(?,00000000), ref: 004362AB

Part of subcall function 004268B0: GetCurrentThreadId.KERNEL32 ref: 004268CD
Part of subcall function 004268B0: RtlDeleteCriticalSection.NTDLL(?), ref: 004269A0

Strings

, xrefs: 00435937
Main, xrefs: 0043582C
-Dispatch, xrefs: 00435F31, 00436090
NETBOX, xrefs: 00435A09, 0043620B
-debug, xrefs: 00435B36
-run, xrefs: 00435CC7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$Internet$CommandCreateInstanceLineMessageOption$CloseCriticalCurrentDeleteEventExceptionExecExitFilterHandleProcessSectionSessionStartupThreadUnhandled
String ID: $-Dispatch$-debug$-run$Main$NETBOX
API String ID: 3272881514-1207208273
Opcode ID: e02a386901f6c62e3170afcfff85fb3bbe6ea94bb8e9d0e52ea7f7598f934684
Instruction ID: cf296bcd5a9afb928641a1ae21093ac11837aa1b430e3b70fe93168ecc81464a
Opcode Fuzzy Hash: e02a386901f6c62e3170afcfff85fb3bbe6ea94bb8e9d0e52ea7f7598f934684
Instruction Fuzzy Hash: C472F0702007429FD714DF68C889B6BB7E5BF89328F144A6EF4558B392CB78D805CB96

Function 0040B360 Relevance: 46.6, APIs: 5, Strings: 21, Instructions: 1077COMMON

Download Yara Rule

Strings

%14I64d <a href=", xrefs: 0040BCDE
</pre><hr>, xrefs: 0040BEB3, 0040BEF2
/">, xrefs: 0040BD61
</title></head><body>, xrefs: 0040B920, 0040B95A
<a folder="http://, xrefs: 0040B986, 0040B9C0
Cache-control, xrefs: 0040B81D
- , xrefs: 0040B8B8, 0040B8F2, 0040BACE, 0040BB08
Content-Type, xrefs: 0040B82D
<H1>, xrefs: 0040BA67, 0040BAA1
private, xrefs: 0040B817
*.*, xrefs: 0040B613
<dir> <a href=", xrefs: 0040BCB2
</H1><hr><pre>, xrefs: 0040BB36, 0040BB70
</body>, xrefs: 0040BF6C, 0040BFA6
</a>, xrefs: 0040BDB8
gzip, xrefs: 0040B7FE
" id=o style="behavior:url(#default#AnchorClick)"></a><script>o.click()</script>, xrefs: 0040B9FD, 0040BA37
<head><title>, xrefs: 0040B84B, 0040B885
text/html, xrefs: 0040B827
<a href="../">[To Parent Directory]</a>, xrefs: 0040BBA6, 0040BBE0
%04d-%02d-%02d %02d:%02d:%02d, xrefs: 0040BC9A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: <dir> <a href="$ %04d-%02d-%02d %02d:%02d:%02d$ - $" id=o style="behavior:url(#default#AnchorClick)"></a><script>o.click()</script>$%14I64d <a href="$*.*$/">$</H1><hr><pre>$</a>$</body>$</pre><hr>$</title></head><body>$<H1>$<a folder="http://$<a href="../">[To Parent Directory]</a>$<head><title>$Cache-control$Content-Type$gzip$private$text/html
API String ID: 0-52223142
Opcode ID: 9c9a36e9cda9dfc4f2b24f36d92ec5fa79ae2ac966fa26b017b6d5795dd0eac7
Instruction ID: 963397027cf79fa2dfb9a27e2aad14f9f8a988de3c5dc38afdab941e2c6a5f07
Opcode Fuzzy Hash: 9c9a36e9cda9dfc4f2b24f36d92ec5fa79ae2ac966fa26b017b6d5795dd0eac7
Instruction Fuzzy Hash: A592BF303002418FD724DF29C895AAAB7A9FF85314F14856EF8599B3E1DB38ED05CB99

Function 005287EA Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0052880D
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00528818
ConvertDefaultLocale.KERNEL32(?), ref: 00528849
ConvertDefaultLocale.KERNEL32(?), ref: 00528851
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0052885E
ConvertDefaultLocale.KERNEL32(?), ref: 00528878
ConvertDefaultLocale.KERNEL32(000003FF), ref: 0052887E
GetVersion.KERNEL32 ref: 0052888C
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 005288B1
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 005288D7
ConvertDefaultLocale.KERNEL32(?), ref: 00528923
ConvertDefaultLocale.KERNEL32(75570A60), ref: 00528929
RegCloseKey.ADVAPI32(?), ref: 00528934

Strings

GetSystemDefaultUILanguage, xrefs: 00528853
ntdll.dll, xrefs: 0052893C
GetUserDefaultUILanguage, xrefs: 0052880F
kernel32.dll, xrefs: 00528800
Control Panel\Desktop\ResourceLocale, xrefs: 005288A4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: 6264e1f7839442c849e8abafeaf89f0b627dccbb6a36f22255f5997c8af2c162
Instruction ID: 7ebc890d049fba62d5a90674bcf5d052c8855e50700efecf77a1684bfe0971d0
Opcode Fuzzy Hash: 6264e1f7839442c849e8abafeaf89f0b627dccbb6a36f22255f5997c8af2c162
Instruction Fuzzy Hash: D8515371E00229AFDF149FE5DC85AFEBEB9FF55354F14042AE501E3280EA7889849B61

Function 0046FB20 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 0046FD3A
GlobalMemoryStatus.KERNEL32(0055D69C), ref: 0046FD9A

Strings

RAM, xrefs: 0046FDDD
CPU_Number, xrefs: 0046FD75
CPU_Family, xrefs: 0046FBAA
CPU_Serial, xrefs: 0046FD0F
%08X-%08X-%08X, xrefs: 0046FCE3
CPU_Name, xrefs: 0046FC87
%uM, xrefs: 0046FDB1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: GlobalInfoMemoryStatusSystem
String ID: %08X-%08X-%08X$%uM$CPU_Family$CPU_Name$CPU_Number$CPU_Serial$RAM
API String ID: 248183744-931072827
Opcode ID: bd401c8b4d559ce360c14ee91ef39a490692d4e6a739ad2dfd4259a79da6c6d1
Instruction ID: 881c95a67481e16cba4c0ccec7489732c87515a23bec4c87dc1b30b1978dccac
Opcode Fuzzy Hash: bd401c8b4d559ce360c14ee91ef39a490692d4e6a739ad2dfd4259a79da6c6d1
Instruction Fuzzy Hash: 7D8139B15083819FD314DF29C84275BBBE5BF99714F044E2EB09987392EB78D9088B97

Function 00520980 Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00520985
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 005209AF
lstrcpyn.KERNEL32(?,?,00000104,?,?,?), ref: 005209C0

Part of subcall function 0052093E: lstrcpyn.KERNEL32(00000000,?,00000104,?,?,?), ref: 00520963
Part of subcall function 0052093E: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 0052096A

PathIsUNCA.SHLWAPI(?,?,?,?,?,?), ref: 005209F5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 00520A19
CharUpperA.USER32(?,?,?,?), ref: 00520A31
FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 00520A4A
FindClose.KERNEL32(00000000,?,?,?), ref: 00520A56
lstrlen.KERNEL32(?,?,?,?), ref: 00520A73
lstrcpy.KERNEL32(?,?), ref: 00520A92

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: 803d0cd94dd0f40201c958ee62c11ddeccce75beb3c68c540379b1b32e2f3729
Instruction ID: bf43e9bbb63373389d9f42b052c11d1206d772c4552de81e36c39c75b8a97b11
Opcode Fuzzy Hash: 803d0cd94dd0f40201c958ee62c11ddeccce75beb3c68c540379b1b32e2f3729
Instruction Fuzzy Hash: AF31BF31900628EFCB109F64EC88AEE7FB8FF56355F405465F406DA2D2D7348E849B50

Function 00421EB0 Relevance: 9.1, APIs: 6, Instructions: 144networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00421EE5
socket.WS2_32(00000002,00000001,00000000), ref: 00421EF8
setsockopt.WS2_32 ref: 00421F33
htons.WS2_32(?), ref: 00421FD6
bind.WS2_32(?,00000008,00000010), ref: 00421FEC
listen.WS2_32(?,7FFFFFFF), ref: 00422044

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: bindclosesockethtonslistensetsockoptsocket
String ID:
API String ID: 4126956815-0
Opcode ID: 462380171bebf5889107f1e4d92bd9a675a1fd7da4f14152a4818deb7cd8b392
Instruction ID: 94ff8ff163dc9e29bee7e7c61cc76b3a6c69cc8dc34ba79d8bb8ac17440e9770
Opcode Fuzzy Hash: 462380171bebf5889107f1e4d92bd9a675a1fd7da4f14152a4818deb7cd8b392
Instruction Fuzzy Hash: A7519BB16047019FD310DF28D985B5AB7E4BF98720F404A2EF5A6973E0DB78E909CB51

Function 00528755 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43librarystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000800,LOC), ref: 00528778
LoadLibraryA.KERNEL32(?), ref: 005287AB
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 005287BB

Strings

LOC, xrefs: 00528772

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: ad7f9c4ad4eddff18c5f1a728b5707903ea314880c097a3308613bdb753f9aef
Instruction ID: a15a56bbca495d8af9b5ed92513dce86b317fc38a9f59cb50cc1ec69c57fa89a
Opcode Fuzzy Hash: ad7f9c4ad4eddff18c5f1a728b5707903ea314880c097a3308613bdb753f9aef
Instruction Fuzzy Hash: 2801F271900218BBDF109FA4EC45AEE3BBCFF01724F148515F915D61C0EB31CB489A90

Function 0046D400 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(?,00074080,00000000,00000000,?,00000018,?,00000000), ref: 0046D443
DeviceIoControl.KERNEL32 ref: 0046D4CF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: da3706805500b5523fbeda6c633c3fa2039da4cde4fc56560240fa8e742f0fe6
Instruction ID: 820b80d6204d4aae48d6515d2da184bbb17c356aabf9d610a548853af785ee0e
Opcode Fuzzy Hash: da3706805500b5523fbeda6c633c3fa2039da4cde4fc56560240fa8e742f0fe6
Instruction Fuzzy Hash: DC417E71A0C7809FD310CF28D844A6BFBE4AB99304F148A6EF999C7361E774D908CB56

Function 004106A0 Relevance: 1.6, APIs: 1, Instructions: 111comCOMMON

Download Yara Rule

APIs

Part of subcall function 0045C5B0: RtlEnterCriticalSection.NTDLL(005734F4), ref: 0045C603
Part of subcall function 0045C5B0: RtlLeaveCriticalSection.NTDLL(005734F4), ref: 0045C64E

CoCreateInstance.COMBASE(?,00000000,00000017,0054858C,?), ref: 00428476

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$CreateEnterInstanceLeave
String ID:
API String ID: 2599307331-0
Opcode ID: e0df22b4de4c9fb0d7f2fa0dc1150d06542ff546330b9809e29f77643e0f4f36
Instruction ID: 4a3d75e3234612e5ba5073e6525087eb2c07e60980dbac049db4efb3e446eb44
Opcode Fuzzy Hash: e0df22b4de4c9fb0d7f2fa0dc1150d06542ff546330b9809e29f77643e0f4f36
Instruction Fuzzy Hash: BA416D70204351AFD314DB64C885F6BBBE8BF88724F448A0DF5999B2D0DB78D904CB56

Function 00403210 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(-00000110,?,00000006), ref: 00403227

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: db502a40c1240bc52ae5f71ec5372e9d6df1b0478e874980451b70199fcc8097
Instruction ID: 6004608dbfb27284424caab79e4fe5a0a1a42d73684ec1a006f8f95a3578a7ab
Opcode Fuzzy Hash: db502a40c1240bc52ae5f71ec5372e9d6df1b0478e874980451b70199fcc8097
Instruction Fuzzy Hash: 9ED02B263000203AD5101A0EBC009BB77ACCFC5636F05407FF885EA240E2349C47A1B2

Function 0046E4F0 Relevance: 109.2, APIs: 18, Strings: 44, Instructions: 726
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?), ref: 0046E57C
GetVersionExA.KERNEL32(?), ref: 0046E591
RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Internet Explorer,00000000,00000001,?), ref: 0046EA76
RegQueryValueExA.KERNEL32(?,Version,00000000,00000000,?,?), ref: 0046EA99
RegCloseKey.ADVAPI32(?), ref: 0046EAA2
RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000001,?), ref: 0046EAFB

Strings

Windows 2000 Advanced Server, xrefs: 0046E6E0
Windows Server 2003, Web Edition, xrefs: 0046E654
Windows NT, xrefs: 0046E5D1
OS_Version, xrefs: 0046E92A
Windows LongHorn Home Edition, xrefs: 0046E726
User Agent, xrefs: 0046EB1C
Windows 2000 Professional, xrefs: 0046E76E
Windows Server 2003, Enterprise Edition, xrefs: 0046E68F
ADO_Version, xrefs: 0046EE12
IE_Version, xrefs: 0046EAC7
ProductType, xrefs: 0046E7B0
Windows Server 2003, Standard Edition, xrefs: 0046E6A5
SOFTWARE\Microsoft\DataAccess, xrefs: 0046ED88
OS_BuildNumber, xrefs: 0046EA3A
OS_Platform, xrefs: 0046E8E3
Windows NT, xrefs: 0046E818
System\CurrentControlSet\Control\ProductOptions, xrefs: 0046E781
Windows Server 2003, Datacenter Edition, xrefs: 0046E675
WinNT, xrefs: 0046E7C9
OS_ServicePack, xrefs: 0046E98E
Version, xrefs: 0046EA93, 0046EDDE
FullInstallVer, xrefs: 0046EDBB
Windows LongHorn Professional, xrefs: 0046E70F
Windows 95, xrefs: 0046E88C
ProxyEnable, xrefs: 0046EB7F
Windows 98 Second Edition, xrefs: 0046E8A4
Windows NT Workstation, xrefs: 0046E7EC
Windows XP Home Edition, xrefs: 0046E758
Windows 2000 Server, xrefs: 0046E6F6
Windows 98, xrefs: 0046E8AB, 0046E8D6
Windows NT Server, xrefs: 0046E802
Windows ME, xrefs: 0046E8B2
Software\Microsoft\Internet Explorer, xrefs: 0046EA64
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0046EAF1
Windows XP Professional, xrefs: 0046E741
ProxyServer, xrefs: 0046EBB0
OS_Family, xrefs: 0046E5E2, 0046E858
IE_Proxy_, xrefs: 0046EC18, 0046EC26
IE_Proxy, xrefs: 0046ED21
IE_UserAgent, xrefs: 0046EB4C
Windows 2000 Datacenter Server, xrefs: 0046E6C6
%d.%d, xrefs: 0046E8C2
Windows, xrefs: 0046E847
A, xrefs: 0046E898

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: OpenVersion$CloseQueryValue
String ID: %d.%d$A$ADO_Version$FullInstallVer$IE_Proxy$IE_Proxy_$IE_UserAgent$IE_Version$OS_BuildNumber$OS_Family$OS_Platform$OS_ServicePack$OS_Version$ProductType$ProxyEnable$ProxyServer$SOFTWARE\Microsoft\DataAccess$Software\Microsoft\Internet Explorer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$System\CurrentControlSet\Control\ProductOptions$User Agent$Version$WinNT$Windows$Windows 2000 Advanced Server$Windows 2000 Datacenter Server$Windows 2000 Professional$Windows 2000 Server$Windows 95$Windows 98$Windows 98 Second Edition$Windows LongHorn Home Edition$Windows LongHorn Professional$Windows ME$Windows NT$Windows NT$Windows NT Server$Windows NT Workstation$Windows Server 2003, Datacenter Edition$Windows Server 2003, Enterprise Edition$Windows Server 2003, Standard Edition$Windows Server 2003, Web Edition$Windows XP Home Edition$Windows XP Professional
API String ID: 2700936322-523565937
Opcode ID: 819a84b888e59e1b9ad9c4756706df892a4bfe4e76a59eca181dcc294015130c
Instruction ID: 76a8c14a0776137b94c54a19349548f577b924e733a18db4933ee284fe795d91
Opcode Fuzzy Hash: 819a84b888e59e1b9ad9c4756706df892a4bfe4e76a59eca181dcc294015130c
Instruction Fuzzy Hash: 5552B3746083809FD724DB2AC845B5BBBE5BF88714F048A1EF89997381E7749C04CB9B

Function 00455B50 Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 383
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,SMALL), ref: 00455B77
InterlockedExchange.KERNEL32(?,00000000), ref: 00455C20
InterlockedExchange.KERNEL32(?,00000000), ref: 00455C7B
InterlockedExchange.KERNEL32(?,00000000), ref: 00455C98

Strings

(, xrefs: 00455D9C
, xrefs: 00455DBF
SMALL, xrefs: 00455B6D
B, xrefs: 00455BF4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$IconLoad
String ID: $($SMALL$B
API String ID: 1170064449-68420233
Opcode ID: 2ee82684bee47ed7c5c8282e090f5f2ee629463db87da7ef01a69d992e0beb41
Instruction ID: b3415afbb6d2c05ef6f745186a0a92c60805dc6c7b00c98d8e38c10896cb702b
Opcode Fuzzy Hash: 2ee82684bee47ed7c5c8282e090f5f2ee629463db87da7ef01a69d992e0beb41
Instruction Fuzzy Hash: 6BE118B1604740AFD320CF65CC88F6BBBE8BF89715F108A1DF58987291D7759849CBA2

Function 0041EDE0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 140
windowregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(?,00000000), ref: 0041EDF2
SetServiceStatus.ADVAPI32(?,?), ref: 0041EE3F
GetModuleHandleA.KERNEL32(KERNEL32.DLL,RegisterServiceProcess,?), ref: 0041EE50
GetProcAddress.KERNEL32(00000000), ref: 0041EE57
GetCurrentProcessId.KERNEL32(00000001), ref: 0041EE65
GetStockObject.GDI32(00000005), ref: 0041EEB0
RegisterClassA.USER32(?), ref: 0041EEBF
_strncpy.LIBCMT ref: 0041EEE5
CreateWindowExA.USER32(00000000,?,?,80080000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0041EF10
SetServiceStatus.ADVAPI32(?,?), ref: 0041EF4E
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0041EF62
TranslateMessage.USER32(00000000), ref: 0041EF79
DispatchMessageA.USER32(00000000), ref: 0041EF80
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0041EF8D

Strings

KERNEL32.DLL, xrefs: 0041EE4B
RegisterServiceProcess, xrefs: 0041EE46

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Message$ServiceStatusWindow$AddressClassCreateCurrentDispatchFindHandleModuleObjectProcProcessRegisterStockTranslate_strncpy
String ID: KERNEL32.DLL$RegisterServiceProcess
API String ID: 2832294648-1249553837
Opcode ID: 5f551b39c9ce61686fb56a530d70c566debfad81d5128011e68acbb81130ed9b
Instruction ID: 4f05f19d04c7a128178f9b61d4b9ad96e0bd06242875e229661f4f44c1f92a7a
Opcode Fuzzy Hash: 5f551b39c9ce61686fb56a530d70c566debfad81d5128011e68acbb81130ed9b
Instruction Fuzzy Hash: 2B5139B1500B04AFD320DF6AC885B5BBBE8FB88744F40891EF59AC7350EB75A4498F65

Function 004279C0 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 333
librarycomloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 004279FA
CLSIDFromProgID.COMBASE ref: 00427A1E
CoCreateInstance.COMBASE(?,00000000,00000017,00562680,?), ref: 00427A3A
VariantClear.OLEAUT32(?), ref: 00427A55
VariantClear.OLEAUT32(?), ref: 00427B16
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 00427C1D
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00427C3A
LoadLibraryA.KERNEL32(?), ref: 00427C4D
VariantClear.OLEAUT32(?), ref: 00427C68
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00427CD7
VariantClear.OLEAUT32(?), ref: 00427D22
VariantClear.OLEAUT32 ref: 00427D75

Strings

DllGetClassObject, xrefs: 00427CD1
VBScript, xrefs: 00427A15, 00427D0E
scriptObject, xrefs: 00427BFA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$AddressCreateFileFromInitInstanceLibraryLoadModuleNameProcProgQueryVirtual
String ID: DllGetClassObject$VBScript$scriptObject
API String ID: 2961108460-1184475560
Opcode ID: dbe13b4485af901509d9ad94f54d76c4cc0b8e1f0b1487f64e1dfddc24247227
Instruction ID: 8c15f0ef472f0c4448e9e1f3676ac808e4883dd74ab3f42ce4e88b93ce16648f
Opcode Fuzzy Hash: dbe13b4485af901509d9ad94f54d76c4cc0b8e1f0b1487f64e1dfddc24247227
Instruction Fuzzy Hash: 41D10A712083819FC710CFA4D888A5BBBE9BF89314F948E6DF199C7250C779E849CB52

Function 0046F8E0 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 161
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000000), ref: 0046F914
GetSystemMetrics.USER32(00000001), ref: 0046F965
73F7A570.USER32(00000000), ref: 0046F9AC
DeleteDC.GDI32(00000000), ref: 0046FA27
RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\ThemeManager,00000000,00000001,?), ref: 0046FA48
RegQueryValueExA.KERNEL32(?,ThemeActive,00000000,00000000,?,?), ref: 0046FA6A
RegCloseKey.ADVAPI32(?), ref: 0046FA77

Strings

Screen_Width, xrefs: 0046F936
bit, xrefs: 0046F9DA
ThemeActive, xrefs: 0046FA64
Screen_Color, xrefs: 0046FA03
Screen_Height, xrefs: 0046F987
XPThemeActive, xrefs: 0046FA99, 0046FAD6
Software\Microsoft\Windows\CurrentVersion\ThemeManager, xrefs: 0046FA36

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: MetricsSystem$A570CloseDeleteOpenQueryValue
String ID: bit$Screen_Color$Screen_Height$Screen_Width$Software\Microsoft\Windows\CurrentVersion\ThemeManager$ThemeActive$XPThemeActive
API String ID: 180833123-23443811
Opcode ID: 709b4056ac7044926535f400482691fd886335620e2b09caaeded0c8af43fd35
Instruction ID: e7d5912de26f8d06cae590a420d2b5b9d8a72818dd60b0cfb384a6275b8444fe
Opcode Fuzzy Hash: 709b4056ac7044926535f400482691fd886335620e2b09caaeded0c8af43fd35
Instruction Fuzzy Hash: C051C6B1204780ABC614DF15CC42B9F7BD9AB88B44F000D0EF58597382EBB9A4488BD7

Function 00433BA0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 125
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00528D5F: __EH_prolog.LIBCMT ref: 00528D64
Part of subcall function 00528D5F: GetCurrentThread.KERNEL32 ref: 00528DB2
Part of subcall function 00528D5F: GetCurrentThreadId.KERNEL32 ref: 00528DBB

FindWindowA.USER32(progman,00000000), ref: 00433C63
GetVersionExA.KERNEL32(?), ref: 00433C8F
RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Internet Explorer,00000000,00000001,?), ref: 00433CDA
RegQueryValueExA.KERNEL32(?,Version,00000000,00000000,?,?), ref: 00433CFD
RegCloseKey.KERNEL32(?), ref: 00433D0A
MessageBoxA.USER32(00000000,Program cannot run at this machine.,NetBox Application,00000000), ref: 00433D20
ExitProcess.KERNEL32 ref: 00433D27
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0000007F,00000001), ref: 00433D4E

Strings

Program cannot run at this machine., xrefs: 00433D1A
progman, xrefs: 00433C54
Software\Microsoft\Internet Explorer, xrefs: 00433CC8
Version, xrefs: 00433CF7
NetBox Application, xrefs: 00433D15
4, xrefs: 00433CB9

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CurrentThread$CloseCreateEventExitFindH_prologMessageOpenProcessQueryValueVersionWindow
String ID: 4$NetBox Application$Program cannot run at this machine.$Software\Microsoft\Internet Explorer$Version$progman
API String ID: 409359103-3057245234
Opcode ID: 3683a89ac6526a39570b00c1ee77817e956330f73d4e6d9de4e793baae35879c
Instruction ID: daaa0e81ba1c1bf050d7cf19e7636fce71081d2fdb76bf461a2261c41b696e01
Opcode Fuzzy Hash: 3683a89ac6526a39570b00c1ee77817e956330f73d4e6d9de4e793baae35879c
Instruction Fuzzy Hash: 2541D3B0508384AFE730DF24CC85BEABBE9FB58305F40591EF58997281D7784A48CB26

Function 004346B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 115
synchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32 ref: 00434740
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00434755
GetExitCodeProcess.KERNEL32(?,?), ref: 00434765
CloseHandle.KERNEL32(?), ref: 00434776
CloseHandle.KERNEL32(?), ref: 0043477D
ShellExecuteEx.SHELL32(00000000), ref: 004347BA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004347DF
GetExitCodeProcess.KERNEL32(?,?), ref: 004347EF
CloseHandle.KERNEL32(?), ref: 004347FA

Strings

D, xrefs: 0043472D
<, xrefs: 004347A2

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleWait$CreateExecuteShell
String ID: <$D
API String ID: 2882604053-1382654409
Opcode ID: 9fb08576dcf7c203c9f7f0559d7aec040503264c9ef7533c34f62d9c2a6571b7
Instruction ID: 2a71d2dccc001d5ce4421bb016a0a767f775c3c90fc1ffc81a4bc306cb5907dd
Opcode Fuzzy Hash: 9fb08576dcf7c203c9f7f0559d7aec040503264c9ef7533c34f62d9c2a6571b7
Instruction Fuzzy Hash: ED4161725083549BD714DF64EC44A9BB7E8FFC9760F00491EF95493390E7B99809CBA2

Function 00521450 Relevance: 16.6, APIs: 11, Instructions: 88
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00521482
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0052148C
ResumeThread.KERNEL32(00000000), ref: 005214CE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005214D9
CloseHandle.KERNEL32(?), ref: 005214E2
Wow64SuspendThread.KERNEL32(?), ref: 005214ED
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005214FD
CloseHandle.KERNEL32(?), ref: 00521506
SetEvent.KERNEL32(00000004), ref: 00521510
CloseHandle.KERNEL32(?), ref: 0052151E
CloseHandle.KERNEL32(?), ref: 00521528

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$ResumeSuspendWow64
String ID:
API String ID: 1108625485-0
Opcode ID: ab9e72196bc43e94c45609965d4c0cee691c365ef3b56ac124fdb9305144d343
Instruction ID: 557be6b70cf499256c0c06af75650d7b87730767d1d43e1512f9cfcad5dc835a
Opcode Fuzzy Hash: ab9e72196bc43e94c45609965d4c0cee691c365ef3b56ac124fdb9305144d343
Instruction Fuzzy Hash: 58318E72D00609BFCF11AFA5EC8489FBFB8FF58350F104569F116A62A0E6319A45DF60

Function 005290F1 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0058A464), ref: 00529102
GlobalAlloc.KERNEL32(00000002,00000040,?,?,0058A448,0058A448,?,0052962D,?,?,?,005299F7,00527A88,0051FFB3,004033D0,?), ref: 00529153
GlobalHandle.KERNEL32(007FFF88), ref: 0052915C
GlobalUnlock.KERNEL32(00000000), ref: 00529166
GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 0052917A
GlobalHandle.KERNEL32(007FFF88), ref: 0052918C
GlobalLock.KERNEL32(00000000), ref: 00529193
RtlLeaveCriticalSection.NTDLL(?), ref: 0052919C
GlobalLock.KERNEL32(00000000), ref: 005291A8
RtlLeaveCriticalSection.NTDLL(?), ref: 005291F0

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 3e81f588098b698f57ec661d83c239efa209f139120e684f87c6ef6437b6009d
Instruction ID: 43f0eaeca50ad1f8e9e84f9afda7dc13431f0630ed5ae9606eedcff45828688b
Opcode Fuzzy Hash: 3e81f588098b698f57ec661d83c239efa209f139120e684f87c6ef6437b6009d
Instruction Fuzzy Hash: A8318B74A00B16AFDB20CF65DC8DA5ABBF9FF84305B008969E856D3750E730E919CB50

Function 004393C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00586FAC,00000001), ref: 004393DA
RtlEnterCriticalSection.NTDLL(00572260), ref: 0043940D
VirtualQuery.KERNEL32(00000000,?,0000001C,75571620,?,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 00439430
GetModuleFileNameA.KERNEL32(?,?,00000002), ref: 0043947B
VirtualProtect.KERNEL32(?,00000004,00000040,?,FFFF1424), ref: 00439526
InterlockedExchange.KERNEL32(00586FAC,00000000), ref: 00439597
RtlLeaveCriticalSection.NTDLL(00572260), ref: 004395AB

Strings

0nX, xrefs: 004394F0

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalExchangeInterlockedSectionVirtual$EnterFileLeaveModuleNameProtectQuery
String ID: 0nX
API String ID: 2241155862-1172611949
Opcode ID: 7824ab478284bdaedcba60b262ad8563ffb25c1d28b862cdde1e798ba0131d13
Instruction ID: 6bdc53cc5fe2047094b99c973fe1352533d6e2f026ff75c41f7ef71ce9620612
Opcode Fuzzy Hash: 7824ab478284bdaedcba60b262ad8563ffb25c1d28b862cdde1e798ba0131d13
Instruction Fuzzy Hash: E451BC32704301AFDB21CF19E880B2B73E5BB58704F54641AE946EB352E7B8EC84DB59

Function 00470010 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0047009B
CloseHandle.KERNEL32(00000000), ref: 00470148
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0047018A
CloseHandle.KERNEL32(00000000), ref: 00470256

Part of subcall function 0046D400: DeviceIoControl.KERNEL32(?,00074080,00000000,00000000,?,00000018,?,00000000), ref: 0046D443
Part of subcall function 0046D400: DeviceIoControl.KERNEL32 ref: 0046D4CF

Strings

IDE_%d, xrefs: 004700F9, 00470346
SCSI_%d, xrefs: 00470204
\\.\PhysicalDrive%d, xrefs: 0047007A, 00470169

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: IDE_%d$SCSI_%d$\\.\PhysicalDrive%d
API String ID: 33631002-2625957698
Opcode ID: 70d1ec4ef62c0973351042db01eb19c605540c7e93f92c64bdf59da2260bd1ce
Instruction ID: e1655ac2e9934376e39aad970a080530ad7b64b8c5c85c12fa04694505f2e869
Opcode Fuzzy Hash: 70d1ec4ef62c0973351042db01eb19c605540c7e93f92c64bdf59da2260bd1ce
Instruction Fuzzy Hash: 62B1CDB1D012089FDB04DFA9D846BEEBBB4EF54318F14825AF415B7382DB349A048BA5

Function 0042F9D0 Relevance: 12.1, APIs: 8, Instructions: 133injectionCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0042F9FB

Part of subcall function 00422090: accept.WS2_32(?,?,00000010), ref: 004220BE

setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 0042FA5F
setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 0042FA76
VariantClear.OLEAUT32(?), ref: 0042FA8B
QueueUserAPC.KERNEL32(Function_0002F6C0,?,?), ref: 0042FAD8
VariantClear.OLEAUT32(00000009), ref: 0042FB37
InterlockedExchange.KERNEL32(?,00000000), ref: 0042FB60
VariantClear.OLEAUT32(?), ref: 0042FB6B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$setsockopt$ExchangeInitInterlockedQueueUseraccept
String ID:
API String ID: 520812485-0
Opcode ID: f3f3eb8d9685ca333e9f21c40c6ebc8588cff2589b7ca26c11e6ced00b7947f0
Instruction ID: 2cf6c78eb5b685271801cc1e367f8970daacb87a0361bce1f9758491de2a6d8a
Opcode Fuzzy Hash: f3f3eb8d9685ca333e9f21c40c6ebc8588cff2589b7ca26c11e6ced00b7947f0
Instruction Fuzzy Hash: FC5188702043129BD704DF64D884F6BBBF8BF88744F904A2EF55987291E778E849CB96

Function 0045E430 Relevance: 10.8, APIs: 7, Instructions: 264COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0045E4C2
GetLongPathNameW.KERNEL32(?,?,00000104), ref: 0045E502

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0045E5B6
_wcsrchr.LIBCMT ref: 0045E688
SetCurrentDirectoryW.KERNEL32(00810CB8), ref: 0045E6F8
SetCurrentDirectoryA.KERNEL32(?,00810CB8), ref: 0045E713

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: NamePath$CurrentDirectoryFull$ErrorLastLong_wcsrchr
String ID:
API String ID: 1047418922-0
Opcode ID: d7cbfe3bd2d02eb14f041c3b90e27165565e5c6b950f138cdf2ef0e229e99b27
Instruction ID: 40ad2bec1aa685cf45afd6b45680f36696ad7f1da70e90312fc08d3f478c19fe
Opcode Fuzzy Hash: d7cbfe3bd2d02eb14f041c3b90e27165565e5c6b950f138cdf2ef0e229e99b27
Instruction Fuzzy Hash: 5EA1E2712047019FD324CF68C884A9BB3E5FFD8321F144A6EE956C7291EB34E909CB96

Function 00419480 Relevance: 10.7, APIs: 7, Instructions: 166sleepCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041958A
VariantChangeType.OLEAUT32(?,?,00000000,0000000B), ref: 0041959A
VariantClear.OLEAUT32(?), ref: 004195B6
CreateSemaphoreA.KERNEL32(00000000,00000000,00001000,00000000), ref: 004195C9
CreateSemaphoreA.KERNEL32(00000000,00001000,00001000,00000000), ref: 004195D4
RtlLeaveCriticalSection.NTDLL(0058D254), ref: 00419625
Sleep.KERNEL32(00000064), ref: 0041963A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$CreateSemaphore$ChangeClearCriticalInitLeaveSectionSleepType
String ID:
API String ID: 3626925527-0
Opcode ID: 3169203139bdb8c17fe8e8550b2f7d45b73c953eef37a117d00a561f5e5452bb
Instruction ID: 2780e2dc94b70b964924c628cd71b4bde7fc0e90034d76964fc5c7c768985c64
Opcode Fuzzy Hash: 3169203139bdb8c17fe8e8550b2f7d45b73c953eef37a117d00a561f5e5452bb
Instruction Fuzzy Hash: 8551ED72600701AFD715EF29CC91B96BBA5BF44710F00462AF916AB3D0DB78EC49CBA5

Function 0042FA28 Relevance: 10.6, APIs: 7, Instructions: 85injectionCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 0042FA5F
setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 0042FA76
VariantClear.OLEAUT32(?), ref: 0042FA8B
QueueUserAPC.KERNEL32(Function_0002F6C0,?,?), ref: 0042FAD8
VariantClear.OLEAUT32(00000009), ref: 0042FB37
InterlockedExchange.KERNEL32(?,00000000), ref: 0042FB60
VariantClear.OLEAUT32(?), ref: 0042FB6B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant$setsockopt$ExchangeInterlockedQueueUser
String ID:
API String ID: 3571247932-0
Opcode ID: 3710fe7fd4cc921878dd3ca9db8c746ff385ac9f588f2b1d2e7238cb5247bf3e
Instruction ID: a18f24386319708879a924da4185f3f6c844425403761b04bf5d9e4eef2cd69b
Opcode Fuzzy Hash: 3710fe7fd4cc921878dd3ca9db8c746ff385ac9f588f2b1d2e7238cb5247bf3e
Instruction Fuzzy Hash: AC317E703043129BD714DF60D885F6BBBB4BF88744F804A2DF55987290E778D849CB95

Function 004703A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(005C3A63), ref: 00470411
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00470434

Strings

%04X-%04X, xrefs: 0047045A
Volume_%d, xrefs: 0047043F
c:\, xrefs: 004703CA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: DriveInformationTypeVolume
String ID: %04X-%04X$Volume_%d$c:\
API String ID: 3149825354-771349572
Opcode ID: 97b496219ba77d58d1db1d903854e0e3ec480644b3247f8a172001a53c88e601
Instruction ID: 3fc8355bb43c2188c5e2779654f311ae5a9748bec71682548212b84f409e2073
Opcode Fuzzy Hash: 97b496219ba77d58d1db1d903854e0e3ec480644b3247f8a172001a53c88e601
Instruction Fuzzy Hash: E241AEB1504381AFD300DF29D884A5BBBE8FFC9728F448A5EF49597291D734D909CBA2

Function 0046EED0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0046EF1C
GetModuleFileNameA.KERNEL32(?,?,00000400), ref: 0046EF67
VirtualQuery.KERNEL32(?,?,0000001C), ref: 0046EFDC

Strings

Module_%d, xrefs: 0046EF76
lume_%d, xrefs: 0046EFA3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: QueryVirtual$FileModuleName
String ID: Module_%d$lume_%d
API String ID: 3304953423-845420420
Opcode ID: 432ca21e2ff25ac55026d249a492d1fbbeec93bd4d705d0842c454bdfe20a39d
Instruction ID: 9d375801fa1d0f4fb4349aa7c4e7d84bdead6568041e024baa4bb083b88f3165
Opcode Fuzzy Hash: 432ca21e2ff25ac55026d249a492d1fbbeec93bd4d705d0842c454bdfe20a39d
Instruction Fuzzy Hash: 5731CEB55043409FD724CF1AD844B6FB7E8FB88718F044A1EF59497281E778A908CBAB

Function 005289C6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,LdT,00000000,00000001,?), ref: 00528A09
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00528A29
RegCloseKey.ADVAPI32(?), ref: 00528A6D
RegCloseKey.ADVAPI32(00000000), ref: 00528A83

Strings

LdT, xrefs: 005289D6, 005289EF, 00528A02

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: LdT
API String ID: 1607946009-3948320504
Opcode ID: 345901c7cf524b5b25f769f722f871f385a4c1e204b480e626bd56a771b9e617
Instruction ID: bbece4d9773be7a197cb2581006409dc4b67376c8ed4e2ddc1987c7320454a37
Opcode Fuzzy Hash: 345901c7cf524b5b25f769f722f871f385a4c1e204b480e626bd56a771b9e617
Instruction Fuzzy Hash: 64215CB1D01214EFDF14CF9AE949ABEBFB8FF51710F10806AE405A6251DB715A44DF60

Function 00422090 Relevance: 7.7, APIs: 5, Instructions: 180networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?,00000010), ref: 004220BE
setsockopt.WS2_32 ref: 00422104
closesocket.WS2_32(00000000), ref: 00422148
closesocket.WS2_32(0000FFFF), ref: 00422172

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: closesocket$acceptsetsockopt
String ID:
API String ID: 2523747058-0
Opcode ID: 749c2e19d9338e74d74b5e042d7d02dcd14433aeb74ac6ebe7577611f8d6bc1d
Instruction ID: 52fdd21f90a89a9b9196ed685e2b50c5a9b994d46dcf78c4a2a001cbcad32ca5
Opcode Fuzzy Hash: 749c2e19d9338e74d74b5e042d7d02dcd14433aeb74ac6ebe7577611f8d6bc1d
Instruction Fuzzy Hash: 3561E075200210DFC704DF18E984AEA77A1FF98310F5441BEEE499B396C7B4E895CBA5

Function 004705E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00470611
RtlLeaveCriticalSection.NTDLL(?), ref: 004707C7
RtlInitializeCriticalSection.NTDLL(00000050), ref: 00470882

Strings

JScript, xrefs: 00470820

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: JScript
API String ID: 3991485460-3623409382
Opcode ID: a6392bebe9c07c11e2a11ed524fb9beb2fa268c44a8b0f2a973a171caa91a09f
Instruction ID: 36c108a0244efc72b6076c0dcbe38f4a8b9333a7fe32b20fc0cf8bcd4be70dc4
Opcode Fuzzy Hash: a6392bebe9c07c11e2a11ed524fb9beb2fa268c44a8b0f2a973a171caa91a09f
Instruction Fuzzy Hash: 36914771600700CFCB28DF29C491A6ABBE5FF88714F10892EE49A87741DB78E945CB95

Function 0046FE40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

GetIfTable.IPHLPAPI ref: 0046FEA0
GetIfTable.IPHLPAPI(00000000,?,00000001), ref: 0046FED0

Strings

%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0046FF38
NIC_%d, xrefs: 0046FF0B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Table
String ID: %02X:%02X:%02X:%02X:%02X:%02X$NIC_%d
API String ID: 937992258-594014613
Opcode ID: 87bbbdcc36e8e042c4ca84d16b806da14e477a7d998822e727fd6e54ce3c18b5
Instruction ID: 5a235312c15b9e816719e61c8d9e17a12166359c2c077b031ea2fb1954fe8134
Opcode Fuzzy Hash: 87bbbdcc36e8e042c4ca84d16b806da14e477a7d998822e727fd6e54ce3c18b5
Instruction Fuzzy Hash: E151A4B11043419FD314DF29D885A1BBBE8EF86724F148A2EF4A587392D734D909CB66

Function 00528AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00528AF2
PathFindExtensionA.SHLWAPI(?), ref: 00528B09
lstrcpy.KERNEL32(00000000,?), ref: 00528B33

Part of subcall function 005287EA: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0052880D
Part of subcall function 005287EA: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00528818
Part of subcall function 005287EA: ConvertDefaultLocale.KERNEL32(?), ref: 00528849
Part of subcall function 005287EA: ConvertDefaultLocale.KERNEL32(?), ref: 00528851
Part of subcall function 005287EA: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0052885E
Part of subcall function 005287EA: ConvertDefaultLocale.KERNEL32(?), ref: 00528878
Part of subcall function 005287EA: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0052887E

Strings

%s.dll, xrefs: 00528B0F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: 0baa090cf4b11c635292dd8022f0054ba16ba4d6cabd36228b00088f44dce261
Instruction ID: 81d4b4fe7d090f02eca5e7a26270fe4c873dad60ed67dd5e3173824552816a5e
Opcode Fuzzy Hash: 0baa090cf4b11c635292dd8022f0054ba16ba4d6cabd36228b00088f44dce261
Instruction Fuzzy Hash: F70175B590011C9BCF15DBA4EC959FEBBBCFF49304F0448ADA606D2240EAB19A489B50

Function 00418430 Relevance: 6.1, APIs: 4, Instructions: 85threadCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041845D
VariantClear.OLEAUT32(?), ref: 00418495

Part of subcall function 00405530: VariantCopy.OLEAUT32(?,?), ref: 0040557A

ResumeThread.KERNEL32(?), ref: 0041850D
VariantClear.OLEAUT32(?), ref: 00418518

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$CopyInitResumeThread
String ID:
API String ID: 1135631900-0
Opcode ID: 9a4f81981c8ea52ddbec1e35bcb2dea6a85cbc8df7a2a71558088969293a5a4c
Instruction ID: 565ba86151276a51a3566eeef083934379de2d12544aedc928ab1f7328db1316
Opcode Fuzzy Hash: 9a4f81981c8ea52ddbec1e35bcb2dea6a85cbc8df7a2a71558088969293a5a4c
Instruction Fuzzy Hash: 66318D712043419BC724DF25C980BABB7E5FFC8718F400A1DF95997390EB78E9498BA2

Function 0042F5E0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0042F61A
VariantClear.OLEAUT32(?), ref: 0042F651
VariantClear.OLEAUT32(00000009), ref: 0042F682
closesocket.WS2_32 ref: 0042F697

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$Initclosesocket
String ID:
API String ID: 1423517567-0
Opcode ID: 9d6f7e2574229ba16d4a7a5241c99a6b6dc7e2bbcabf47cfa40d7ca0b0b91a73
Instruction ID: 9538f9b8f1a67974cba8a9a8723a9812c29d5fc6245342e262409e577961d478
Opcode Fuzzy Hash: 9d6f7e2574229ba16d4a7a5241c99a6b6dc7e2bbcabf47cfa40d7ca0b0b91a73
Instruction Fuzzy Hash: 3F214C75104B019BC310DF68D884A5AB7F8FF88724F504B1EF4A993690D738A80A8B5A

Function 004BE7F6 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(?,00000000,004BE89C,00000000), ref: 004BE820
FlsGetValue.KERNEL32(00547300,0000000C), ref: 004BE839
FlsSetValue.KERNEL32(?), ref: 004BE84F
GetCurrentThreadId.KERNEL32 ref: 004BE861

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ThreadValue$CurrentExitUser
String ID:
API String ID: 2092121494-0
Opcode ID: 1e8a3d60379211c1a6d1ea2712604603b58514dffdfd409d50fe1692ed337532
Instruction ID: 01f0e5f1212672057a6263376c2dadeb6db46746f44a0f70939a102233b73a13
Opcode Fuzzy Hash: 1e8a3d60379211c1a6d1ea2712604603b58514dffdfd409d50fe1692ed337532
Instruction Fuzzy Hash: 2011A335500A11EFDB26BF72DC4AADE3B64FF50755B00041EF901AB261DF799C80ABA9

Function 00520AC1 Relevance: 4.6, APIs: 3, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 00520AF5

Part of subcall function 00520980: __EH_prolog.LIBCMT ref: 00520985
Part of subcall function 00520980: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 005209AF
Part of subcall function 00520980: lstrcpyn.KERNEL32(?,?,00000104,?,?,?), ref: 005209C0

CreateFileA.KERNEL32(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,00000000), ref: 00520C0A
GetLastError.KERNEL32 ref: 00520C1C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CreateErrorFileFullH_prologLastNamePathlstrcpynlstrlen
String ID:
API String ID: 4207171074-0
Opcode ID: e7c48d8cdbbbe6da910c3a1ed4fc38ab3fd4e105eb3757efc40cd6b030862242
Instruction ID: fd8954679ec740220bc6269ec791af461c36f89741bcc6287557b6e9680b298c
Opcode Fuzzy Hash: e7c48d8cdbbbe6da910c3a1ed4fc38ab3fd4e105eb3757efc40cd6b030862242
Instruction Fuzzy Hash: 89411272601229ABEB388F25EC417EDBF64FF06318F14D629E925D62D1CB78C9808B40

Function 004BE827 Relevance: 4.5, APIs: 3, Instructions: 47threadCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(00547300,0000000C), ref: 004BE839
FlsSetValue.KERNEL32(?), ref: 004BE84F
GetCurrentThreadId.KERNEL32 ref: 004BE861

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Value$CurrentThread
String ID:
API String ID: 1393879374-0
Opcode ID: a51d8ee828c084a03480e08facc5c16b08d4fa67d2f10100cda663f45e813ca7
Instruction ID: 85bd6738a2f10fc2b643a35c89d86f2cf06e2e926637c6784b33aaa4887c5a1b
Opcode Fuzzy Hash: a51d8ee828c084a03480e08facc5c16b08d4fa67d2f10100cda663f45e813ca7
Instruction Fuzzy Hash: FF016D75900700DFDB29EF72D84AA9A3BB4FF44354B10485EF906AB361DB79AC40EB64

Function 00521533 Relevance: 4.5, APIs: 3, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00521538

Part of subcall function 00527D6D: __EH_prolog.LIBCMT ref: 00527D72

SetThreadPriority.KERNEL32(?,00000000,000000FF,?,0042F4E5,0042F920,000000FF,00000002,00000000,00000004,00000000), ref: 0052158F
ResumeThread.KERNEL32(?,?,0042F4E5,0042F920,000000FF,00000002,00000000,00000004,00000000), ref: 0052159E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: H_prologThread$PriorityResume
String ID:
API String ID: 3242664038-0
Opcode ID: cff71466bf1cdcf93eedd99fb17a31b1ac0326dc34985c2bc81f8807ec6803b3
Instruction ID: a703b9e02684ead37b252c5314e22b4217b5f369b4e4fc6a6cfd2bd9e4fc0e65
Opcode Fuzzy Hash: cff71466bf1cdcf93eedd99fb17a31b1ac0326dc34985c2bc81f8807ec6803b3
Instruction Fuzzy Hash: 7201DA31A00929AFCF15AF64E809AAE7FE1FF68720F004119F812A62A1D7708E50DB84

Function 005205C7 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,?,?,?,?,?,?,?,004060E9,?,?,?), ref: 005205E6
GetLastError.KERNEL32(?,?,?,?,?,004060E9,?,?,?), ref: 005205FB
GetLastError.KERNEL32(?,?,?,?,?,?,004060E9,?,?,?), ref: 00520604

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: f3835961fb6ed34f1566f7e2798330a2895cf3e9fe0f0cd72b8137cec18f954c
Instruction ID: 3110ff08d099911be040531077becd0e974c71ec13aa39ddf5421b150bfceb19
Opcode Fuzzy Hash: f3835961fb6ed34f1566f7e2798330a2895cf3e9fe0f0cd72b8137cec18f954c
Instruction Fuzzy Hash: 3AF01DB5900208FBCB149F99EC44C9FBFB9FF95360B104659F81593290D670AE50DA60

Function 0046D540 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 0046D5CE

Strings

L, xrefs: 0046D5B4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ControlDevice
String ID: L
API String ID: 2352790924-2909332022
Opcode ID: 99f1bfbb67d4e56fb31483dd77638bf46626be04b7b2ea138fdbd043b61f7468
Instruction ID: eceb0771722ab21f827e0ec4266c7986dc207e7bc7900d244c3c91d0ae08cf5d
Opcode Fuzzy Hash: 99f1bfbb67d4e56fb31483dd77638bf46626be04b7b2ea138fdbd043b61f7468
Instruction Fuzzy Hash: 8C21C071A083805EE325CE29C84079BBBE5ABD6304F44466DF5D8CB282E665C909CBA7

Function 00418250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(000000FF,00000001), ref: 00418294

Strings

HTTPSender, xrefs: 00418259

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Sleep
String ID: HTTPSender
API String ID: 3472027048-1519306121
Opcode ID: 7347d0e3beff95fa4e3ec7cd79385cab89154d831a63904460950ab3be5d62d3
Instruction ID: 5c42cf9efdeebd46bc405b83f9c227f224b4a84e049a5bd6422e67d39ba98186
Opcode Fuzzy Hash: 7347d0e3beff95fa4e3ec7cd79385cab89154d831a63904460950ab3be5d62d3
Instruction Fuzzy Hash: 0AF02431600A018FD621DF3CD851BE7B3E4AF91B14F1009ADE85697391EB34EC48CA91

Function 0042F890 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(000000FF,00000001), ref: 0042F8D4

Strings

TCPReader, xrefs: 0042F899

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Sleep
String ID: TCPReader
API String ID: 3472027048-924911044
Opcode ID: 26aec2876ce78d0616cce2ecbb9aa0174c30f2b67a87ee5f0c5a00c942e1c947
Instruction ID: f0db09f6fd1a5ab14c6e6c70d7e0b19b15f5271ba116a925060a822c8302d75e
Opcode Fuzzy Hash: 26aec2876ce78d0616cce2ecbb9aa0174c30f2b67a87ee5f0c5a00c942e1c947
Instruction Fuzzy Hash: 6CF090317006108FD620EA3CE991BA7B3E0AF96B14F54457EE85697394EB24A84CDA61

Function 004067C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000104,00000104), ref: 004067E4

Strings

h@, xrefs: 004067C0

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileModuleName
String ID: h@
API String ID: 514040917-485769165
Opcode ID: bcb5989c7da44fd7388bda5e2814e2b2bb4111963174cf92d260c8306ea9f391
Instruction ID: f6f4b565876328e6c07187ac358b29ab1b6ea0d682b279526787564b195b85ac
Opcode Fuzzy Hash: bcb5989c7da44fd7388bda5e2814e2b2bb4111963174cf92d260c8306ea9f391
Instruction Fuzzy Hash: EDF0B4712042019FD704EF14C499AB677F5AFC0704F00852DA9C29B2E4EAB49908C755

Function 004C952A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

`oX, xrefs: 004C952A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: `oX
API String ID: 123106877-809745564
Opcode ID: 11712f4b7922ff8c0d06f7b05db324ddd9e2db1d7f258de60179af60d5f24597
Instruction ID: 15b60738abfceb4ba67fc6412edd483cfecd8dc2f352442d3a2413af0268e123
Opcode Fuzzy Hash: 11712f4b7922ff8c0d06f7b05db324ddd9e2db1d7f258de60179af60d5f24597
Instruction Fuzzy Hash: 33B012CE25A105BD3344A1443D0BC370F4CF8C0B20F70801FB401F0044D5508C410132

Function 004C95E3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

oX, xrefs: 004C95E3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: oX
API String ID: 123106877-1087975772
Opcode ID: 0cb8d0c9101b0b93aeeffe161e1082b36b41a01465a64d5cadd6f69e5a61296f
Instruction ID: 81f2206e50bbcce3738309149a63ffbf8ddddf336af4ef45c5a7396aea081b37
Opcode Fuzzy Hash: 0cb8d0c9101b0b93aeeffe161e1082b36b41a01465a64d5cadd6f69e5a61296f
Instruction Fuzzy Hash: FAB012CF25A005BD3384E1483C0BD370FCCF8C0B20F70801FB405E1244D6508C410132

Function 004C958D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

HoX, xrefs: 004C958D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: HoX
API String ID: 123106877-102607812
Opcode ID: 07059fe2799ab8c691d5498c44b6078bd127507d9ad6f780cdade98dfa899e3c
Instruction ID: 0798d817ca5789b7b1c7522c63d803b6de725c5af035adf3c59d0fdea06a51cc
Opcode Fuzzy Hash: 07059fe2799ab8c691d5498c44b6078bd127507d9ad6f780cdade98dfa899e3c
Instruction Fuzzy Hash: 5CB012DE25A101BD3384E1483C0BD370F8CF5C0B20F70811FB415E5180D550CC810132

Function 004C9597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

DoX, xrefs: 004C9597

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: DoX
API String ID: 123106877-252138144
Opcode ID: 3a7ce6ce3fdd65985fbcddc1a139c77b9a0964e651e636c27ac04529bd231059
Instruction ID: b1da57a5eb1c0778927504d02c024dc8d24bce101eef921ae244b327565c53b9
Opcode Fuzzy Hash: 3a7ce6ce3fdd65985fbcddc1a139c77b9a0964e651e636c27ac04529bd231059
Instruction Fuzzy Hash: 2AB012DE25A001BD3384E2483D0BD370F8CF4C0B20B70801FB405F1140D5508C420132

Function 004C95A1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

@oX, xrefs: 004C95A1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: @oX
API String ID: 123106877-135199356
Opcode ID: 0511980e430426b58cc0b9f4aea0cc246300131a76eb422a0079da708b13e67c
Instruction ID: cfce5ff7f7258339d7e756b8880b88803a126e5037eb6c083636ed723cd40515
Opcode Fuzzy Hash: 0511980e430426b58cc0b9f4aea0cc246300131a76eb422a0079da708b13e67c
Instruction Fuzzy Hash: 78B012DE25A001BD3384E2483C0BD370F8CF8C0B20F70801FB405E1144D5508C410132

Function 004C960D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

,oX, xrefs: 004C960D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: ,oX
API String ID: 123106877-1237567544
Opcode ID: 853863d6ba52e581622119d0e373e23e006320a609ef09ec7b1e0c3c66c86a73
Instruction ID: 7cb1d30e79dc6ad5fbbdc576c3f3397006f0b597915f337d7e5be53c340df592
Opcode Fuzzy Hash: 853863d6ba52e581622119d0e373e23e006320a609ef09ec7b1e0c3c66c86a73
Instruction Fuzzy Hash: BDB0929A25A001BD3284A158280AE360E88E4C0B20B60801AB805E124096508C410132

Function 005169D6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Strings

nX, xrefs: 005169D6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: nX
API String ID: 123106877-2063534963
Opcode ID: 9edb99e435c49636e035b9b0c1bb2ff25583bd98e067510047d04d9da9292e91
Instruction ID: 18497ab6670a01144cda64fddcf9e47927b667b2e8d2e550eb493dfc5b620b59
Opcode Fuzzy Hash: 9edb99e435c49636e035b9b0c1bb2ff25583bd98e067510047d04d9da9292e91
Instruction Fuzzy Hash: FBB012C925D001AD3304E20A9C07C770D8CF4C0B90B30891BB405E1080DA40CC800131

Function 004305B0 Relevance: 3.4, APIs: 2, Instructions: 434timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C0: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104), ref: 004067E4

GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00531773,000000FF), ref: 00430687
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00531773,000000FF), ref: 0043069E

Part of subcall function 004034E0: WideCharToMultiByte.KERNEL32(00000000,?,00430B73,?,?), ref: 00403500
Part of subcall function 004034E0: WideCharToMultiByte.KERNEL32(00000000,?,00430B73,?,?), ref: 0040353D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileTime$ByteCharMultiWide$ModuleNameSystem
String ID:
API String ID: 4206828341-0
Opcode ID: 38894adfb6d61a3ae2bf77c0c82c3575390faf0265778a48b8f64538ecbf8a3c
Instruction ID: ca934de9e489d413ba1c3901b9b1fa6b4409a1263b22d32c03f2d0f603c8e2ed
Opcode Fuzzy Hash: 38894adfb6d61a3ae2bf77c0c82c3575390faf0265778a48b8f64538ecbf8a3c
Instruction Fuzzy Hash: 24128EB49011189FDB24DF98DC91AAEBBB1BF48304F0041EDE61A7B281D774AE81CF58

Function 00406890 Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 004068D7
SetCurrentDirectoryA.KERNEL32(00A86A30), ref: 00406973

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CurrentDirectoryFullNamePath
String ID:
API String ID: 2420862269-0
Opcode ID: 1bb5d3f55abb40ab656121b66dee95e9bb539f0d5196341e5e0660e8b3aba25c
Instruction ID: 36fafe2da6f65c2cfbdee242add7a5fa10532c58a2906282cdaea31860fc5b36
Opcode Fuzzy Hash: 1bb5d3f55abb40ab656121b66dee95e9bb539f0d5196341e5e0660e8b3aba25c
Instruction Fuzzy Hash: 2921CEB1104B419FD314DF68C845FA7B7E9FB84724F008B2DF966972D0EB3494088BA6

Function 004BE8BC Relevance: 3.1, APIs: 2, Instructions: 57threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,Function_000BE827,00000000,?,?), ref: 004BE91C
GetLastError.KERNEL32 ref: 004BE926

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CreateErrorLastThread
String ID:
API String ID: 1689873465-0
Opcode ID: de7fb1d62251aa86428423a5e36b484bd4f8ea5fe19b6efebce00732055190f9
Instruction ID: 418beaa55a4aa44f53b76e86370b597c68d096807eee337c04d00525c91e0b6c
Opcode Fuzzy Hash: de7fb1d62251aa86428423a5e36b484bd4f8ea5fe19b6efebce00732055190f9
Instruction Fuzzy Hash: 1101C472205705AFEB21AFABAC41BDB37A8EF44374B10052FF95596281DB78D81487B8

Function 0045EB60 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0045EBBE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0045EBED

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8d3f17d403461f32e391da6e0282a41612e7c1b4070be3e5588db060725fa2f9
Instruction ID: 8532026009a6934491f909d7baa4d33838c954941ccd7d0bcf5f6844464e5e15
Opcode Fuzzy Hash: 8d3f17d403461f32e391da6e0282a41612e7c1b4070be3e5588db060725fa2f9
Instruction Fuzzy Hash: EA1154F16047019FD324DF55D845B9B77E8FB88700F508A1EE555C7690E7B8D504CB91

Function 00527F5D Relevance: 3.1, APIs: 2, Instructions: 51comCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00527F62
OleInitialize.OLE32(00000000), ref: 00527F87

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: H_prologInitialize
String ID:
API String ID: 773696453-0
Opcode ID: f29a58eaf4a4be0bdf2aacf5089e052dff1dedd05b51ce8df4d1e54ad4be7a63
Instruction ID: 0246bb2cc616b0dccf714e9ac6e5dc66e27c3f5205ec5666b6d164b4fa5e812b
Opcode Fuzzy Hash: f29a58eaf4a4be0bdf2aacf5089e052dff1dedd05b51ce8df4d1e54ad4be7a63
Instruction Fuzzy Hash: BD01087090C7668FC754FF70698969E7ED4BF4A324F501A3DE057E66C2D77089408620

Function 004191E0 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 00419234
InterlockedDecrement.KERNEL32(?), ref: 0041924C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID:
API String ID: 2172605799-0
Opcode ID: a4a9951c51af0406651a079065e38236ca1a1bd894a4f71d3e29b60d1815c758
Instruction ID: 4da12973d2ba14f59f7d552168718776882c973a6276331438fa729f2eae0e40
Opcode Fuzzy Hash: a4a9951c51af0406651a079065e38236ca1a1bd894a4f71d3e29b60d1815c758
Instruction Fuzzy Hash: 10012D30300712ABE7249F65D894BABB7E5BF98705F00485EE446C7780D774E8858F54

Function 00430180 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00527F5D: __EH_prolog.LIBCMT ref: 00527F62

Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,00531E68,000000FF), ref: 004301E8

Strings

TimeCache, xrefs: 004301A9

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: H_prologSleep
String ID: TimeCache
API String ID: 3469354165-4075798390
Opcode ID: 7caaee2c6534d425377018860a210841120d5e4658d0fec1ce48e4003b8c668d
Instruction ID: ac34bd33796c40c42f4220bf240c8fa21917fd5f7a4b0446a2b5e05290ecdc21
Opcode Fuzzy Hash: 7caaee2c6534d425377018860a210841120d5e4658d0fec1ce48e4003b8c668d
Instruction Fuzzy Hash: 8201D231604B418FD720EF28C951B5BBBE4BF99B14F004A1DF46587391DB38E804CB81

Function 004BAB15 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004BAB33

Part of subcall function 004BF246: RtlEnterCriticalSection.NTDLL(?), ref: 004BF26E

RtlFreeHeap.NTDLL(00000000,?,005471E8,0000000C,004BE880,?), ref: 004BAB7A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: 28194288793b1ee665a6584f090498493f383b0c9c2bb40bfe8ebea5d37ef041
Instruction ID: 9e1e078aefda542e60584da30aea76cd9b49378bee3341c7cc378ef1a02bb156
Opcode Fuzzy Hash: 28194288793b1ee665a6584f090498493f383b0c9c2bb40bfe8ebea5d37ef041
Instruction Fuzzy Hash: 7AF0F031809305AADF207BA29C06BDF7B71EF00368F10111BF624661D0CB7C69549ABE

Function 004BAA5C Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004BAA7E

Part of subcall function 004BF246: RtlEnterCriticalSection.NTDLL(?), ref: 004BF26E

RtlAllocateHeap.NTDLL(00000000,?,005471D8), ref: 004BAABF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: a28f097c893ff6c31898c9f18a926452446e75821a3cd00782ed58fb33ceeb04
Instruction ID: 64842cdbc84dfdf8ea9fb08e5a42502994b5bf730cb3fd3a542a574242511a20
Opcode Fuzzy Hash: a28f097c893ff6c31898c9f18a926452446e75821a3cd00782ed58fb33ceeb04
Instruction Fuzzy Hash: 29F0AF318412119ADB20BB75ED017DE77B0EB14364F14522AE810B62E0E7382D19DABD

Function 0043E400 Relevance: 3.0, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(-0000002C), ref: 0043E42C
SysAllocString.OLEAUT32(?), ref: 0043E43A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocClearStringVariant
String ID:
API String ID: 1959693985-0
Opcode ID: c5ac05655110245907048e882c7e2952c4c03f701d57d4a96e33e421fdf2b874
Instruction ID: df107f4abdea291d3559f8313f9883724da9cc36188c036bac43430c183553c4
Opcode Fuzzy Hash: c5ac05655110245907048e882c7e2952c4c03f701d57d4a96e33e421fdf2b874
Instruction Fuzzy Hash: 6CF01471508302AFC700EF29C80056BB7F8FF98314F00992EE898C7260E7B4D5488B9A

Function 004BF291 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,004BC939,00000001,?,00547278,00000060), ref: 004BF2A2

Part of subcall function 004BF2E2: RtlAllocateHeap.NTDLL(00000000,00000140,004BF2CA), ref: 004BF2EF

HeapDestroy.KERNEL32(?,00547278,00000060), ref: 004BF2D5

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Heap$AllocateCreateDestroy
String ID:
API String ID: 316229882-0
Opcode ID: 4e596ef0558f11482c8c339a79ef6ce778a20a1ad59a039416e23f173356e72f
Instruction ID: ff2931a12967a4ab39354c74603e3552a733b3b6e0e8dc75829cc63feb13a387
Opcode Fuzzy Hash: 4e596ef0558f11482c8c339a79ef6ce778a20a1ad59a039416e23f173356e72f
Instruction Fuzzy Hash: B9E0DF7CA007009AEF087B706C0476B77E4EB54342F10587AF80AE51E0FB398808BB38

Function 0052053C Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,004061D5,?,?), ref: 0052055B
GetLastError.KERNEL32(?,?,?,004061D5,?,?), ref: 00520568

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 17a9bbf9ac3a4b74a941161b81089d77754b00495f42deda02b6f6fa40a0e082
Instruction ID: 901ed4af818e65811edd77b27c016e9a75fcde4c0d39203aebbdfaaea2d7aade
Opcode Fuzzy Hash: 17a9bbf9ac3a4b74a941161b81089d77754b00495f42deda02b6f6fa40a0e082
Instruction Fuzzy Hash: CAE06D31600618BBCF105FA0EC04FAA7FACBF14321F40D425BA19C60A1D770DA10AF50

Function 0042F6C0 Relevance: 3.0, APIs: 2, Instructions: 23fileCOMMON

Download Yara Rule

APIs

ReadFileEx.KERNEL32(?,?,00001000,?,Function_0002F5E0), ref: 0042F6DE
closesocket.WS2_32 ref: 0042F6F8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileReadclosesocket
String ID:
API String ID: 2833258487-0
Opcode ID: 30e1135791406ffa04849be033d69e585b0cb144d55e65dd6a03b8c39216063f
Instruction ID: 8cd2fd4a970599531a1e5557a5f9b7e08f0e4b2de403cd661744a4cd9418448f
Opcode Fuzzy Hash: 30e1135791406ffa04849be033d69e585b0cb144d55e65dd6a03b8c39216063f
Instruction Fuzzy Hash: FEE065712007119BC250DB64D944D9B77A8BF58B607901A19F5A2C26D0E774F8858B54

Function 00406990 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 00406AFE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: DirectoryPath
String ID:
API String ID: 1580926078-0
Opcode ID: 1f407b65feb3fcaf4e8bff7bc0556654d88e6075e4c69be07d3599a590d6e466
Instruction ID: 42002faf1b482992fd4a321946ba5abe4ba5dcf9dabde95c8f8853520b25750d
Opcode Fuzzy Hash: 1f407b65feb3fcaf4e8bff7bc0556654d88e6075e4c69be07d3599a590d6e466
Instruction Fuzzy Hash: 3151DF716007418FC300DF68C844A1BBBA4FF89324F158B6EE59AAB3D1DB39D905CB96

Function 0042F400 Relevance: 1.6, APIs: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,0042F890,000000FF,00000002,00000000,00000004,00000000,0042F920,000000FF,00000002,00000000,00000004,00000000), ref: 0042F50F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1c0835d0b557218c3648b84013d1aefb777993c2b0c520b5bd20261140726d92
Instruction ID: 42769a2da76655e9b4ae6a122df6d52672e36c5f26351284f4116551f926605e
Opcode Fuzzy Hash: 1c0835d0b557218c3648b84013d1aefb777993c2b0c520b5bd20261140726d92
Instruction Fuzzy Hash: A9314EB0600B51AAD220AF659C0AF5BBEE8BFD5B10F400A2FF15997291D7B46444CB65

Function 004619B0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00461710: StringFromCLSID.COMBASE ref: 0046174B
Part of subcall function 00461710: InterlockedExchange.KERNEL32(00000000,00000000), ref: 00461766

CoGetClassObject.COMBASE(?,00000017,00000000,0054859C,00000000), ref: 00461A05

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClassExchangeFromInterlockedObjectString
String ID:
API String ID: 4025817351-0
Opcode ID: 4baaaee7fe1cf72a3a8e899e91667b65f44ae89c3888162ed382943b5dcf2486
Instruction ID: ba795abddb8392254868d64a78975887cf0e025bdc244d90152bde30f48e930b
Opcode Fuzzy Hash: 4baaaee7fe1cf72a3a8e899e91667b65f44ae89c3888162ed382943b5dcf2486
Instruction Fuzzy Hash: 68213975204611AFD210CB59C844B5BBBE8EBC9B64F148A1EF459D32A0D778E902CBA2

Function 00418190 Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

QueueUserAPC.KERNEL32(004180D0,?,00000000,?,00000000,005454C0), ref: 00418241

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: QueueUser
String ID:
API String ID: 3100016393-0
Opcode ID: 7a793e1bdefdb78ceed9f0aff53a3e3fae73b44e44cd669902209dc66b48f40c
Instruction ID: 3339218ddef1f736e6f748338ca2911851dfdfd55c490a62f508f4023b561b32
Opcode Fuzzy Hash: 7a793e1bdefdb78ceed9f0aff53a3e3fae73b44e44cd669902209dc66b48f40c
Instruction Fuzzy Hash: BA216D712007059FD724DF51D858BABBBE5BF88710F040A2DE94687781DB74E849CBA6

Function 0042F710 Relevance: 1.6, APIs: 1, Instructions: 63injectionCOMMON

Download Yara Rule

APIs

QueueUserAPC.KERNEL32(Function_0002F6C0,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00531E88), ref: 0042F797

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: QueueUser
String ID:
API String ID: 3100016393-0
Opcode ID: 4a106c6f85d56edd0914bc2dabfaef83261f30495bda01b991c0a4d7c4a1b061
Instruction ID: eb0921344d8b9b8f8180907e32979708ae52cb496eeb4951d508c1bacb8642e9
Opcode Fuzzy Hash: 4a106c6f85d56edd0914bc2dabfaef83261f30495bda01b991c0a4d7c4a1b061
Instruction Fuzzy Hash: AA11B7353047219BC314DF29D884B6B77E5EBC4B20F900A3EE85587790D7389C098755

Function 00417CA0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F400: ResumeThread.KERNEL32(?,0042F890,000000FF,00000002,00000000,00000004,00000000,0042F920,000000FF,00000002,00000000,00000004,00000000), ref: 0042F50F

Part of subcall function 00521533: __EH_prolog.LIBCMT ref: 00521538

ResumeThread.KERNEL32(?,00418250,?,00000002,00000000,00000004,00000000), ref: 00417D3E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ResumeThread$H_prolog
String ID:
API String ID: 966760826-0
Opcode ID: 3460f26ee41a5d87f115fd8e265d05fe151286a2f9b9445111bca665a58b4cea
Instruction ID: 2a72089c400ac4e90667e449d7a8ba8102e736e04012dceb12620def67399abd
Opcode Fuzzy Hash: 3460f26ee41a5d87f115fd8e265d05fe151286a2f9b9445111bca665a58b4cea
Instruction Fuzzy Hash: B7115EB1540B419FC310DF6AD981BD7FBE4FB48714F40492EE55A97681C778A404CB91

Function 00422E00 Relevance: 1.6, APIs: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00422E4A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f84a56c1c81bfc5bd586e26b2e94c2506aef0a3539a66478781990a2227524b3
Instruction ID: eb5f5b52ea8f0b68eb03c101396c434006ceb2f97c1f24c590255b1cfe28c82e
Opcode Fuzzy Hash: f84a56c1c81bfc5bd586e26b2e94c2506aef0a3539a66478781990a2227524b3
Instruction Fuzzy Hash: D101263230042126C724583CBE44B6B264DCF81370F56073BFA2DC73D5EEA8CC561158

Function 005295ED Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005295F2

Part of subcall function 00529338: TlsAlloc.KERNEL32(?,0052961C,?,?,?,005299F7,00527A88,0051FFB3,004033D0,?), ref: 0052935A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 7c38a8aa3250caac651e5e1f3e9bb43e3addc3ac039535de78ca40e38ca99298
Instruction ID: 7b56cc4b762e5c1742dd358a0fde464539f30ba711b968d4c4c069456f0593e5
Opcode Fuzzy Hash: 7c38a8aa3250caac651e5e1f3e9bb43e3addc3ac039535de78ca40e38ca99298
Instruction Fuzzy Hash: 1301A2316022119BDF29AF28E81966D7BB5FFE6310F10042EE891A73E1EB748D00CB21

Function 0052BBEE Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0052BBF3

Part of subcall function 0052BB5C: __EH_prolog.LIBCMT ref: 0052BB61

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5d486f803c5d31f930433d8260c1bbb1467e5f182869af4de63a2f6f39045b43
Instruction ID: 30e6b097befa57c934d06b3bfba8d05be0feae320870c6250986d06385805a57
Opcode Fuzzy Hash: 5d486f803c5d31f930433d8260c1bbb1467e5f182869af4de63a2f6f39045b43
Instruction Fuzzy Hash: 31E0E57191021AAFDF48EFB4DD065EE7EB5BF04310F10466DB125E61D1D7704A409721

Function 00528D27 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0058AD68,?), ref: 00528D53

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 5494571482ab6523701fa0a0666b8e23d4020b6db1fc6da4bf984162a5b49010
Instruction ID: ce77c1fc1d3d89cd7d950fcac10c285aa5eb39b6d3b4751bff04be0289300b4d
Opcode Fuzzy Hash: 5494571482ab6523701fa0a0666b8e23d4020b6db1fc6da4bf984162a5b49010
Instruction Fuzzy Hash: 9EE04F35104A108FD721AFA9A40895ABBE5FFD9321716445FE591C7371DB30C8418B41

Function 004C950A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C94FB

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 9b97b9173e27bbfe490beda7bfaa00e3e2d2b414af44124157976206633d2145
Instruction ID: 87769a2663b9c420ef32d30f79dfdc648fb12814457ad9d38a2683a66cf48bb1
Opcode Fuzzy Hash: 9b97b9173e27bbfe490beda7bfaa00e3e2d2b414af44124157976206633d2145
Instruction Fuzzy Hash: 11B012C925D002BC3248E2082C0BE360E9CF4C1B10730C01FB805E2044D650DCC6013B

Function 004C95C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: efc46ef6bcdea6e32bfa68ec3af94de4afdc9c9b98115658372ca2e95ae52cfe
Instruction ID: d801017240158cb4aab1f6804643d507d386b2e58320dbca485bcbf4ed4e4434
Opcode Fuzzy Hash: efc46ef6bcdea6e32bfa68ec3af94de4afdc9c9b98115658372ca2e95ae52cfe
Instruction Fuzzy Hash: 36B012CE25A101BD3385F1483D0BD370F8CF5C0B20B70811FB415E5184D5508C810132

Function 004C95BF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c9fc6ab25c29f1784a315f4c4d7d79b82fe779c0cb435fbb4aa9b9c2cc6c9482
Instruction ID: 660ff674b19b5f738a6c79fc1e5cad8b187649475f1e0386aefd66fe6dfab3de
Opcode Fuzzy Hash: c9fc6ab25c29f1784a315f4c4d7d79b82fe779c0cb435fbb4aa9b9c2cc6c9482
Instruction Fuzzy Hash: 83B012CE25A001FD3385F2487D0BD370F8CF4C0B20B70801FB405E1144D5508C420132

Function 004C95B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ced8242da82dbe88bce8c4a7915b4d316dbcf40e31d881a7cd926b705c502537
Instruction ID: 88719bcd67f4d4aa609668ff7f79730e6ede3cda654fea46768985920b196dce
Opcode Fuzzy Hash: ced8242da82dbe88bce8c4a7915b4d316dbcf40e31d881a7cd926b705c502537
Instruction Fuzzy Hash: 7BB012CE25A001BD3385F1483C0BD370F8CF8C0B20F70841FB405E1188D9508C410132

Function 005169FE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ba69dee8123767d13ce4b7f023844f8967df3ffb9d2c49c88087f7062e9e75e3
Instruction ID: 5065666b86fb946ef2c31b546f578ab6580d540ff47bc9e18f9d80621df073ee
Opcode Fuzzy Hash: ba69dee8123767d13ce4b7f023844f8967df3ffb9d2c49c88087f7062e9e75e3
Instruction Fuzzy Hash: 30B012C925D101AD3304E20EAC07C770D8CF4C0B50F34841AB405E1180DA404C800231

Function 005169B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7a90fabe33522cd8f758bc2e2d07c770fe7acf3fc6e58b52deb5eb71534d0bb2
Instruction ID: baa9e457cafab2e01388a2f8f51d8d77bf80a18eb9b0062378095384aee8c556
Opcode Fuzzy Hash: 7a90fabe33522cd8f758bc2e2d07c770fe7acf3fc6e58b52deb5eb71534d0bb2
Instruction Fuzzy Hash: F9B012D925D002BE3304A2069C1BC770D4CF4C0F50B30882AB801F0080DA404C800031

Function 004C94EE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C94FB

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 034bd24da7d746da193b3ca7649a0bde5dc6325f5038746b95b8eb0a5a345ae3
Instruction ID: f64d3744e6f736c1d42aa6aa0cf82174860922a4460d24d77dfaa90c3b0a946a
Opcode Fuzzy Hash: 034bd24da7d746da193b3ca7649a0bde5dc6325f5038746b95b8eb0a5a345ae3
Instruction Fuzzy Hash: 99A011CA2AA003BC3008A200AC0BC3A0A2CE8C2B20B30C00EB802A0080AA802C82003A

Function 004C9550 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 4a47b245f749dc44d95244a7a450a833f48e97b1cb8f18e48dfe02e9ede9697a
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 4a47b245f749dc44d95244a7a450a833f48e97b1cb8f18e48dfe02e9ede9697a
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C956A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bbf15e8750ec3f2489384e518e31c022356099ec96826339742a0689b2fafd93
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: bbf15e8750ec3f2489384e518e31c022356099ec96826339742a0689b2fafd93
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9560 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2d02d562066509d07803bfff61b49be7f1bcc4c99af1f6ecc25ea2a324cc5467
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 2d02d562066509d07803bfff61b49be7f1bcc4c99af1f6ecc25ea2a324cc5467
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C957E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 29af03ecab6d0c467d435b3a9100545e3913304fd39946b36041e18aefb865fc
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 29af03ecab6d0c467d435b3a9100545e3913304fd39946b36041e18aefb865fc
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9574 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3d23c349a763a9128831b46bd26c335d3ee3679cecca4d0f870d3e7346202cbb
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 3d23c349a763a9128831b46bd26c335d3ee3679cecca4d0f870d3e7346202cbb
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C951F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C94FB

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 8f4b71aafc1a822b3c7b02ab05ff418e83f79298e1a72257c8ec451d0933e424
Instruction ID: 2781977fc9e977f27f4357a609bd9a8a674a645b6daae4fa5dc57a7041fe53e8
Opcode Fuzzy Hash: 8f4b71aafc1a822b3c7b02ab05ff418e83f79298e1a72257c8ec451d0933e424
Instruction Fuzzy Hash: C9A011CA2AE003BC3008A2002C0BC3A0A2CE8C2BA0B30880EB002A0080AA802C82003A

Function 004C95D8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b890b05b8b49c60d860b058127d75de2c5de11d7fc82b82353f8c15bf27d6c43
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: b890b05b8b49c60d860b058127d75de2c5de11d7fc82b82353f8c15bf27d6c43
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C95F8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b94606dabe1f4d2265eacdcce7cb0f00dfd5397b8121a49c78b1e41a33885026
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: b94606dabe1f4d2265eacdcce7cb0f00dfd5397b8121a49c78b1e41a33885026
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bead866fada7a52eef560db8beee593fe6321273daacc437a31637f2730ca270
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: bead866fada7a52eef560db8beee593fe6321273daacc437a31637f2730ca270
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C95B0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 4a78a025741bec50d7bfa250870cc0e2f33de2d207f68138d7b6aa47ef042638
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 4a78a025741bec50d7bfa250870cc0e2f33de2d207f68138d7b6aa47ef042638
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9608 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2fed5d3aaeb3394f425b5d43aa1e08c1b207824e9902479d2288e3950c4eb8d1
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 2fed5d3aaeb3394f425b5d43aa1e08c1b207824e9902479d2288e3950c4eb8d1
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C961C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 339b2b68e89f86f3aa0fa4a93abbce08bc827a74578b4d50120ed38dabba52dc
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 339b2b68e89f86f3aa0fa4a93abbce08bc827a74578b4d50120ed38dabba52dc
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9626 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 72e379d3ed127e534eeace366bb731a037fb89b1f15b69863e03547dbcded640
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 72e379d3ed127e534eeace366bb731a037fb89b1f15b69863e03547dbcded640
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 004C9630 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004C953C

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 45c16515aa658271a6a3157d7cd6666440aa09fb844b1ed5187b7c16e809e347
Instruction ID: d2f50bcb234ecf55ba978d71387c0f4a3dcb11bd5fea1b75d6faaef75ee109c6
Opcode Fuzzy Hash: 45c16515aa658271a6a3157d7cd6666440aa09fb844b1ed5187b7c16e809e347
Instruction Fuzzy Hash: 70A011CE2AA002BC3288A2802C0BC3B0B0CE8C0B20BB0880EB002A0080AA800C820032

Function 005169D1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a423fbb95190f48cb48d869e031ba93791b99942b5d218dbc7befab5d16aab40
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: a423fbb95190f48cb48d869e031ba93791b99942b5d218dbc7befab5d16aab40
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 005169F9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d2c775824d42eb98fc33c6bf4218ba102fe89619594afc4a4aded367e83777c7
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: d2c775824d42eb98fc33c6bf4218ba102fe89619594afc4a4aded367e83777c7
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 005169E5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a6c0d4a5262357fa0ba3cd96a14ee80b1169551e5793409c587de272bd31bbf9
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: a6c0d4a5262357fa0ba3cd96a14ee80b1169551e5793409c587de272bd31bbf9
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 005169EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 78ce6884b4dcfc17393e91c1c17a692400c2902a85a419d8e5533a8672ba4696
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: 78ce6884b4dcfc17393e91c1c17a692400c2902a85a419d8e5533a8672ba4696
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 00516A17 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c53b3fe96c5c1d8b05c1d2d4ef0146c320aac317cbe1aa088ed08cf138e61928
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: c53b3fe96c5c1d8b05c1d2d4ef0146c320aac317cbe1aa088ed08cf138e61928
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 00516A0D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 8dad4528e2b32875b712f51b1af7357d4f86c183790d253692cefc7eec1f1dcb
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: 8dad4528e2b32875b712f51b1af7357d4f86c183790d253692cefc7eec1f1dcb
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Function 00516A21 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005169C3

Part of subcall function 00516A57: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00516ACE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 86cded44a18e6c19efd432c01c98ff8a85eb95e44e399ce769379f4f4b316fe4
Instruction ID: e5eabf3136a287af3367c5058ca6bda0b746300a7a0139f3af7339c15d534c9a
Opcode Fuzzy Hash: 86cded44a18e6c19efd432c01c98ff8a85eb95e44e399ce769379f4f4b316fe4
Instruction Fuzzy Hash: F1A011CA2AE002BC3008A2022C0BCBA0E0CE8C0BA0B30880AB002A0080AA8008800030

Non-executed Functions

Function 00424AC0 Relevance: 109.2, APIs: 10, Strings: 52, Instructions: 740libraryloaderwindowCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00424B9A
InterlockedExchange.KERNEL32(?,00000000), ref: 00424BE8
FindResourceA.KERNEL32(00000000,00000001,00000010), ref: 00424BFE
LoadResource.KERNEL32(00000000,00000000), ref: 00424C07
LockResource.KERNEL32(00000000), ref: 00424C0E
GetModuleHandleA.KERNEL32(ole32.dll,CoGetObjectContext), ref: 00424C4C
GetProcAddress.KERNEL32(00000000), ref: 00424C53
MessageBoxA.USER32(00000000,Cannot initializes the scripting engine !!!,NetBox Version 2.8 Build 4128,00000010), ref: 00424C81
ExitProcess.KERNEL32 ref: 00424C89

Part of subcall function 00410EE0: RtlInitializeCriticalSection.NTDLL(00000018), ref: 00410F13

Part of subcall function 004279C0: VariantInit.OLEAUT32(?), ref: 004279FA
Part of subcall function 004279C0: CLSIDFromProgID.COMBASE ref: 00427A1E
Part of subcall function 004279C0: CoCreateInstance.COMBASE(?,00000000,00000017,00562680,?), ref: 00427A3A
Part of subcall function 004279C0: VariantClear.OLEAUT32(?), ref: 00427A55

InterlockedExchange.KERNEL32(0058D28C,00000000), ref: 00424CBD

Part of subcall function 00470800: RtlInitializeCriticalSection.NTDLL(00000050), ref: 00470882

Part of subcall function 0045D010: StringFromCLSID.COMBASE ref: 0045D03B
Part of subcall function 0045D010: RtlEnterCriticalSection.NTDLL(005734F4), ref: 0045D057
Part of subcall function 0045D010: InterlockedExchange.KERNEL32(?,?), ref: 0045D0D8
Part of subcall function 0045D010: InterlockedExchange.KERNEL32(?,00000000), ref: 0045D10F
Part of subcall function 0045D010: RtlLeaveCriticalSection.NTDLL(005734F4), ref: 0045D129
Part of subcall function 0045D010: CoTaskMemFree.COMBASE(?), ref: 0045D134

Strings

NetBox.List, xrefs: 0042508E
1V, xrefs: 00425327
PJB, xrefs: 00424B0A
VBScript, xrefs: 00424C5E
4+V, xrefs: 00425039
NetBox.Identity, xrefs: 0042529B
D2V, xrefs: 0042549E
NetBox.Queue, xrefs: 00424FF8
l,V, xrefs: 00425084
NetBox.Hash, xrefs: 004252E6
NetBox.MessageManager, xrefs: 004250D9
var scriptObject = new Object(), xrefs: 00424C8F
9465, xrefs: 00424DE3
APP_Created, xrefs: 00424D34
NetBox.Database, xrefs: 004254F3
NetBox.Dictionary, xrefs: 00424FAD
APP_Info, xrefs: 00424DC4
Set scriptObject = Err, xrefs: 00424C59
NetBox.Comm, xrefs: 00425205
NetBox.Http, xrefs: 00425124
NetBox Version %c.%c Build %d, xrefs: 00424C2B
7V, xrefs: 00425165
ole32.dll, xrefs: 00424C42
08V, xrefs: 004253BD
CoGetObjectContext, xrefs: 00424C3D
P,V, xrefs: 00425408
PROG_Info, xrefs: 00424E63
Cannot initializes the scripting engine !!!, xrefs: 00424C7B
netbox, xrefs: 00424EE6
APP_Version, xrefs: 00424CEA
NetBox.RSA, xrefs: 00425331
NetBox.Cipher, xrefs: 004253C7
NetBox.PipeLine, xrefs: 00425250
p V, xrefs: 00424F5E
NetBox.Stream, xrefs: 0042516F
NetBox.Arguments, xrefs: 00425043
shell, xrefs: 00424EFE
X1V, xrefs: 00425534
NetBox.UDPSocket, xrefs: 0042545D
NetBox.HtmlWindow, xrefs: 00425412
Release DateTime, xrefs: 00424D06
NetBox.Recordset, xrefs: 0042553E
4(V, xrefs: 00425246
.ini, xrefs: 004255BF
NetBox.File, xrefs: 004251BA
NetBox Version 2.8 Build 4128, xrefs: 00424C30, 00424C76, 00424CD4
NetBox.Image, xrefs: 004254A8
NetBox.Random, xrefs: 0042537C
JScript, xrefs: 00424C94
8FV, xrefs: 00424EF4
l)V, xrefs: 004251B0
<1V, xrefs: 004252DC

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CriticalSection$Resource$FromInitializeVariant$AddressClearCreateEnterExitFindFreeHandleInitInstanceLeaveLoadLockMessageModuleProcProcessProgStringTask
String ID: 1V$.ini$08V$4(V$4+V$8FV$9465$<1V$APP_Created$APP_Info$APP_Version$Cannot initializes the scripting engine !!!$CoGetObjectContext$D2V$JScript$NetBox Version %c.%c Build %d$NetBox Version 2.8 Build 4128$NetBox.Arguments$NetBox.Cipher$NetBox.Comm$NetBox.Database$NetBox.Dictionary$NetBox.File$NetBox.Hash$NetBox.HtmlWindow$NetBox.Http$NetBox.Identity$NetBox.Image$NetBox.List$NetBox.MessageManager$NetBox.PipeLine$NetBox.Queue$NetBox.RSA$NetBox.Random$NetBox.Recordset$NetBox.Stream$NetBox.UDPSocket$P,V$PJB$PROG_Info$Release DateTime$Set scriptObject = Err$VBScript$X1V$l)V$l,V$netbox$ole32.dll$p V$shell$var scriptObject = new Object()$7V
API String ID: 4242674838-1438605144
Opcode ID: 9ee43067234c17b3756e5fa229f951eec6431fc4c494745eefb0b25569967427
Instruction ID: c3657cbd7998f2e7def59341c5c30e593e978b1d5a3e2d12a163bed53a5b9d1e
Opcode Fuzzy Hash: 9ee43067234c17b3756e5fa229f951eec6431fc4c494745eefb0b25569967427
Instruction Fuzzy Hash: 36420470B003505AD710AF66BC06A563FF0BBA5B18F00451BFC44A73E2D7B99449DBBA

Function 0040C0D0 Relevance: 55.2, APIs: 13, Strings: 18, Instructions: 936fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 0040C26D

Strings

<a:iscollection b:dt="boolean">1</a:iscollection></a:prop></a:propstat></a:response>, xrefs: 0040C92B, 0040C965
<a:lastaccessed b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:lastaccessed>, xrefs: 0040C8F4
</a:multistatus>, xrefs: 0040C9EE, 0040CA28
</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop>, xrefs: 0040C7C4, 0040C7FE
http://, xrefs: 0040C4F0
text/xml, xrefs: 0040C369
Cache-control, xrefs: 0040C359
<a:creationdate b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:creationdate>, xrefs: 0040C89E
Content-Type, xrefs: 0040C36F
private, xrefs: 0040C34B
*.*, xrefs: 0040C1F8
<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">, xrefs: 0040C38D, 0040C3C7
\*.*, xrefs: 0040C204
<a:response><a:href>, xrefs: 0040C639, 0040C673
<a:getlastmodified b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:getlastmodified>, xrefs: 0040C848
Content-Location, xrefs: 0040C5D7
<a:getcontentlength b:dt="int">%I64d</a:getcontentlength></a:prop></a:propstat></a:response>, xrefs: 0040C991
:%d, xrefs: 0040C3DD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileFindFirst
String ID: *.*$:%d$</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop>$</a:multistatus>$<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">$<a:creationdate b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:creationdate>$<a:getcontentlength b:dt="int">%I64d</a:getcontentlength></a:prop></a:propstat></a:response>$<a:getlastmodified b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:getlastmodified>$<a:iscollection b:dt="boolean">1</a:iscollection></a:prop></a:propstat></a:response>$<a:lastaccessed b:dt="dateTime.tz">%04d-%02d-%02dT%02d:%02d:%02d.%03dZ</a:lastaccessed>$<a:response><a:href>$Cache-control$Content-Location$Content-Type$\*.*$http://$private$text/xml
API String ID: 1974802433-2220525765
Opcode ID: a426e046324a537ccb2bc1635584c0eb3a6e9bc3c7cfdc3f4ab571b709f15e17
Instruction ID: d8f7c2aeb292f7603a78f658625695b9ad18c6651b4305abd160036c33a165db
Opcode Fuzzy Hash: a426e046324a537ccb2bc1635584c0eb3a6e9bc3c7cfdc3f4ab571b709f15e17
Instruction Fuzzy Hash: FA72CD70204341DFD324DF29C885BABB7A8BF84314F14866EF8559B2D1DB78E905CBA6

Function 0051DB26 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

./\, xrefs: 0051DBCE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: ./\
API String ID: 0-3176372042
Opcode ID: 71b43d6599a1001abe850088a3a95854c302654ac168757e792f569a4a720ef8
Instruction ID: 0150ca35033f89e4d382cce8582d91c3858da50e2ba9f47fc08efc804940a70c
Opcode Fuzzy Hash: 71b43d6599a1001abe850088a3a95854c302654ac168757e792f569a4a720ef8
Instruction Fuzzy Hash: 60915E728002699AEB309FA58C45BEEBBBCBF08741F00059AF959E6141E7749AC4DB70

Function 00428910 Relevance: 21.9, APIs: 1, Strings: 11, Instructions: 920COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0058D45C), ref: 00428C35

Strings

xPV, xrefs: 0042955D
-, xrefs: 00428D73
\main.box, xrefs: 00429270, 00429398
LIB_%d, xrefs: 00428D99
xPV, xrefs: 00429294
9465, xrefs: 00428ACE
NetBox, xrefs: 00429455
Shell, xrefs: 0042942F
1.2.1, xrefs: 00428ECD, 0042911C
8FV, xrefs: 00429421
[%d]: , xrefs: 004294A8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: IncrementInterlocked
String ID: -$1.2.1$8FV$9465$LIB_%d$NetBox$Shell$[%d]: $\main.box$xPV$xPV
API String ID: 3508698243-1355046871
Opcode ID: 97beb009b20de137afb4976c968f52cd2dd66b6457dfbcb026b92da0aca41972
Instruction ID: 839f35530dadb65734641e4a055eab3bcacb8d2d268ed0b69d3b44a17c79c627
Opcode Fuzzy Hash: 97beb009b20de137afb4976c968f52cd2dd66b6457dfbcb026b92da0aca41972
Instruction Fuzzy Hash: 5A8205712083809FD324DB28D845B9FBBE5BFC9314F148A6DE98987392DB74D805CB96

Function 004609E0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 402fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00460A18
InterlockedExchange.KERNEL32(?,00000000), ref: 00460BD3
InterlockedExchange.KERNEL32(?,?), ref: 00460CAA
InterlockedExchange.KERNEL32(?,00000000), ref: 00460CCF
InterlockedExchange.KERNEL32(?,00000000), ref: 00460CE6
InterlockedExchange.KERNEL32(?,00000000), ref: 00460D29
InterlockedExchange.KERNEL32(?,00000000), ref: 00460DF0
FindNextFileW.KERNEL32(?,?,?), ref: 00460E08
FindClose.KERNEL32(?), ref: 00460E43

Strings

*.*, xrefs: 004609FD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$Find$File$CloseFirstNext
String ID: *.*
API String ID: 3249736490-438819550
Opcode ID: 55e92adf83b2a117161c248efff5cd81d401c75b28c0d5b6e28398599484dafe
Instruction ID: bf8ad870751040ffdf9eef212a94a27d0f4e56edac48fbd55ed86bd58b657eb0
Opcode Fuzzy Hash: 55e92adf83b2a117161c248efff5cd81d401c75b28c0d5b6e28398599484dafe
Instruction Fuzzy Hash: D9E1D1716043419FC314DF68C884A1BB7E9FFC5324F148A5EF5968B292DB38E809CB96

Function 00434820 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000008,00000000), ref: 00434841
ExitWindowsEx.USER32(00000008,00000000), ref: 00434853
GetCurrentProcess.KERNEL32(00000028,?), ref: 00434864
OpenProcessToken.ADVAPI32(00000000), ref: 0043486B
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00434881
AdjustTokenPrivileges.ADVAPI32 ref: 004348A9
InitiateSystemShutdownA.ADVAPI32(00000000,00000000,00000000,00000001,?), ref: 004348C1
ExitWindowsEx.USER32(00000008,00000000), ref: 004348D4
ExitWindowsEx.USER32(00000008,00000000), ref: 004348DC

Strings

SeShutdownPrivilege, xrefs: 0043487A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExitWindows$ProcessToken$AdjustCurrentInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
String ID: SeShutdownPrivilege
API String ID: 2608600139-3733053543
Opcode ID: 5f7e6ea09664ca01727145af414553f37b80e69a54074499600adf7402ea985a
Instruction ID: dd8f302192072b17f3c5296a226a7874175125b65c90adb9cc24f6a0499ac1c1
Opcode Fuzzy Hash: 5f7e6ea09664ca01727145af414553f37b80e69a54074499600adf7402ea985a
Instruction Fuzzy Hash: 061108753417107BF214AB55DC89FBB779CEF99B14F001426FA04A62C0E7A9F809877A

Function 004A1470 Relevance: 13.2, APIs: 1, Strings: 6, Instructions: 912COMMON

Download Yara Rule

Strings

0123456789ABCDEF0123456789abcdef, xrefs: 004A17B9
0000, xrefs: 004A1D98
NaN, xrefs: 004A1A58
, xrefs: 004A20A6, 004A20BA, 004A2124, 004A2138
+, xrefs: 004A18C8
-x0, xrefs: 004A1852

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: $+$-x0$0000$0123456789ABCDEF0123456789abcdef$NaN
API String ID: 0-1496255825
Opcode ID: 2ec225e69f672cd493663f2738df050581d84cd5a115036ffc1f4222c36f1d17
Instruction ID: 0c4495a60a35c153bc9a9690d53d5335b764975aab0d03ece1969e63d3316c07
Opcode Fuzzy Hash: 2ec225e69f672cd493663f2738df050581d84cd5a115036ffc1f4222c36f1d17
Instruction Fuzzy Hash: F36215759083818BC711CF28C58039BBBE5AFE7344F28495EE8C59B3A1D379C945CB96

Function 00480AD0 Relevance: 10.8, Strings: 8, Instructions: 808COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 00480C1B
invalid bit length repeat, xrefs: 00480E6D, 00480E7E
invalid distances set, xrefs: 00480F1A
too many length or distance symbols, xrefs: 00480C2B
invalid distance too far back, xrefs: 00481311
invalid literal/lengths set, xrefs: 00480EC9
invalid distance code, xrefs: 00481289
invalid literal/length code, xrefs: 004810EF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: 061f309650ae96266f059c095db10cf3d22cce48134812261510b72fe63a2a4a
Instruction ID: dc1b1ed7ac0ff68138d6e714c1885b2b7efbfb544daead3d592751b6a78c15cc
Opcode Fuzzy Hash: 061f309650ae96266f059c095db10cf3d22cce48134812261510b72fe63a2a4a
Instruction Fuzzy Hash: 86627B716183048FCB58EF18C89066EBBE1BFC9304F04496EE896CB755E739D94ACB85

Function 00485CF0 Relevance: 10.3, APIs: 2, Strings: 3, Instructions: 1533COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00485DA6
VariantClear.OLEAUT32(?), ref: 00485E03

Part of subcall function 00443DF0: VariantClear.OLEAUT32(?), ref: 00443E18

Strings

', xrefs: 00486ED3
WS, xrefs: 00485EEC, 00485F94, 004860A9, 004861DD, 00486270, 0048637D, 00486420, 004864F0, 004865CF, 004866AD, 0048678B, 00486869, 00486947, 00486A25, 00486B03, 00486BEB, 00486CC9, 00486DC1, 00486F43, 004870AA
), xrefs: 0048705E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant
String ID: '$)$WS
API String ID: 1473721057-2654340187
Opcode ID: 992f00f83de65705cc78b690f42da03db2d53bc2e9d591e730ffa827848a54a0
Instruction ID: 2304aa09ec4d3f049c1228d232beef7c5110c507fdf785867dc891b77cbd99c3
Opcode Fuzzy Hash: 992f00f83de65705cc78b690f42da03db2d53bc2e9d591e730ffa827848a54a0
Instruction Fuzzy Hash: C9D25771A183908BD314EF18C480A2EBBE5FF89B54F144E1EF58583361DB79D989CB86

Function 00430220 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00A896D8,?,00000000), ref: 00430240
SystemTimeToFileTime.KERNEL32(?,?,?,00000000), ref: 00430257
InterlockedDecrement.KERNEL32(?), ref: 00430385

Part of subcall function 00430470: InterlockedDecrement.KERNEL32(?), ref: 0043049C

Strings

%s, %02d %s %d %02d:%02d:%02d GMT, xrefs: 004302C2

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Time$DecrementInterlockedSystem$File
String ID: %s, %02d %s %d %02d:%02d:%02d GMT
API String ID: 1931671789-1915804187
Opcode ID: a36902a6502c1dab9e71f0627b366de4a26815ecad9114d6057332fe76294ddb
Instruction ID: e436c60a11087ece553b7257e3493239060e6994586ef7eb396723de497b727c
Opcode Fuzzy Hash: a36902a6502c1dab9e71f0627b366de4a26815ecad9114d6057332fe76294ddb
Instruction Fuzzy Hash: 71416CB11043419FC314DF15C890A6BB7E8FBD8718F048A1EF99597390E779E948CB66

Function 00480300 Relevance: 6.8, Strings: 5, Instructions: 568COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00480528
invalid window size, xrefs: 00480486
header crc mismatch, xrefs: 00480828
unknown compression method, xrefs: 0048045B, 00480513
incorrect header check, xrefs: 004804CD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
API String ID: 0-3633268661
Opcode ID: 7061da634a308692e22f378b9aed4166b1383309e8dc6796532f941ac13ab55d
Instruction ID: f1bbdd2608f9f1d45f757b65ce8a29cf369c11d9e90b0f567422f3e5fde93734
Opcode Fuzzy Hash: 7061da634a308692e22f378b9aed4166b1383309e8dc6796532f941ac13ab55d
Instruction Fuzzy Hash: 73228BB06143008FDB54EF18C880A2FBBE5AFC5704F04496FE8958B355E739D94ACB9A

Function 004B4A70 Relevance: 6.8, Strings: 4, Instructions: 1814COMMON

Download Yara Rule

Strings

2, xrefs: 004B5CF4
_, xrefs: 004B56BB
WHERE clause too complex - no more than %d terms allowed, xrefs: 004B4CE0
_, xrefs: 004B5C59

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: 2$WHERE clause too complex - no more than %d terms allowed$_$_
API String ID: 0-994766023
Opcode ID: d83f475a613cd01716e748c4d04e75ec2629119b8c823130129e9cae249b2346
Instruction ID: 64b325434214798715b1ab387c136b7eaae47b9caba1ddf255b6969fd3892c1f
Opcode Fuzzy Hash: d83f475a613cd01716e748c4d04e75ec2629119b8c823130129e9cae249b2346
Instruction Fuzzy Hash: 65E26AB0604701AFD724CF19C881B6BB7E5BF88714F14892EF98A9B341D778E941CBA5

Function 004D8F90 Relevance: 5.3, Strings: 4, Instructions: 326COMMON

Download Yara Rule

Strings

You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html, xrefs: 004D939B
gfff, xrefs: 004D8FC0
.\crypto\rand\md_rand.c, xrefs: 004D8FD4, 004D8FF0, 004D9008, 004D9148, 004D9325, 004D935D, 004D938B
...................., xrefs: 004D90B5

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: ....................$.\crypto\rand\md_rand.c$You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html$gfff
API String ID: 0-3960724764
Opcode ID: 3ce6ae9e16784cb545bac4fd0f4a3e1ae170de4f7ec2b1bea57193646648aece
Instruction ID: b988799bdc3a49f85ccc096a073ac71e756698ea5a2575e8fd9b63bd6227ee82
Opcode Fuzzy Hash: 3ce6ae9e16784cb545bac4fd0f4a3e1ae170de4f7ec2b1bea57193646648aece
Instruction Fuzzy Hash: 00B180716443006BD310EF25EC92F9B7BE4BB94708F44496FF984E7392D274E9098BA6

Function 004B9A9C Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc4c00c3413b179654c239b60ee366dea4509c8abc27ae0a37c91e68c5939eb
Instruction ID: 92d4742f3a8306ade4416c644365469a48084d4eca11501cd91d971be56016d1
Opcode Fuzzy Hash: 9cc4c00c3413b179654c239b60ee366dea4509c8abc27ae0a37c91e68c5939eb
Instruction Fuzzy Hash: 81F03C3110814ABBDF019F71DD089EF3F69BB04344B548416FE0695160EB39EE15EB79

Function 004016A0 Relevance: 4.5, APIs: 3, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 004016A6
GetLocaleInfoA.KERNEL32(00000000,00001004,00000007,00000007), ref: 004016B9
GetACP.KERNEL32 ref: 004016E5

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: b5bae33e97ddbc995b267fb5bb9ec29d97982df02277d0fc41dd902468373fc5
Instruction ID: 38ff14edf7a6b5d7e9f408aa77791958c6ac28fa08c05cf8eeb5b739f9312bf5
Opcode Fuzzy Hash: b5bae33e97ddbc995b267fb5bb9ec29d97982df02277d0fc41dd902468373fc5
Instruction Fuzzy Hash: A0F09E3150062057CE219F20AC046EF3754AF00B86F48055CE9C6A7351F635580DD7E6

Function 004916D0 Relevance: 4.2, Strings: 3, Instructions: 415COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 00491AAB
invalid distance code, xrefs: 00491AC0
invalid literal/length code, xrefs: 00491ADA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: fc9089ce0216fdab5b79f8d75255847f1375f6428f804a85a263631bdb5b1a18
Instruction ID: da9908ee8154b3dfd44026b6599b7ebafe9a66be5f065c2392016081ecd394f4
Opcode Fuzzy Hash: fc9089ce0216fdab5b79f8d75255847f1375f6428f804a85a263631bdb5b1a18
Instruction Fuzzy Hash: 22E1AF706083868FCB08DF28C59456AFFE1EB95304F144A6EE8D6C7352E779D90ACB46

Function 004950A0 Relevance: 4.0, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0049511F
foreign key on %s should reference only one column of table %T, xrefs: 004950F4
unknown column "%s" in foreign key definition, xrefs: 00495373

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 0-272990098
Opcode ID: 262f29d2d09fdeaaee23d9be94ddbd7d64a3a7d1ed3eae6f1a0394dac5950eee
Instruction ID: e008c231da196307b374e6fdb7390433e0f4ed7e68f9bda2861e17365a023b2d
Opcode Fuzzy Hash: 262f29d2d09fdeaaee23d9be94ddbd7d64a3a7d1ed3eae6f1a0394dac5950eee
Instruction Fuzzy Hash: E0A18F756086068FCB15CF18C58096BBBE1FF88308F64866EE8899B341D735ED06CF96

Function 00521612 Relevance: 3.0, APIs: 2, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00521639
CallWindowProcA.USER32(?,?,?,?,?), ref: 0052164E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: eea8e7b3274a3bcb2384a17dd044fd6736adc2ae679e0fe37562caf80417a559
Instruction ID: df13f19b6e263420c249ea38040ae44ff20fef8579379e4d3e223581ae6063be
Opcode Fuzzy Hash: eea8e7b3274a3bcb2384a17dd044fd6736adc2ae679e0fe37562caf80417a559
Instruction Fuzzy Hash: 7AF0F836100615EFCF214F94EC04D9A7FB9FF29350B048429FA0696920D332E820AF54

Function 004881F0 Relevance: 2.2, Strings: 1, Instructions: 915COMMON

Download Yara Rule

Strings

WS, xrefs: 00488AF6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant
String ID: WS
API String ID: 1473721057-3819528001
Opcode ID: c6af6c3bd0d23bcf946dfb2b7f3dd30381c62a6e76286a808155f4f75d27916e
Instruction ID: c40ddf31d6b2b3c5986023156a0a6e46ee78d641c25103df082c1683889ec9f0
Opcode Fuzzy Hash: c6af6c3bd0d23bcf946dfb2b7f3dd30381c62a6e76286a808155f4f75d27916e
Instruction Fuzzy Hash: B0724475A183908FC320DF18C480B6EB7E5FFC8B14F94891EE98983351DB79A945CB96

Function 00499DA0 Relevance: 2.1, Strings: 1, Instructions: 803COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00499DD7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: ecd2e3d1e2053a56457c00edd75d6d00d9fac40601ed2313a7bdee498c17c4e7
Instruction ID: 884e0ddc9ecf0dbafebedaf3e5ee30702fb1170a34e1c85894060124aed89797
Opcode Fuzzy Hash: ecd2e3d1e2053a56457c00edd75d6d00d9fac40601ed2313a7bdee498c17c4e7
Instruction Fuzzy Hash: BE6281716083518FCB14CF29D480A6BBBE1BFC8304F19496EE98597342E735ED16CB96

Function 00489AC0 Relevance: 1.9, Strings: 1, Instructions: 611COMMON

Download Yara Rule

Strings

WS, xrefs: 0048A016, 0048A17C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant
String ID: WS
API String ID: 1473721057-3819528001
Opcode ID: d6a7bffce8d5951de8f705c1a79eb7581c6f2b3073d209542dfae611286d402b
Instruction ID: 0558592e3c2cf5bc34360493e1041c8a4ec8d06995a9e8dc5c924000f33ae9b8
Opcode Fuzzy Hash: d6a7bffce8d5951de8f705c1a79eb7581c6f2b3073d209542dfae611286d402b
Instruction Fuzzy Hash: C1326675A183908FD324DF18C480B6EB7E4FF88B10F144A5EF98583751D7BAA949CB86

Function 004C5D91 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00428630,00001004,00000000,00000006,00000000,00428630,00000000), ref: 004C5DB1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0b3000248d8a1f3f2f47fa24418d6d1a39c9bc4c00ad46f143ec74bb62801ebd
Instruction ID: f369bfb176ea4ff3154986153895afecf33b94f793e8be50e3a3c6a5602d96d6
Opcode Fuzzy Hash: 0b3000248d8a1f3f2f47fa24418d6d1a39c9bc4c00ad46f143ec74bb62801ebd
Instruction Fuzzy Hash: 84E09235A04708ABCB00EBB5D806BDD7BB8AB04319F1081AAF611D72D0EB74E6489765

Function 00515EC0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

qeQ, xrefs: 00515ECA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ErrorLast
String ID: qeQ
API String ID: 1452528299-2928944629
Opcode ID: e469530c1a5f85f15b24885f404ab9228e36c3f73f11c3568c9426339271a8cf
Instruction ID: e676e624a0e4205bd8b1ab61c978fe4329e360cbd58c92a2a69283de93d6b6c8
Opcode Fuzzy Hash: e469530c1a5f85f15b24885f404ab9228e36c3f73f11c3568c9426339271a8cf
Instruction Fuzzy Hash: EC814A75A04602CFD718DF1DC580A6ABBE1BF88304B1585ADEC498B356E735EC8ADB81

Function 004E8324 Relevance: 1.0, Instructions: 980COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc688f58461f92235703985cdd770ce861046d79dea0de56dccfc1f501ccef7e
Instruction ID: bf8f26272dd9a7608f98250df7a018412b8a2f22b7098f321602cc2e8ecd18f4
Opcode Fuzzy Hash: dc688f58461f92235703985cdd770ce861046d79dea0de56dccfc1f501ccef7e
Instruction Fuzzy Hash: 05922E37B515198FEB44CEA5D8483DBB7A2FF9C358F6A9534CD08AB607C635B502CA80

Function 004E9245 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5c617ca51a5aa87f98e3e60fe49096df8c13985db2494013344b34b09e392f
Instruction ID: 06ce463a225f6e6742944408d86446274dee3dbc89649c769ba95254baf7fca5
Opcode Fuzzy Hash: bc5c617ca51a5aa87f98e3e60fe49096df8c13985db2494013344b34b09e392f
Instruction Fuzzy Hash: B6923F37B515198FEB44DEA5D8483DBB7A2FF9C318F6A9534CD08AB607C635B502CA80

Function 00468960 Relevance: .8, Instructions: 754COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ec6089ebb91f6f7adf73eb570d51acddf9570dc37b0a27aaeeb533ffa48e8dbf
Instruction ID: c902fce49ad9f0234f003eca6a9c97e769515a090251f16841d2e3fbed0368dc
Opcode Fuzzy Hash: ec6089ebb91f6f7adf73eb570d51acddf9570dc37b0a27aaeeb533ffa48e8dbf
Instruction Fuzzy Hash: 8C5247B56183908FD304CF18C480A5AFBE5FBC8B64F544A6EF88587320E779E945CB96

Function 004E5050 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e189c0d69811ce790ec229e3b79618d715323ac42097435ce5dca6aea851aad
Instruction ID: 5fadc7a57a1674bfd8b236c905e9834c40b9e32292e322fdafd27e01204ef31d
Opcode Fuzzy Hash: 1e189c0d69811ce790ec229e3b79618d715323ac42097435ce5dca6aea851aad
Instruction Fuzzy Hash: 5F12A52051D7D14FD345CA3E885012EFFE2EEDA201B988BAEE4E5CB346D674D542CBA1

Function 004F9434 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80

Function 004B03D0 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9ec5cb4bac888d4173e983beaa985391dc75ef3590f9c6262fcbfa1e757bc683
Instruction ID: 1c45d1d93c16ef5a3ff3b8deda841f80ead0dc2af12aac49a82918e2158886fe
Opcode Fuzzy Hash: 9ec5cb4bac888d4173e983beaa985391dc75ef3590f9c6262fcbfa1e757bc683
Instruction Fuzzy Hash: 80C1F7356042844FCF21CF2898903EB7BD1AF96305F5844AEEDD59B343D669D90ACBB4

Function 004F99C0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
Opcode Fuzzy Hash: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680

Function 004ED0D0 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c2393d1d9735499076d93a0b72f29966404e5afa41d951a02dc35dfd89d012
Instruction ID: bb018c30655cc38f6be07770f3e8f9433913fff035848ddf1d5c19becd977d4a
Opcode Fuzzy Hash: f8c2393d1d9735499076d93a0b72f29966404e5afa41d951a02dc35dfd89d012
Instruction Fuzzy Hash: D2C1EA7575060A8FD750CEADE8C079A63E3AF8C30CF6A85349F18CB346D975A8619B90

Function 004ED4EB Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d73f5765f8a9ce50b8fd4d49e34fa637d2a72b4d3ab4e618b4578db6171323
Instruction ID: d8777bd841593ae2677a03b619aeda16eaf0e585bb5dc75019e838d018e3b9af
Opcode Fuzzy Hash: b8d73f5765f8a9ce50b8fd4d49e34fa637d2a72b4d3ab4e618b4578db6171323
Instruction Fuzzy Hash: 2AC1EA7575060A8FD750CEADE8C079A63E3AF8C30CF6A85349F18CB346D975A8619B90

Function 0048DAE0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7b0ef65c033f222a997c8384d1bb28438e5d9e0d3eef408192cd8c6cc77930
Instruction ID: 0756492b9ef5080a43a2ca079c6649b905315a81cea5b9094fba48954e36bd26
Opcode Fuzzy Hash: 6a7b0ef65c033f222a997c8384d1bb28438e5d9e0d3eef408192cd8c6cc77930
Instruction Fuzzy Hash: 85A12275A0830A8F9304DF9AD8C000AF7E1BFC8754F45867DEA5497312E6B0E959CBD5

Function 004991F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9022c778b3437bc034408cf1d2b8ae6ba653d8ac2425fc3defb26886e54f54
Instruction ID: be7637ae2122e141483c4df5245cc80d939fb4c1404770890e7232db9537b429
Opcode Fuzzy Hash: ab9022c778b3437bc034408cf1d2b8ae6ba653d8ac2425fc3defb26886e54f54
Instruction Fuzzy Hash: 239109716082514FCB18CF2DD89497BBFE19FC9301B0985BEE99ACB342E539E909C761

Function 004D0600 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7809503c9e4c0aaf458ffd789bc20f586dec56622dc0ab4ea14cc754f7c6277a
Instruction ID: 5a325f2211aa01f2024525e9a635e9e843f5e560ffe395cf857d606c2c9dc2c1
Opcode Fuzzy Hash: 7809503c9e4c0aaf458ffd789bc20f586dec56622dc0ab4ea14cc754f7c6277a
Instruction Fuzzy Hash: EA8118765082B407DB189E1E94F033ABBD1EBC6301F5942AFE4E68B346C57594168BE4

Function 004D8250 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f22b23a36e343839646e0c63f245f3025026230523e8a0607b0e68b0662218
Instruction ID: b914748f6e522951e6829d69dd1864aff296997abfcc731c09dc603771bfbafa
Opcode Fuzzy Hash: 29f22b23a36e343839646e0c63f245f3025026230523e8a0607b0e68b0662218
Instruction Fuzzy Hash: C781297151C2B547D7198F1E98F013AFBE4FB86701B4806AFE9D68B342DA79A80187D8

Function 0048DF20 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4635457083079f9557267ae687fbf693a7fb2502e3cc6199447cf550499648f
Instruction ID: e274967d7a448e2f60f2459eda732930ce64bebc00801add3e4cff6d076fb8c3
Opcode Fuzzy Hash: b4635457083079f9557267ae687fbf693a7fb2502e3cc6199447cf550499648f
Instruction Fuzzy Hash: 0E81E432714A144BE75C9E3CDC2123AB6D2EBC8300B548A3EEA6BC3782DD78D905C794

Function 004994D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c2ba0d582d45495c5b16363a469062fe1358c40003e3166f7f9d678abb9eab
Instruction ID: a465ba8b7b67f4be4afd1c810960f4f16678b8505f7adeedd4f4f634cb523e27
Opcode Fuzzy Hash: 52c2ba0d582d45495c5b16363a469062fe1358c40003e3166f7f9d678abb9eab
Instruction Fuzzy Hash: 5471E2756082908FD719CB3D889496B7FE29FE5204B0DC2EDE8458B397D936E809C7A1

Function 004913A0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c4415406bca4e51da29cc8dcf9d686e7eaf14e8b521ac62c50171edf9dc323
Instruction ID: c9bd2b1d0f36298ec75f458e88192234eac6630791e37624bf3104e4b0b50fb4
Opcode Fuzzy Hash: f9c4415406bca4e51da29cc8dcf9d686e7eaf14e8b521ac62c50171edf9dc323
Instruction Fuzzy Hash: 9171B931A106564BD750CF2EECC0326B7E2EB9D301F498939DB41C73A6D739B929A750

Function 004EDAD0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7522fbbaa1af1da4d36e73b98743296ca67b9485b505392998a6d3958e85b6cf
Instruction ID: e7f27a58e812343ae66f229a332c5a27d238c10aa7085409db387d34dc1e3521
Opcode Fuzzy Hash: 7522fbbaa1af1da4d36e73b98743296ca67b9485b505392998a6d3958e85b6cf
Instruction Fuzzy Hash: DA61E63560C3D14FC30ACB2E885046ABFD2EFDB205B5885AEE8D697356C934D90ACB61

Function 004E46E0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3435890fde8f4ed684beea093a2b88e8a93a0fdedbf2bb1eba5db5f99567bea9
Instruction ID: 16958e02308bfeebb2ccacb78c7e7a7b1f360d32c4b0181ef88437c07b5ac634
Opcode Fuzzy Hash: 3435890fde8f4ed684beea093a2b88e8a93a0fdedbf2bb1eba5db5f99567bea9
Instruction Fuzzy Hash: 9561C63560D3C18FD30ACF2E985046ABFD2EFDB205B0985DEE4D697352C934990ACBA1

Function 004E5640 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce12b567b26b744e18cbd8c5dce266666b94fb3bcb6bc97853b7cf721599ffb7
Instruction ID: 3bada9c433d4c4a6b027b7b6819875ea69106a8341a595b76b8915d37b7ccf67
Opcode Fuzzy Hash: ce12b567b26b744e18cbd8c5dce266666b94fb3bcb6bc97853b7cf721599ffb7
Instruction Fuzzy Hash: B261B53560D3C18FC30ACF2E985046ABFD2EEDB205B48859EE4D6D7352C934990ACBA1

Function 004E4B50 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bdbb3a57964aeaca15fa05c0b12e919f9b7d198e7b41b8c80f9a4e679afbf5
Instruction ID: cfb9ef6a304e0655b4a2fad22dd1e1b5c0a75d6dc9136f03339020797ef65c3d
Opcode Fuzzy Hash: 61bdbb3a57964aeaca15fa05c0b12e919f9b7d198e7b41b8c80f9a4e679afbf5
Instruction Fuzzy Hash: 3F5144316086A04BD32DCF2AD4A42AEFBE3EFC9301F09C96ED0DA87355DA349405CB95

Function 004E41F4 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e9d15c80a2a1a18bb4e2bc972fe30a6cd632d489a6d2fda7b5d57b22150d58
Instruction ID: 2928f1ad259eb0f5ea471dbf9faa21a115af2645d91354d51f543fbb6098d8c2
Opcode Fuzzy Hash: 98e9d15c80a2a1a18bb4e2bc972fe30a6cd632d489a6d2fda7b5d57b22150d58
Instruction Fuzzy Hash: 5B511B37B0063897DB54CE2AD8514AAB3E7ABC8648F0B9216FC19F3341D9749C4A8BC4

Function 004E438F Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5adaf166407cd44c4764f857a279d499c16d000d57668d3f6706bc0165cf00
Instruction ID: 24c7590c6593ebd8ae530ca4b41b64cc15e1c577a219f89235ff677f5b3b30e5
Opcode Fuzzy Hash: eb5adaf166407cd44c4764f857a279d499c16d000d57668d3f6706bc0165cf00
Instruction Fuzzy Hash: 1D518873B001244FAB94CDBED9545AEABE7ABC8658B07422AFC19F3254DD709C8E47C1

Function 004EDD90 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b2be01c76dacb9bcdaabeab50959be0f1cd9fd68b238706fcf372701a28087
Instruction ID: 88e36393329edcf3f1887f119228e83c33bab189b29507869cc908719eb8aeb5
Opcode Fuzzy Hash: f6b2be01c76dacb9bcdaabeab50959be0f1cd9fd68b238706fcf372701a28087
Instruction Fuzzy Hash: 47513E2161D7C18FC309CF6D484045EBFE19AEA105F888AAEF8D5DB353C524DA09C7A2

Function 004E49A0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935bf2a9af2ce401f0baa33393c4e11aeb905614696bac68ad71c59915e1ee82
Instruction ID: 534aba2766a0c73fe2e5588f6d4484bf4872c13d81a21714ee803261affd199a
Opcode Fuzzy Hash: 935bf2a9af2ce401f0baa33393c4e11aeb905614696bac68ad71c59915e1ee82
Instruction Fuzzy Hash: FC515F2160D3C18FC34ACF2D989055EFFD2EEEA204F884AADF4D597352C664D509CBA6

Function 004E5900 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8c2168a53a56a72e517c1972a81fe72ec4bffd0969a2998a6fc24fbbb9a53f
Instruction ID: 1fa6125df8f4d6e99fbaefbcbb6e7d5cbc06733f143aebe4d6602becc265b9ce
Opcode Fuzzy Hash: 5b8c2168a53a56a72e517c1972a81fe72ec4bffd0969a2998a6fc24fbbb9a53f
Instruction Fuzzy Hash: 48514F2160D3C18FC34ACF2D989055EFFD2AAEA204F884AADE4D597352C664D509CBA6

Function 004E8190 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab24e5d198003ce769315e0aea9c87cea5396cf87c78ff4a18fd7e3a2d1f232
Instruction ID: 7f33b2f91d787400af2705184ef7841e2eb8113f0c665137195707bd2ae9d2f0
Opcode Fuzzy Hash: 1ab24e5d198003ce769315e0aea9c87cea5396cf87c78ff4a18fd7e3a2d1f232
Instruction Fuzzy Hash: B5517E2561D7C18BC319CA2D488005FFFE2DEEA204F988A9EE8C597346C575D90AC7A6

Function 004D08B0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e094b87a958fa89c2cac6b256f813d31afa79bb30750ccbde30f7a5ef45fce00
Instruction ID: a5a3a1afc6d2dd8fbe5fe719a702ea887707374328d66b17c343dac481f91984
Opcode Fuzzy Hash: e094b87a958fa89c2cac6b256f813d31afa79bb30750ccbde30f7a5ef45fce00
Instruction Fuzzy Hash: 384127306082C08FE35ECA2E98902267FD2DBEB200B5585ADD8D6DB756C9749C06CBB1

Function 004D84F0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22582358e2b9db5f8f4ae943e5598c8383ac11216061bab4d24c7f45ad67cfca
Instruction ID: c4daffc5694ca8b94fc218b7c5e626c2f3808bf42cb9da4d7f2c5a5c4a1af589
Opcode Fuzzy Hash: 22582358e2b9db5f8f4ae943e5598c8383ac11216061bab4d24c7f45ad67cfca
Instruction Fuzzy Hash: 704104306083809FD359CE1D98A06367FD6DB9B300B4989AED8D6CB746C975980ACB61

Function 004D8670 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3fee9d6fc6ec9fc9d4bfd0c0ebb63bfa70ad04494f237ed794b2e2a9b015d2
Instruction ID: 42a0cfcbf7e3c6bf0aa5cf003ec8737d13e137acb2d7115541d09bac2594dca2
Opcode Fuzzy Hash: ce3fee9d6fc6ec9fc9d4bfd0c0ebb63bfa70ad04494f237ed794b2e2a9b015d2
Instruction Fuzzy Hash: DE417B716183018BC728EF1DF4A446AF3E6EBDC300F52493EDA46D7340DA71A8198B95

Function 004BD19C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbc2c22f81e2afe1f0c4ae80a4e2a502de3b76f019045d8db0439e01fa85f63
Instruction ID: f139c949c16098e4d34eac505a04e0750547e19829a80c69fe742da75ecafd65
Opcode Fuzzy Hash: edbc2c22f81e2afe1f0c4ae80a4e2a502de3b76f019045d8db0439e01fa85f63
Instruction Fuzzy Hash: 7921C432900244AFCB14EF69C8C09ABBBA5FF45310B0581EAED199B245E734FA15CBF0

Function 004BC480 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: cf23c4abef821bf670911dd9050e5ab5f2d751e04886c804df7e275d373553ee
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: DB117DB724005253D624CA3DD8F86F7E796EBC532072C437BD0414B758D52AEE41A538

Function 0046D640 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d5588390054f1fb7fda40c01235362b9efe29f7a687861d89e36d0b7be65ce
Instruction ID: c49fd730ba61f3f60a3c560627e88b68c6829206df68b41bd54822d4043f18a3
Opcode Fuzzy Hash: 97d5588390054f1fb7fda40c01235362b9efe29f7a687861d89e36d0b7be65ce
Instruction Fuzzy Hash: 63F01C3E514244EBD7008FA4E8C2A5AF768EF48220B54845AEC4C8B615E635A941C77E

Function 00455310 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b4d688a62edec60d44f7757c217e22087b5daae9fb617ab72c0695d8502126
Instruction ID: df152e172984498ec6d0f23c66101f07dd104215e7c97f555f8233236c3f688e
Opcode Fuzzy Hash: b8b4d688a62edec60d44f7757c217e22087b5daae9fb617ab72c0695d8502126
Instruction Fuzzy Hash: 94E002B5911B108F83349F2EE541456FBF8BFA86103515A1FD99AC3B20D6B0A5468F94

Function 0044D860 Relevance: 49.8, APIs: 33, Instructions: 279COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0044D8A2
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0044D8AE
CombineRgn.GDI32(00000000,?,00000000,00000005), ref: 0044D8C2
OffsetRgn.GDI32(00000000,00000000,?), ref: 0044D8D0
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044D8DE
OffsetRgn.GDI32(00000000,?,00000000), ref: 0044D8E8
CombineRgn.GDI32(?,?,?,00000005), ref: 0044D8FA
OffsetRgn.GDI32(?,00000000,?), ref: 0044D90C
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044D91B
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044D925
DeleteObject.GDI32(?), ref: 0044D92C
CreatePolygonRgn.GDI32(?,00000004,00000002), ref: 0044D988
CombineRgn.GDI32(00000000,?,00000000,00000001), ref: 0044D99A
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044D9A5
DeleteObject.GDI32(?), ref: 0044D9AC
CreatePolygonRgn.GDI32(?,00000004,00000002), ref: 0044D9BB
CombineRgn.GDI32(00000000,?,00000000,00000001), ref: 0044D9CD
OffsetRgn.GDI32(?,00000000,?), ref: 0044D9DF
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044D9EE
DeleteObject.GDI32(?), ref: 0044D9F5
CreatePolygonRgn.GDI32(?,00000004,00000002), ref: 0044DA52
CombineRgn.GDI32(00000000,?,00000000,00000001), ref: 0044DA64
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044DA6F
DeleteObject.GDI32(?), ref: 0044DA76
CreatePolygonRgn.GDI32(?,00000004,00000002), ref: 0044DA85
CombineRgn.GDI32(00000000,?,00000000,00000001), ref: 0044DA97
OffsetRgn.GDI32(?,?,00000000), ref: 0044DAA5
CombineRgn.GDI32(00000000,?,00000000,00000002), ref: 0044DAB4
DeleteObject.GDI32(?), ref: 0044DABB
CreateRectRgn.GDI32(?,?,?,?), ref: 0044DAEC
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 0044DAF9
DeleteObject.GDI32(00000000), ref: 0044DAFC
SetWindowRgn.USER32(?,00000000,00000001), ref: 0044DB09

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Combine$Create$DeleteObject$Offset$Polygon$Rect$Window
String ID:
API String ID: 982932888-0
Opcode ID: aeeec1cfde788a17a37678f2ce50d12f66c865d81024b150f2e05a20ddc928fa
Instruction ID: d49cfba6f9a6cb459aa107ff9fe0d9434fb2581e585889f0538846b797454adc
Opcode Fuzzy Hash: aeeec1cfde788a17a37678f2ce50d12f66c865d81024b150f2e05a20ddc928fa
Instruction Fuzzy Hash: 48A1C7B1608740AFE314DF69DC89F2BB7E8FB89B00F44891DB685D7290E775E8048B65

Function 00448130 Relevance: 48.4, APIs: 32, Instructions: 425memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 00448157
SysStringLen.OLEAUT32(?), ref: 00448162
VariantInit.OLEAUT32(?), ref: 00448173
VariantInit.OLEAUT32 ref: 0044818C
SysStringLen.OLEAUT32(?), ref: 00448198
RtlEnterCriticalSection.NTDLL(?), ref: 004481B2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004481EB
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00448208
VariantCopy.OLEAUT32(00000010,00587598), ref: 0044825D
VariantClear.OLEAUT32(00000010), ref: 004482BC
SysFreeString.OLEAUT32(?), ref: 004482C7
RtlLeaveCriticalSection.NTDLL(?), ref: 00448316
VariantClear.OLEAUT32(?), ref: 00448328
VariantInit.OLEAUT32(?), ref: 00448377
VariantInit.OLEAUT32 ref: 00448386
RtlEnterCriticalSection.NTDLL(?), ref: 0044839B
RtlLeaveCriticalSection.NTDLL(?), ref: 0044840D
VariantClear.OLEAUT32(?), ref: 0044841E
VariantClear.OLEAUT32(?), ref: 00448425
VariantCopy.OLEAUT32(00000010,?), ref: 004484AA
RtlLeaveCriticalSection.NTDLL(?), ref: 00448527
VariantClear.OLEAUT32(?), ref: 00448538
VariantClear.OLEAUT32(?), ref: 0044853F
RtlLeaveCriticalSection.NTDLL(?), ref: 00448564
VariantClear.OLEAUT32(?), ref: 00448575
VariantClear.OLEAUT32(?), ref: 0044857C
RtlLeaveCriticalSection.NTDLL(?), ref: 004485AB
VariantClear.OLEAUT32(?), ref: 004485BC
VariantClear.OLEAUT32(?), ref: 004485C3
RtlLeaveCriticalSection.NTDLL(?), ref: 004485E8
VariantClear.OLEAUT32(?), ref: 004485F9
VariantClear.OLEAUT32(?), ref: 00448600

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$CriticalSection$LeaveString$Init$AllocCopyEnter$Free
String ID:
API String ID: 1084011684-0
Opcode ID: 09fa2affe68c51a070a7677d8301043e8f88aeb0004845facb599e3495e22b28
Instruction ID: 9065c668c88b2e8f5f289d710cc98a4dcc85bdc95a6b92172f5a29f9abbd396b
Opcode Fuzzy Hash: 09fa2affe68c51a070a7677d8301043e8f88aeb0004845facb599e3495e22b28
Instruction Fuzzy Hash: C5E19D726047059BCB14DF68C880A5FB7E8FF98714F00892EF98997350EB38E909CB95

Function 004B9956 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,004B9AA7), ref: 004B997F
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004B999B
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004B99AC
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004B99BD
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004B99CE
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004B99DF
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004B99F0
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 004B9A01

Strings

GetSystemMetrics, xrefs: 004B9995
MonitorFromPoint, xrefs: 004B99C8
EnumDisplayMonitors, xrefs: 004B99D9
USER32, xrefs: 004B9975
MonitorFromRect, xrefs: 004B99B7
EnumDisplayDevicesA, xrefs: 004B99FB
GetMonitorInfoA, xrefs: 004B99EA
MonitorFromWindow, xrefs: 004B99A6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 68deca541ab4c41c8a06c9fbf1b8f8649d838cd2e9ac146cc830dec0c20188d7
Instruction ID: af4492e1078e5cb6e138f3872fc474d35e494688019b6cfd54ee36dbadaee1e7
Opcode Fuzzy Hash: 68deca541ab4c41c8a06c9fbf1b8f8649d838cd2e9ac146cc830dec0c20188d7
Instruction Fuzzy Hash: C22162749007959BA3219F36ACC04BEBEE0B26DB80750143FD506F2262D7394849BF26

Function 004C1F67 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004C1FE8
_strcat.LIBCMT ref: 004C1FFB
_strlen.LIBCMT ref: 004C2008
_strlen.LIBCMT ref: 004C2017
_strncpy.LIBCMT ref: 004C202E
_strlen.LIBCMT ref: 004C2037
_strlen.LIBCMT ref: 004C2044
_strcat.LIBCMT ref: 004C2062
_strlen.LIBCMT ref: 004C20AA
GetStdHandle.KERNEL32(000000F4,005479A0,00000000,?,00000000,00000000,00000000,00000000), ref: 004C20B5
WriteFile.KERNEL32(00000000), ref: 004C20BC

Strings

Microsoft Visual C++ Runtime Library, xrefs: 004C208A
<program name unknown>, xrefs: 004C1FF5
Runtime Error!Program: , xrefs: 004C205C
..., xrefs: 004C2028

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: d5bcddd3314c0cf1972755a6e3d6037f7bc040c018609b3e3f230a8f1178a64b
Instruction ID: e85dffbc950cfc480dd69468cb31aa74ffa1cea79cc08d4839bb1f124be63771
Opcode Fuzzy Hash: d5bcddd3314c0cf1972755a6e3d6037f7bc040c018609b3e3f230a8f1178a64b
Instruction Fuzzy Hash: B5312E765001085BD724BB769C96FDE3B6CEB44308F100C0FF916D7152EEB8A8459B78

Function 004C4A59 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00548248,00000118,004BDDFB,00000001,00000000,005472F0,00000008,004C20D3,00000000,00000000,00000000), ref: 004C4ADA
_strcat.LIBCMT ref: 004C4AF0
_strlen.LIBCMT ref: 004C4B00
_strlen.LIBCMT ref: 004C4B11
_strncpy.LIBCMT ref: 004C4B2B
_strlen.LIBCMT ref: 004C4B34
_strcat.LIBCMT ref: 004C4B50

Strings

Unknown security failure detected!, xrefs: 004C4AA0
A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated., xrefs: 004C4AA5
Program: , xrefs: 004C4B61
Buffer overrun detected!, xrefs: 004C4AB6, 004C4B4E
A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated., xrefs: 004C4ABB
Microsoft Visual C++ Runtime Library, xrefs: 004C4B8B
<program name unknown>, xrefs: 004C4AE4
..., xrefs: 004C4B25

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated.$A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated.$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1010210193
Opcode ID: 9bd99fcad403308ff7fa9a56dd8edac1b4ede2987f4f9885aa1f7359dcb4a379
Instruction ID: 1a6f1370713105b5a25fffb77040a9755327251c63e30248b5091c5e6a2fe68f
Opcode Fuzzy Hash: 9bd99fcad403308ff7fa9a56dd8edac1b4ede2987f4f9885aa1f7359dcb4a379
Instruction Fuzzy Hash: 4D3108759006086BD750ABB18C56FDE3AA8EF44358F10045FF414A6282EF79EE854BAD

Function 00435390 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 253windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004353AF
MessageBoxA.USER32(00000000,?,NetBox Version 2.8 Build 4128,00000010), ref: 0043562E
CoUninitialize.COMBASE ref: 004356C1

Part of subcall function 004352E0: InterlockedExchange.KERNEL32(-00000010,00000000), ref: 00435350

Strings

File: , xrefs: 00435590
NetBox Version 2.8 Build 4128, xrefs: 00435626
ScriptMain, xrefs: 004353BE
NetBox, xrefs: 004354E8
" not found., xrefs: 00435608
Shell, xrefs: 004354C2
Line: %d, xrefs: 004355B3
File ", xrefs: 004355E9
8FV, xrefs: 004354B4
Error Number: %08XFile: , xrefs: 0043557B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInitializeInterlockedMessageUninitialize
String ID: Line: %d$" not found.$8FV$Error Number: %08XFile: $File "$File: $NetBox$NetBox Version 2.8 Build 4128$ScriptMain$Shell
API String ID: 4029736390-466511850
Opcode ID: 5f279bc1d4b5f6f9c5f1161ec5e11fc6f3341ed3fafe31bd30977ddeb26850a0
Instruction ID: bf568eb0ae7bd45edf23bd90e18626df9fd9fa8f50b4b2abb9eac66f8a478791
Opcode Fuzzy Hash: 5f279bc1d4b5f6f9c5f1161ec5e11fc6f3341ed3fafe31bd30977ddeb26850a0
Instruction Fuzzy Hash: 2C9124707047419FD314EF24C846B6BBBA5BF98714F04452EF85697382DB38A905CBD6

Function 004C06C7 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,75570A60,00000000,004BC94B,?,00547278,00000060), ref: 004C06DF
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004C06F7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004C0704
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004C0711
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004C071E
FlsAlloc.KERNEL32(Function_000C0551,?,00547278,00000060), ref: 004C075B
FlsSetValue.KERNEL32(00000000,?,00547278,00000060), ref: 004C0788
GetCurrentThreadId.KERNEL32 ref: 004C079C

Part of subcall function 004C04B0: FlsFree.KERNEL32(00000005,004C07B1,?,00547278,00000060), ref: 004C04BB

Strings

FlsAlloc, xrefs: 004C06F1
FlsGetValue, xrefs: 004C06F9
kernel32.dll, xrefs: 004C06DA
FlsFree, xrefs: 004C0713
FlsSetValue, xrefs: 004C0706

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2355849793-282957996
Opcode ID: 3462a344fa07f921a7abf339378afcd5f3fb5379664747f44d5741baf24300b4
Instruction ID: 9ff485d28cfe5851375596897bef379a84624d2f5915508ec2e4c3a9feaebc71
Opcode Fuzzy Hash: 3462a344fa07f921a7abf339378afcd5f3fb5379664747f44d5741baf24300b4
Instruction Fuzzy Hash: 5A21CF78901700EBD368AF39AD05A473FE4FBA4B14300552FE855E7B60EB789408EF59

Function 00441C12 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 403memoryCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32 ref: 00441CDF
InterlockedExchange.KERNEL32 ref: 00441D40
SysAllocStringLen.OLEAUT32(NULL,00000004), ref: 00441DA4

Strings

NULL, xrefs: 00441D9F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$AllocString
String ID: NULL
API String ID: 3525425447-324932091
Opcode ID: 08eba44e0ae2509cbf28eb0955cee81c0c65fc2bf7a72e3265ef436c0ae4dff2
Instruction ID: bfe1b66dc682f871e18ae86aa8c0bfc907cf7fd85ad9fdce00e5e8eb153a3a72
Opcode Fuzzy Hash: 08eba44e0ae2509cbf28eb0955cee81c0c65fc2bf7a72e3265ef436c0ae4dff2
Instruction Fuzzy Hash: 93B104B69043418BE724DF54D480BABB3E5FF94710F44492EF99AC3360E7389989CB96

Function 004792EC Relevance: 21.2, APIs: 14, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 004BCA40: RaiseException.KERNEL32(?,00000008,?,?,00000000,00000000), ref: 004BCA6E

RtlEnterCriticalSection.NTDLL(?), ref: 00479365
SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0047937F
SafeArrayLock.OLEAUT32(00000000), ref: 00479397
RtlLeaveCriticalSection.NTDLL(?), ref: 004793AB
SafeArrayUnlock.OLEAUT32(00000000), ref: 004793B6
SafeArrayDestroy.OLEAUT32(00000000), ref: 004793C1
VariantCopy.OLEAUT32(?,000000FF), ref: 00479402
RtlLeaveCriticalSection.NTDLL(?), ref: 00479429
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479439
RtlLeaveCriticalSection.NTDLL(?), ref: 0047946F
SafeArrayUnlock.OLEAUT32(?), ref: 00479480
SafeArrayDestroy.OLEAUT32(?), ref: 0047948D
SafeArrayUnlock.OLEAUT32(?), ref: 00479494
SafeArrayDestroy.OLEAUT32(?), ref: 0047949B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$CriticalSectionUnlock$DestroyLeave$CopyCreateEnterExceptionLockRaiseVariant
String ID:
API String ID: 3000636442-0
Opcode ID: 9eab249efeabc2ebfdf7f222b0742d3ad5bc0ff955e913e080514502d9a68546
Instruction ID: bd8e125e7ebb831f988808b6b123ad9e223f7c73b783aadf64e9009d60cb039f
Opcode Fuzzy Hash: 9eab249efeabc2ebfdf7f222b0742d3ad5bc0ff955e913e080514502d9a68546
Instruction Fuzzy Hash: 0A51BF716047169FD714DF29DC84A5AB7E4FF98725F04862EF809E3340E738E9068BA5

Function 004412F0 Relevance: 19.6, APIs: 13, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00441319

Part of subcall function 0043B020: InterlockedExchange.KERNEL32(00000000,00000000), ref: 0043B071

SafeArrayUnlock.OLEAUT32(?), ref: 00441344
SafeArrayDestroy.OLEAUT32(?), ref: 00441353
VariantClear.OLEAUT32(?), ref: 00441366
SysAllocStringByteLen.OLEAUT32(00000000,?), ref: 00441391
SafeArrayUnlock.OLEAUT32(?), ref: 004413BE
SafeArrayDestroy.OLEAUT32(?), ref: 004413CD
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?), ref: 00441403
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00441409
MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?), ref: 00441427
SafeArrayUnlock.OLEAUT32(?), ref: 00441433
SafeArrayDestroy.OLEAUT32(?), ref: 00441442
VariantClear.OLEAUT32(?), ref: 00441455

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$ByteDestroyUnlockVariant$AllocCharClearMultiStringWide$ExchangeInitInterlocked
String ID:
API String ID: 959559482-0
Opcode ID: 96719943b4f2699fef66dc0578f4091d2bbed5e343959675ba500dbbf772d7a6
Instruction ID: 583848437ee6a124bf9c52c464091e9d41e3ea08e5183d69bbf31458a30ac1c8
Opcode Fuzzy Hash: 96719943b4f2699fef66dc0578f4091d2bbed5e343959675ba500dbbf772d7a6
Instruction Fuzzy Hash: E5416A72204745AFD704DF66D884A2BB7E8FB88715F404A1DF95AD3350E738E888CB66

Function 004348F0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 302memoryCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004349B5
_strncpy.LIBCMT ref: 004349FD
VariantInit.OLEAUT32(?), ref: 00434A4B
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00434A63
SysStringLen.OLEAUT32(?), ref: 00434A80
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000010,?,00000000,00000000), ref: 00434AC2
VariantClear.OLEAUT32(00000008), ref: 00434B0A
MultiByteToWideChar.KERNEL32(00000000), ref: 00434B81
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00434B8E
MultiByteToWideChar.KERNEL32(00000000), ref: 00434BB1

Strings

L, xrefs: 004349AD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiVariantWide$String$AllocChangeClearForegroundInitTypeWindow_strncpy
String ID: L
API String ID: 2532158790-2909332022
Opcode ID: 596b4d397bb578129a9c9755a54f3cf0776b3d999437eab0e07a0ed8eca67fb0
Instruction ID: 4d52dac7e264c1977d5e4b80658f8296c46e015aed64f60552ddb084cf788d0b
Opcode Fuzzy Hash: 596b4d397bb578129a9c9755a54f3cf0776b3d999437eab0e07a0ed8eca67fb0
Instruction Fuzzy Hash: 89C1AD702047419FD314DF28C849B9BBBE8FFC9324F148A1DF1998B2A1DB74A849CB56

Function 0041C460 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 249COMMON

Download Yara Rule

Strings

registration, xrefs: 0041C608
pool, xrefs: 0041C59A
true, xrefs: 0041C54F, 0041C5AD
component, xrefs: 0041C4E6
language, xrefs: 0041C6DB
progid, xrefs: 0041C640
script, xrefs: 0041C6C5
classid, xrefs: 0041C651
debug, xrefs: 0041C53C
step, xrefs: 0041C57C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharInterlockedMultiWide$DecrementIncrement
String ID: classid$component$debug$language$pool$progid$registration$script$step$true
API String ID: 3543051981-2943638109
Opcode ID: 8ddbb803c962b69e5407e0205a52c9e44d04dd90453c119067e9ae5af0205967
Instruction ID: e80d0286fbf5968945f07e3cd3e49fb0b73ba62eaf22f6eb87ea99727390c74a
Opcode Fuzzy Hash: 8ddbb803c962b69e5407e0205a52c9e44d04dd90453c119067e9ae5af0205967
Instruction Fuzzy Hash: 0191B4752447019FD300DB29C885BABB7E9FF88324F084A2DF45687391DB78E545CB66

Function 00481E50 Relevance: 18.2, APIs: 12, Instructions: 180fileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00481EA3
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,?,?), ref: 00481F2B
GetTempFileNameA.KERNEL32(?,0055D524,00000000,?,?,00000000,?,?), ref: 00481F4B
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00481F5B
GetTempFileNameA.KERNEL32(?,0055D524,00000000,?,?,00000000,?,?), ref: 00481F75
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,04000000,00000000,?,00000000,?,?), ref: 00481F91
RtlLeaveCriticalSection.NTDLL(?), ref: 00481FAE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileTemp$CriticalNameSection$CreateDirectoryEnterLeavePathSystem
String ID:
API String ID: 302252358-0
Opcode ID: 3d865f84bf7d9999824709fb954fcdef10e8b53cca9d79f8f336771dddc4c9e2
Instruction ID: 3cda9bc6a30005c56a94ab54d6cded7c8915fc6f50ff9ed0e81ddb679323e483
Opcode Fuzzy Hash: 3d865f84bf7d9999824709fb954fcdef10e8b53cca9d79f8f336771dddc4c9e2
Instruction Fuzzy Hash: D8516B312007059FD720EF65DC85FABB3E8AB98715F104D2EEA89C72A0E774E845CB64

Function 00461CC0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00000001,00000000), ref: 00461D2B
InterlockedExchange.KERNEL32(00000001,00000000), ref: 00461D76
InterlockedExchange.KERNEL32(?,00000000), ref: 00461E30
InterlockedExchange.KERNEL32(?,00000000), ref: 00461EE4
WriteClassStm.OLE32(?,005485DC,80070057,00000000,7735E610), ref: 00461E84

Part of subcall function 00461880: StringFromCLSID.COMBASE ref: 004618B8
Part of subcall function 00461880: RtlEnterCriticalSection.NTDLL(005734F4), ref: 004618CC
Part of subcall function 00461880: InterlockedExchange.KERNEL32(?,?), ref: 004618FF
Part of subcall function 00461880: RtlLeaveCriticalSection.NTDLL(005734F4), ref: 00461919
Part of subcall function 00461880: CoTaskMemFree.COMBASE(?), ref: 00461924
Part of subcall function 00461880: InterlockedExchange.KERNEL32(?,00000000), ref: 00461946

Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4A2
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4BF
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4DC
Part of subcall function 0043D480: SysAllocString.OLEAUT32(00474517), ref: 0043D500

WriteClassStm.OLE32(?,?,00000000,7735E610), ref: 00461F57
InterlockedExchange.KERNEL32(?,00000000), ref: 00461FAB

Part of subcall function 00461B40: InterlockedExchange.KERNEL32(00000000,75562E40), ref: 00461B88

InterlockedExchange.KERNEL32(?,00000000), ref: 0046201B
WriteClassStm.OLE32(?,005485AC,?,00000000), ref: 0046203E

Strings

Duplicate object., xrefs: 00461ECB

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$String$Free$ClassWrite$CriticalSection$AllocEnterFromLeaveTask
String ID: Duplicate object.
API String ID: 1640188747-2409005836
Opcode ID: db309594b697c2e9336ee6ee85ba039c9a984861532bda3491f83a33b32b3276
Instruction ID: 3c0f52090540c628d32e97cd72bd8890f1b9f412d3613c32afa0d6e9616f7147
Opcode Fuzzy Hash: db309594b697c2e9336ee6ee85ba039c9a984861532bda3491f83a33b32b3276
Instruction Fuzzy Hash: 03B1D171604341AFC714EF55C880A9BB7E4FF98754F88482EF54AC7221E739E889CB96

Function 004511D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 144comstringCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0045121C
GetStockObject.GDI32(0000000D), ref: 00451224
GetObjectA.GDI32(00000000,0000003C,?), ref: 00451235
lstrlen.KERNEL32(?), ref: 00451246
73F7A570.USER32(?,?,?,00000001,00000000), ref: 004512AE
OleCreateFontIndirect.OLEAUT32(00000020,00536924,?), ref: 00451333

Strings

, xrefs: 0045123F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Object$Stock$A570CreateFontIndirectlstrlen
String ID:
API String ID: 3208105210-3916222277
Opcode ID: a30bd3c15ac36f1ae5bbc258e99635b379464c8d8c1bda4bbf56947a71ead010
Instruction ID: 10619255efa13e4200554418571c76f0962f224874de3b1331fa1cb16e6c34e0
Opcode Fuzzy Hash: a30bd3c15ac36f1ae5bbc258e99635b379464c8d8c1bda4bbf56947a71ead010
Instruction Fuzzy Hash: 2E41AE71A006189BCB10DFA5DC48BAEBBB8FF19351F10405AED04EB351E7349909CBA4

Function 0045C390 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 125libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000010,00000000,00000008,?,00000010,00000001,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3AC
CloseHandle.KERNEL32(00000000,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3CA
LoadLibraryExW.KERNEL32(00000010,00000000,00000008,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3D4

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,00000010,?,00000010,00000001,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C407
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000003,00000000,00000000,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C425
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C433
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 0045C4A3
FreeLibrary.KERNEL32(00000000), ref: 0045C4B4

Part of subcall function 00402400: CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00402427
Part of subcall function 00402400: GetLastError.KERNEL32 ref: 00402441
Part of subcall function 00402400: SetLastError.KERNEL32(?), ref: 00402492

Strings

DllUnregisterServer, xrefs: 0045C49C, 0045C4A1
DllRegisterServer, xrefs: 0045C495

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Library$Load$ErrorLast$CloseHandle$AddressCreateFileFreeProc
String ID: DllRegisterServer$DllUnregisterServer
API String ID: 290770624-2931954178
Opcode ID: c8f78757ffd23fb8f2829c83b0cad744e99739309a4fed54f7344208c7750bbc
Instruction ID: eafd74acff0d74299d5b93d45db01e15eb43fe11cc3b5eb22688584378bf8ddb
Opcode Fuzzy Hash: c8f78757ffd23fb8f2829c83b0cad744e99739309a4fed54f7344208c7750bbc
Instruction Fuzzy Hash: F131C072601A116FE2219B78DC94F2BB3ACEF95772F158219FD11DB291CB34DC098AA4

Function 004612C0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00461407
InterlockedExchange.KERNEL32(?,00000000), ref: 00461451
InterlockedExchange.KERNEL32(?,00000000), ref: 0046151D
InterlockedExchange.KERNEL32(?,00000000), ref: 0046153A
InterlockedExchange.KERNEL32(?,?), ref: 00461574
InterlockedExchange.KERNEL32(?,?), ref: 00461595
InterlockedExchange.KERNEL32(?,00000000), ref: 00461614
InterlockedExchange.KERNEL32(?,00000000), ref: 00461631

Strings

p@, xrefs: 004613DB, 0046142B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: p@
API String ID: 367298776-1482256116
Opcode ID: 90543b47470c4c8cb6ff93664d21153f22c50db6aad9f624205c6cd2fd6898d1
Instruction ID: 0ab44a4ab2012bf81a75ee71c6110c44bad2ccd411b20a6943c06706ac571f42
Opcode Fuzzy Hash: 90543b47470c4c8cb6ff93664d21153f22c50db6aad9f624205c6cd2fd6898d1
Instruction Fuzzy Hash: 2EB1D1B15043419FD314CF68C8C4A5BB7E8BF88314F184A6EF55ACB2A2D738D949CB96

Function 00440F90 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00440FBC
SafeArrayUnlock.OLEAUT32(?), ref: 00441019
SafeArrayDestroy.OLEAUT32(?), ref: 00441028
VariantClear.OLEAUT32(?), ref: 0044103F
SysAllocStringLen.OLEAUT32(00000000,?), ref: 004410BA

Strings

L, xrefs: 00440FEF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafeVariant$AllocClearDestroyInitStringUnlock
String ID: L
API String ID: 112508948-2909332022
Opcode ID: 8556a8530d4b257015ccb20a37c4f8656ca1240e2c47b2931ec1e05c1ade1daa
Instruction ID: 63b35f14af73cca595b55d69494ad9fc8829c6ea228420a03fe551eb38e5c103
Opcode Fuzzy Hash: 8556a8530d4b257015ccb20a37c4f8656ca1240e2c47b2931ec1e05c1ade1daa
Instruction Fuzzy Hash: 83818D706083428FD314DF69C480A1ABBE5FF88385F54892EF596C7360E778D986CB96

Function 00479DF0 Relevance: 15.1, APIs: 10, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00479E0A
SafeArrayCreate.OLEAUT32 ref: 00479E28
SafeArrayLock.OLEAUT32(00000000), ref: 00479E40
RtlLeaveCriticalSection.NTDLL(?), ref: 00479E54
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479E5F
SafeArrayDestroy.OLEAUT32(00000000), ref: 00479E6A
VariantClear.OLEAUT32(?), ref: 00479EB8
SysAllocString.OLEAUT32(00000000), ref: 00479EC4
RtlLeaveCriticalSection.NTDLL(?), ref: 00479F3E
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479F4E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$CriticalSection$LeaveUnlock$AllocClearCreateDestroyEnterLockStringVariant
String ID:
API String ID: 1938777913-0
Opcode ID: cf38f84d9cb420abf33493ad3529ca1aef674e9e10bd58fb22bcb07ff400a6d9
Instruction ID: d5be7b4c3a1645309db3c282a32b6cc114d13e626146325f56f07453f7c1f020
Opcode Fuzzy Hash: cf38f84d9cb420abf33493ad3529ca1aef674e9e10bd58fb22bcb07ff400a6d9
Instruction Fuzzy Hash: CC4190313006029BCB64DF29C880A9BB7E9FF58315B58D52AE84DD7351E739EC848BA5

Function 00479F70 Relevance: 15.1, APIs: 10, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00479F8A
SafeArrayCreate.OLEAUT32 ref: 00479FA8
SafeArrayLock.OLEAUT32(00000000), ref: 00479FC0
RtlLeaveCriticalSection.NTDLL(?), ref: 00479FD4
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479FDF
SafeArrayDestroy.OLEAUT32(00000000), ref: 00479FEA
VariantClear.OLEAUT32(?), ref: 0047A039
SysAllocString.OLEAUT32(?), ref: 0047A045
RtlLeaveCriticalSection.NTDLL(?), ref: 0047A0BE
SafeArrayUnlock.OLEAUT32(00000000), ref: 0047A0CE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$CriticalSection$LeaveUnlock$AllocClearCreateDestroyEnterLockStringVariant
String ID:
API String ID: 1938777913-0
Opcode ID: 8197d92de01215af8fe1f830835f43bd98dd1b4f3fe2d4bed9526870cfd8cfa0
Instruction ID: 1599ed094c8b6339d3ec67d92866a66266e5645c139e4b45ea06b42ad05b5dae
Opcode Fuzzy Hash: 8197d92de01215af8fe1f830835f43bd98dd1b4f3fe2d4bed9526870cfd8cfa0
Instruction Fuzzy Hash: 9A4193313006428BCB64DF29C880A9FB7E5BF94315B18D92EE84DD7311E739EC54879A

Function 00444340 Relevance: 15.1, APIs: 10, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0044437A
SafeArrayLock.OLEAUT32(00000000), ref: 00444392
SafeArrayUnlock.OLEAUT32(00000000), ref: 004443A3
SafeArrayDestroy.OLEAUT32(00000000), ref: 004443AE
VariantCopy.OLEAUT32(?,?), ref: 004443ED
SafeArrayUnlock.OLEAUT32(00000000), ref: 00444412
SafeArrayUnlock.OLEAUT32(?), ref: 00444447
SafeArrayDestroy.OLEAUT32(?), ref: 00444454
SafeArrayUnlock.OLEAUT32(?), ref: 0044445B
SafeArrayDestroy.OLEAUT32(?), ref: 00444462

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$Destroy$CopyCreateLockVariant
String ID:
API String ID: 2303439331-0
Opcode ID: 5d0e5de7639e8bf98d9476663227f6ae951e2f916f84e3771f809cd3255a9552
Instruction ID: 2295b47c345637501308091a47b8dc55310f2ba48a2f74f7f87b045542e3be1f
Opcode Fuzzy Hash: 5d0e5de7639e8bf98d9476663227f6ae951e2f916f84e3771f809cd3255a9552
Instruction Fuzzy Hash: 7B31C272200B069FD710DF69DC80B0AF7E4FB98B65F404A2EE845D3711D739E8458BA9

Function 00459C60 Relevance: 15.1, APIs: 10, Instructions: 110COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00459C89

Part of subcall function 0043B020: InterlockedExchange.KERNEL32(00000000,00000000), ref: 0043B071

SafeArrayUnlock.OLEAUT32(?), ref: 00459CB4
SafeArrayDestroy.OLEAUT32(?), ref: 00459CC3
VariantClear.OLEAUT32(?), ref: 00459CD6
SafeArrayUnlock.OLEAUT32(?), ref: 00459D2D
SafeArrayDestroy.OLEAUT32(?), ref: 00459D3C
VariantClear.OLEAUT32(?), ref: 00459D4F
SafeArrayUnlock.OLEAUT32(?), ref: 00459D72
SafeArrayDestroy.OLEAUT32(?), ref: 00459D81
VariantClear.OLEAUT32(?), ref: 00459D94

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Variant$ClearDestroyUnlock$ExchangeInitInterlocked
String ID:
API String ID: 2752810024-0
Opcode ID: 89e896c00ff62d72ec91336e87344ec2668d96b30fe25c7630e1e8e83599cc31
Instruction ID: 93e596fda6f4f8b8b35d7d797431740c90ec835ce7daf7142e70f8a2448937b1
Opcode Fuzzy Hash: 89e896c00ff62d72ec91336e87344ec2668d96b30fe25c7630e1e8e83599cc31
Instruction Fuzzy Hash: 5B416BB2504780DBC714DF29D884A5BB7E8BB98716F044A1EF89AD3311E33CD948DB56

Function 00459E90 Relevance: 15.1, APIs: 10, Instructions: 110COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00459EB9

Part of subcall function 0043B020: InterlockedExchange.KERNEL32(00000000,00000000), ref: 0043B071

SafeArrayUnlock.OLEAUT32(?), ref: 00459EE4
SafeArrayDestroy.OLEAUT32(?), ref: 00459EF3
VariantClear.OLEAUT32(?), ref: 00459F06
SafeArrayUnlock.OLEAUT32(?), ref: 00459F5D
SafeArrayDestroy.OLEAUT32(?), ref: 00459F6C
VariantClear.OLEAUT32(?), ref: 00459F7F
SafeArrayUnlock.OLEAUT32(?), ref: 00459FA2
SafeArrayDestroy.OLEAUT32(?), ref: 00459FB1
VariantClear.OLEAUT32(?), ref: 00459FC4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Variant$ClearDestroyUnlock$ExchangeInitInterlocked
String ID:
API String ID: 2752810024-0
Opcode ID: 596c5eba1de760f85bec7134b936b00be4a09e5d65b01b234009e24e0b69225f
Instruction ID: 26f571c07edcbf1b0a9ee6f66e4a300a14a4947907d7173fb7fa2c2863fcd910
Opcode Fuzzy Hash: 596c5eba1de760f85bec7134b936b00be4a09e5d65b01b234009e24e0b69225f
Instruction Fuzzy Hash: 5B412C76604741DBC714DF25D844A5BB7E8BB98715F044A1EF89AD3310E33CD948CB66

Function 005216ED Relevance: 15.1, APIs: 10, Instructions: 81stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005216F2
GetClassInfoA.USER32(?,?,?), ref: 0052170D
RegisterClassA.USER32(00000004), ref: 00521720
lstrlen.KERNEL32(-00000034,00000001), ref: 0052175C
lstrlen.KERNEL32(?), ref: 00521763

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: 74bf85631714d6a76d9f8c6425cbd3cc2a114399abed975baba99a2d40805dbe
Instruction ID: 30f7e79563c1a3f5b2542ab54272c901dc68ebde76dc90bc73261e166e0a27eb
Opcode Fuzzy Hash: 74bf85631714d6a76d9f8c6425cbd3cc2a114399abed975baba99a2d40805dbe
Instruction Fuzzy Hash: D131D23190062AAFCF019FA0EC45BAEBFF8FF65315F144526E805A3291D7309A55DBA4

Function 004C839B Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 228COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 004C8473
_strcat.LIBCMT ref: 004C8490
___shr_12.LIBCMT ref: 004C8559

Strings

1#INF, xrefs: 004C846A
?, xrefs: 004C83F0
1#SNAN, xrefs: 004C843F
1#IND, xrefs: 004C8459
1#QNAN, xrefs: 004C8487

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-4131533671
Opcode ID: b75799d9632815a75d403df542ba92a74dfc33cdc108480d9ff3d0ac8a471d23
Instruction ID: 174d1d6cf3fe170929303b8b645b66bbfed831cd88e0c4bc2fc5571780fb3d8f
Opcode Fuzzy Hash: b75799d9632815a75d403df542ba92a74dfc33cdc108480d9ff3d0ac8a471d23
Instruction Fuzzy Hash: BB81173A80429A9ECF55CF68C844BFF7BB4AF11314F08459FD851DB282EB789A05C769

Function 00458460 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00458476
VariantClear.OLEAUT32(?), ref: 00458497
RtlLeaveCriticalSection.NTDLL(?), ref: 004584B0

Strings

mS8CB, xrefs: 004584DE, 004584E6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$ClearEnterLeaveVariant
String ID: mS8CB
API String ID: 3955881063-2657045668
Opcode ID: 7bfb355b893d5ec5990e39cec688329176464d6fdbd7c022594bd94d2bec8421
Instruction ID: 1cbffd9e8c7f78cc5f516dc8c4452d5a02bd6a7abeb13b2f8b1f3b94bd529933
Opcode Fuzzy Hash: 7bfb355b893d5ec5990e39cec688329176464d6fdbd7c022594bd94d2bec8421
Instruction Fuzzy Hash: E4318372200615ABC710DF2DECC0D5BB3E8EB95366701452EFC45E7312EB34EC899AA4

Function 0047C3A0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047C3F8
SafeArrayUnlock.OLEAUT32(?), ref: 0047C423
SafeArrayDestroy.OLEAUT32(?), ref: 0047C432
VariantClear.OLEAUT32(?), ref: 0047C445

Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4A2
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4BF
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4DC
Part of subcall function 0043D480: SysAllocString.OLEAUT32(00474517), ref: 0043D500

Strings

Algorithm not initialized., xrefs: 0047C3CA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free$ArraySafeVariant$AllocClearDestroyInitUnlock
String ID: Algorithm not initialized.
API String ID: 687993229-3952168020
Opcode ID: ab15905cbb5b6893ea1a73b5a4282decc755fb5f938e5acb9280da5161e2c216
Instruction ID: cc10c71303118ef3047337bdc49b55a1621bba22b7c2d18b0e8d9e17b1daf952
Opcode Fuzzy Hash: ab15905cbb5b6893ea1a73b5a4282decc755fb5f938e5acb9280da5161e2c216
Instruction Fuzzy Hash: 8F312C766047419BC314DF29E984AABB7E8FBD8B29F04491EF54AD3300D738D9449B62

Function 004C8DAA Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0054735C,00000001,0054735C,00000001,00548528,00000040,004C87AD,?,00000001,?,00000000,?,00000000,?), ref: 004C8DD6
GetLastError.KERNEL32(?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074,00548078,00000018,004C4890,00548088,00000008,004BDC7A), ref: 004C8DE8
GetCPInfo.KERNEL32(?,?,00548528,00000040,004C87AD,?,00000001,?,00000000,?,00000000,?,?,004C7706,00000000,?), ref: 004C8E92
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C8F20
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C8F99
MultiByteToWideChar.KERNEL32(?,00000009,000007D0,?,00000000,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C8FB6
MultiByteToWideChar.KERNEL32(?,00000001,000007D0,?,?,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C902C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: c28ffd1e868b32d2326de3479255bd927237f8006929c596ddf04ee70b8c9421
Instruction ID: ac7489cc107be540898f3af2560012323bf105fb6f3489cf090faeefa70b0a7e
Opcode Fuzzy Hash: c28ffd1e868b32d2326de3479255bd927237f8006929c596ddf04ee70b8c9421
Instruction Fuzzy Hash: 0DB1AC39900209AFCF629F65DC49FEE7BB6AF44300F14011FF914A62A1DB398D61DB59

Function 00479C50 Relevance: 13.6, APIs: 9, Instructions: 143COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00479C6A
SafeArrayCreate.OLEAUT32 ref: 00479C88
SafeArrayLock.OLEAUT32(00000000), ref: 00479CA0
RtlLeaveCriticalSection.NTDLL(?), ref: 00479CB4
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479CBF
SafeArrayDestroy.OLEAUT32(00000000), ref: 00479CCA
VariantClear.OLEAUT32(?), ref: 00479D24
RtlLeaveCriticalSection.NTDLL(?), ref: 00479D9A
SafeArrayUnlock.OLEAUT32(00000000), ref: 00479DAA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$CriticalSection$LeaveUnlock$ClearCreateDestroyEnterLockVariant
String ID:
API String ID: 2217908346-0
Opcode ID: cc6e5a7ec863d19fc4f211475f7e606423bbe96cfd318b11a93c85b18eed08d3
Instruction ID: 778f564513769a89e1978565674a6b85cebcb658376dbd57044bb5d785144ae2
Opcode Fuzzy Hash: cc6e5a7ec863d19fc4f211475f7e606423bbe96cfd318b11a93c85b18eed08d3
Instruction Fuzzy Hash: 184181313046069FCB68DF29D884A9BB7E5FF94315B24C56AE80DD7311E738EC418B99

Function 00475B40 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(005629AC,?), ref: 00475B84
ReleaseSemaphore.KERNEL32(00562988,00000001,00000000,?,?,?,?,?,?,0052ECB8,000000FF,00476137,?), ref: 00475BA8
ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,?,?,?,?,?,0052ECB8,000000FF,00476137,?), ref: 00475BB2
InterlockedExchange.KERNEL32(?,00000000), ref: 00475BB7
InterlockedExchange.KERNEL32(005629AC,?), ref: 00475BDD
ReleaseSemaphore.KERNEL32(00562988,00000001,00000000,?,?,?,?,?,?,0052ECB8,000000FF,00476137,?), ref: 00475BFB
ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,?,?,?,?,?,0052ECB8,000000FF,00476137,?), ref: 00475C05
InterlockedExchange.KERNEL32(?,00000000), ref: 00475C0A
InterlockedExchange.KERNEL32(005629AC,00000000), ref: 00475C31

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$ReleaseSemaphore
String ID:
API String ID: 1069533530-0
Opcode ID: 759ed84538bb10f5e585d444409dd6e732a3c2ef55942c45fdb87753713f55f8
Instruction ID: 1247e2a34a263c9c928c4d76ca58d0444b7725d37a20d2fe32fd1faafcbc03b1
Opcode Fuzzy Hash: 759ed84538bb10f5e585d444409dd6e732a3c2ef55942c45fdb87753713f55f8
Instruction Fuzzy Hash: FF316DB2600305AFD710DFA9CC84F5BB7A8AF48710F044A69F614DB291D7B5EC44CBA5

Function 00431310 Relevance: 13.6, APIs: 9, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00431345
RegCloseKey.ADVAPI32(0055CEDC), ref: 0043135A
RegCloseKey.ADVAPI32(0055CEDC), ref: 00431377
RegEnumKeyExA.ADVAPI32(0002001F,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004313B0
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004313EA
RegCloseKey.ADVAPI32(0055CEDC), ref: 004313FD
RegDeleteKeyA.ADVAPI32(?,?), ref: 00431416
RegCloseKey.ADVAPI32(0055CEDC,?,?), ref: 00431427
RegCloseKey.ADVAPI32(0055CEDC), ref: 00431443

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Close$Enum$DeleteOpen
String ID:
API String ID: 3743465055-0
Opcode ID: 5fb9c5756c1e58f7e2c6d13de7fc067e9ebfbf9033ecee18261979321401fa01
Instruction ID: 12c2e4c2d4b8db3244511ec984a3fe53cd889f46c90f1cd1dcba9b718182380f
Opcode Fuzzy Hash: 5fb9c5756c1e58f7e2c6d13de7fc067e9ebfbf9033ecee18261979321401fa01
Instruction Fuzzy Hash: 363150B5204301ABE314DB25DC48FABB7E8AF98750F04991EF984D7360E775D8098BA5

Function 004592C0 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 495COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00000018,00000000), ref: 004598B1

Strings

\\S, xrefs: 0045966F
pyX, xrefs: 004592E0
\\S, xrefs: 00459531
`=D, xrefs: 00459887
\\S, xrefs: 004595D3
x, xrefs: 004594FF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: \\S$\\S$\\S$`=D$pyX$x
API String ID: 367298776-3735900529
Opcode ID: bffcb5245b96025bee34840ad120ba768a1187521df7e93433bf25e4d1b601b1
Instruction ID: 342b02eebb73dec69554dded1e3107ceb7fd8c7b75ee5b14476367b73354c439
Opcode Fuzzy Hash: bffcb5245b96025bee34840ad120ba768a1187521df7e93433bf25e4d1b601b1
Instruction Fuzzy Hash: 3D12BC72604200DFC714DF18C881A9AB7E5FF9A314F148A5EF8999B392D734ED09CB95

Function 00460000 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(?,?), ref: 0046010A
MoveFileA.KERNEL32(?,?), ref: 00460146
MoveFileExW.KERNEL32(?,?,00000004,?,?,?,?), ref: 004601D3

Strings

WININIT.INI, xrefs: 004602F1
Rename, xrefs: 004602FC

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileMove
String ID: Rename$WININIT.INI
API String ID: 3562171763-476351555
Opcode ID: 251412cbb76d33cbc8c750accbfa5428480818a6e226dd6018028dc1bad83c82
Instruction ID: 479d6b5def841a10707d7db18d7db1f6aa2529c8fe227ded23ed90739869ddb8
Opcode Fuzzy Hash: 251412cbb76d33cbc8c750accbfa5428480818a6e226dd6018028dc1bad83c82
Instruction Fuzzy Hash: 6BB192712057418FD314CF28C859B9BB7A4FFDA324F188B5DE4658B2E1DB349905CB92

Function 00418AD0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00527F5D: __EH_prolog.LIBCMT ref: 00527F62

InterlockedExchange.KERNEL32(?,00000001), ref: 00418BE4
VariantClear.OLEAUT32(?), ref: 00418D5E
InterlockedIncrement.KERNEL32(?), ref: 00418D6B
InterlockedDecrement.KERNEL32(?), ref: 00418DB7

Strings

File "%s", Line %d : , xrefs: 00418C52
JobWorker, xrefs: 00418AFA
File not found : , xrefs: 00418B86

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Interlocked$ClearDecrementExchangeH_prologIncrementVariant
String ID: File "%s", Line %d : $File not found : $JobWorker
API String ID: 1733571536-351987683
Opcode ID: 2abeb1dd56305e9d23fe877b8b0634e04357db9fe899aa7c8a47b311980d99e6
Instruction ID: 8ea961e7e5ca0bf3e3721e6eabe935911269488311e7a2b45e79dc36bf2b9222
Opcode Fuzzy Hash: 2abeb1dd56305e9d23fe877b8b0634e04357db9fe899aa7c8a47b311980d99e6
Instruction Fuzzy Hash: CDA1AE706003458FDB14DF64D880BABBBA5FF99304F14456EF9068B392EB38E885CB95

Function 00425610 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 00425698

Part of subcall function 004B9414: CloseHandle.KERNEL32(00000002,?,004269AD), ref: 004B9425

RtlDeleteCriticalSection.NTDLL(?), ref: 0042571B
InterlockedExchange.KERNEL32(0058D28C,00000000), ref: 00425769
InterlockedExchange.KERNEL32(?,00000000), ref: 004257A5
InterlockedExchange.KERNEL32(?,00000000), ref: 004257BE

Strings

PJB, xrefs: 0042562F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CriticalDeleteSection$CloseHandle
String ID: PJB
API String ID: 4021226023-28930193
Opcode ID: 02deaf90e3ddb916f839aa590b65d533d344e78d1a886e4add6eea8b522cc949
Instruction ID: 6f54e3f890f6a6f54188350e77b48a815e5c6f12ff655a7f35ab1e5a926b8a14
Opcode Fuzzy Hash: 02deaf90e3ddb916f839aa590b65d533d344e78d1a886e4add6eea8b522cc949
Instruction Fuzzy Hash: B2919071600B81CFC710DF69C884A5BFBE5BF88314F944A2EE48A87751D778E849CB65

Function 004746B0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 208COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004746E3

Part of subcall function 0043C770: WideCharToMultiByte.KERNEL32(00000000,?,?,?,?,?,?,0052BFE8,000000FF), ref: 0043C7D7
Part of subcall function 0043C770: WideCharToMultiByte.KERNEL32(00000000,?,?,?,?,?,?,0052BFE8,000000FF), ref: 0043C812

InterlockedExchange.KERNEL32 ref: 0047472B
InterlockedExchange.KERNEL32(?,00000000), ref: 00474831
SysStringLen.OLEAUT32(?), ref: 004748AF
InterlockedExchange.KERNEL32(?,00000000), ref: 004748CB

Strings

select * from [, xrefs: 00474791
] where 1=0, xrefs: 0047479C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$ByteCharMultiStringWide
String ID: ] where 1=0$select * from [
API String ID: 3026511587-958639821
Opcode ID: 54b65f6acf7d65a6cb1f2a5e64602aee4e1e7572bfcb29a2e789c5c0514cd87d
Instruction ID: 4f0598c90cd6f8e3bcd54c5b445cd7a8c8751b3a54066ecf9e0f640823c682c2
Opcode Fuzzy Hash: 54b65f6acf7d65a6cb1f2a5e64602aee4e1e7572bfcb29a2e789c5c0514cd87d
Instruction Fuzzy Hash: 3C819C712047819FD304DB28C845B6BB7A8BFD5724F148B5DF4A98B2E1DB34D805CBA6

Function 00474010 Relevance: 12.5, APIs: 8, Instructions: 457COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0047407A
QueryPerformanceCounter.KERNEL32(?), ref: 00474097
InterlockedExchange.KERNEL32(?,00000000), ref: 004740BD
InterlockedExchange.KERNEL32(?,00000000), ref: 004740DA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CounterCriticalEnterPerformanceQuerySection
String ID:
API String ID: 2848589658-0
Opcode ID: b06eeb84ec33b735a9f87abb830b7f8b95939d4538c3e1095c445cd92b159ec1
Instruction ID: a19df775c51bb6cab56bce827cdca25ac1e2f106718790f0545094f88fc27301
Opcode Fuzzy Hash: b06eeb84ec33b735a9f87abb830b7f8b95939d4538c3e1095c445cd92b159ec1
Instruction Fuzzy Hash: AF027BB16043419FC710DF69D884A6BB7E5BBC8304F148D2EF98A87351EB38E945CB66

Function 00478840 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166filetimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00478894
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 004788B0
BuildCommDCBA.KERNEL32(00000010,?), ref: 004789BD
SetCommState.KERNEL32(00000000,?), ref: 004789CC
SetCommTimeouts.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052EEE8,000000FF), ref: 00478904

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

Strings

COM%d, xrefs: 0047888E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Comm$BuildCreateErrorFileLastStateTimeoutswsprintf
String ID: COM%d
API String ID: 3206050894-3228104410
Opcode ID: 26ac976555198e0a5e12cd9ed138f2f0afd66c5037de28f19688c73b611e1f2f
Instruction ID: f0fa877e21c54fe8e1a827bda57ef964a5e31b9a72980c12b243ab3f6fd3c12b
Opcode Fuzzy Hash: 26ac976555198e0a5e12cd9ed138f2f0afd66c5037de28f19688c73b611e1f2f
Instruction Fuzzy Hash: F2519CB26047019FD314DF29C888B5BB7E4FFC8724F048A2EE55997390EB389909CB95

Function 00460E70 Relevance: 12.4, APIs: 8, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e20e4a27539f2dcb9f81036f4fd810784aa737f4b997ded0a664219cce186b61
Instruction ID: 7667ac8a2e1077b8344a351aec79746e09b659486e8689936411a4f30b68eddb
Opcode Fuzzy Hash: e20e4a27539f2dcb9f81036f4fd810784aa737f4b997ded0a664219cce186b61
Instruction Fuzzy Hash: 1DE1E3716043418FC314DF68C884A1BB7E9BFC9324F184A5EF5558B3A2DB39E849CB96

Function 00441974 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004419AF
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00441A94

Strings

', xrefs: 00441A07
&, xrefs: 00441A67
", xrefs: 00441A1F
>, xrefs: 00441A4F
<, xrefs: 00441A37

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Alloc
String ID: &$'$>$<$"
API String ID: 143312630-87953025
Opcode ID: 32ca868b857dc8b47cbe1cb266882148293aef18b9296a888d11054e7a5833a6
Instruction ID: b0c3abc6d2bca8500977b7c1a9ceb5fc5852f36f7293fae41b52f91c83210678
Opcode Fuzzy Hash: 32ca868b857dc8b47cbe1cb266882148293aef18b9296a888d11054e7a5833a6
Instruction Fuzzy Hash: E8214BF7E057006BE3009A14CCC1E9F7364BF61308F26442FF94A762A1F279864686AB

Function 0045D010 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

StringFromCLSID.COMBASE ref: 0045D03B
RtlEnterCriticalSection.NTDLL(005734F4), ref: 0045D057
InterlockedExchange.KERNEL32(?,?), ref: 0045D0D8
InterlockedExchange.KERNEL32(?,00000000), ref: 0045D10F
RtlLeaveCriticalSection.NTDLL(005734F4), ref: 0045D129
CoTaskMemFree.COMBASE(?), ref: 0045D134

Strings

(wX, xrefs: 0045D086

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterFreeFromLeaveStringTask
String ID: (wX
API String ID: 1130067563-3436312765
Opcode ID: cc42f1efc5f06f6919b8a91a1bea98f8c47fa00b2a3c31d9994176c14442a1a2
Instruction ID: 4733db848672eac0be63e2e1c5d882b24a5887c4ff6229358ed78075c7b90698
Opcode Fuzzy Hash: cc42f1efc5f06f6919b8a91a1bea98f8c47fa00b2a3c31d9994176c14442a1a2
Instruction Fuzzy Hash: 3F3159716047029BC314DF64C844A1BBBE8FF89765F048A1DB899973D2DB38D809CBA5

Function 00434030 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(?,00000000), ref: 0043404B
SetConsoleTitleA.KERNEL32(NetBox Version 2.8 Build 4128,?,00000000), ref: 00434056
InterlockedExchange.KERNEL32(?,00000000), ref: 00434077

Part of subcall function 0047DFB0: GetStdHandle.KERNEL32 ref: 0047DFEA
Part of subcall function 0047DFB0: GetStdHandle.KERNEL32(000000F5), ref: 0047DFF1

InterlockedExchange.KERNEL32(00000000,00000000), ref: 004340B6
InterlockedExchange.KERNEL32(00000000,00000000), ref: 004340C9
InterlockedExchange.KERNEL32(00000000,00000000), ref: 004340D4

Strings

NetBox Version 2.8 Build 4128, xrefs: 00434051

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$ConsoleHandle$AllocTitle
String ID: NetBox Version 2.8 Build 4128
API String ID: 675694746-2480762426
Opcode ID: 94d3fed5e9e16b12fed30f7fde73b256890974eaa8691adc71f078c3eb91d4a4
Instruction ID: 373c99eed2560f0f06b70c9206967a04ecb8180271dc602f824ddac1fd4daf4a
Opcode Fuzzy Hash: 94d3fed5e9e16b12fed30f7fde73b256890974eaa8691adc71f078c3eb91d4a4
Instruction Fuzzy Hash: 8D114F72600201AFD604ABB4CC48BEB77ACAFC4750F048929EA45CB250DB76E945CBA6

Function 004C427B Relevance: 12.2, APIs: 8, Instructions: 212timeCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004C428E

Part of subcall function 004BF246: RtlEnterCriticalSection.NTDLL(?), ref: 004BF26E

_strlen.LIBCMT ref: 004C4300
_strcat.LIBCMT ref: 004C431D
_strncpy.LIBCMT ref: 004C4336

Part of subcall function 004BAB15: __lock.LIBCMT ref: 004BAB33
Part of subcall function 004BAB15: RtlFreeHeap.NTDLL(00000000,?,005471E8,0000000C,004BE880,?), ref: 004BAB7A

GetTimeZoneInformation.KERNEL32(0058AB88,00548078,00000018,004C4890,00548088,00000008,004BDC7A,?,?,004B33D6,?), ref: 004C439F
WideCharToMultiByte.KERNEL32(00000000,00000000,0058AB8C,000000FF,0000003F,00000000,?,?,004B33D6,?), ref: 004C442D
WideCharToMultiByte.KERNEL32(00000000,00000000,0058ABE0,000000FF,0000003F,00000000,?,?,004B33D6,?), ref: 004C4461

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID:
API String ID: 3757401926-0
Opcode ID: f0d3c5b7abb85a21a0caa1bddaa4812d836f0470ae9675c0b103e4baba27b61a
Instruction ID: afd9be8f094e739708ceabae437dd3142eb569fb349a4a4fa78e8cfe4e645b67
Opcode Fuzzy Hash: f0d3c5b7abb85a21a0caa1bddaa4812d836f0470ae9675c0b103e4baba27b61a
Instruction Fuzzy Hash: 0D7169749002409ED7699F29EE41F567FADBBA1320F34010FE854A72A1D77C4C86EB2E

Function 00479930 Relevance: 12.2, APIs: 8, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00479979
RtlLeaveCriticalSection.NTDLL(?), ref: 00479A84
SysAllocStringLen.OLEAUT32(00000010,?), ref: 00479A8F
RtlLeaveCriticalSection.NTDLL(?), ref: 00479AB4
VariantClear.OLEAUT32(80070057), ref: 00479ABF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$Leave$AllocClearEnterStringVariant
String ID:
API String ID: 835841781-0
Opcode ID: b3ca407512ac1a01c324c612a1edda83eee7c9407ad298d8a39b86e100f332fc
Instruction ID: a6b2e2f42821b879d20e58c97d5b822161d778139286edb8c18e0e2be25fa540
Opcode Fuzzy Hash: b3ca407512ac1a01c324c612a1edda83eee7c9407ad298d8a39b86e100f332fc
Instruction Fuzzy Hash: E251C3752047019FD714DF29C885A6BB3E4FF94324F048A2EF85A93391E738E809CB65

Function 004C5DD4 Relevance: 12.2, APIs: 8, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,005482A0,00000038,004C1F30,?,00000000,00000000,?,00000000,00000000,00547618,0000001C,004C02C9,00000001,00000000), ref: 004C5E12
GetCPInfo.KERNEL32(00000000,00000001), ref: 004C5E25
_strlen.LIBCMT ref: 004C5E49
MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000,?,004BB8AD,?,00000000,00000008,00000000,00428630), ref: 004C5E6A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: 9a66a6b18e09c56a12111f6b9054091a65b8c71eebf393e7d450acb19ec87fd5
Instruction ID: 32210e8da3c1a5768d81b62bc671e5e2abfd58bbbb46e0d61878af17790fac1e
Opcode Fuzzy Hash: 9a66a6b18e09c56a12111f6b9054091a65b8c71eebf393e7d450acb19ec87fd5
Instruction Fuzzy Hash: E551BE75800A08EFCF259F55DC85EAFBBB8EF45750F20011EF415A6250E734AD91CB64

Function 00458240 Relevance: 12.2, APIs: 8, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0045828F
RtlLeaveCriticalSection.NTDLL(?), ref: 00458367
SysAllocStringLen.OLEAUT32(?,?), ref: 00458376
RtlLeaveCriticalSection.NTDLL(?), ref: 00458391
VariantClear.OLEAUT32(?), ref: 0045839C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$Leave$AllocClearEnterStringVariant
String ID:
API String ID: 835841781-0
Opcode ID: 65cb226a69a99bb37cbc4adf567f129474bb873d17997eb3d9b7dc6fd7e5602a
Instruction ID: 60225d1dca7ddc56a9b68dcc5cba3291829cba342199ed632320c2d1b52f917e
Opcode Fuzzy Hash: 65cb226a69a99bb37cbc4adf567f129474bb873d17997eb3d9b7dc6fd7e5602a
Instruction Fuzzy Hash: 62516D71104B019FD714DF25D845A6BB7A8FF94721F044A2EFC56A7392EB34E808CBA5

Function 004BC86B Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00547278,00000060), ref: 004BC88B
GetModuleHandleA.KERNEL32(00000000,?,00547278,00000060), ref: 004BC8DE
_fast_error_exit.LIBCMT ref: 004BC940
_fast_error_exit.LIBCMT ref: 004BC951
GetCommandLineA.KERNEL32(?,00547278,00000060), ref: 004BC970
GetStartupInfoA.KERNEL32(?), ref: 004BC9C4
__wincmdln.LIBCMT ref: 004BC9CA
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004BC9E7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
String ID:
API String ID: 3897392166-0
Opcode ID: 6cc946732051a21a6d3a480c074a328926aea05020864ed9c04dd5400ca07eb3
Instruction ID: 881e6fa0891d88651721f0f72f3a4442ad6833391d2d154a16f6612d842b4e2f
Opcode Fuzzy Hash: 6cc946732051a21a6d3a480c074a328926aea05020864ed9c04dd5400ca07eb3
Instruction Fuzzy Hash: 214190B1D006148BEB20BF7698C67EE77A0AF44714F10442FF854AB291DB7C8842DBB9

Function 004416E0 Relevance: 12.1, APIs: 8, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0044170A
SafeArrayUnlock.OLEAUT32(?), ref: 0044174E
SafeArrayDestroy.OLEAUT32(?), ref: 0044175D
VariantClear.OLEAUT32(?), ref: 00441770
SysAllocStringLen.OLEAUT32(00000000,?), ref: 004417A5
SafeArrayUnlock.OLEAUT32(?), ref: 00441822
SafeArrayDestroy.OLEAUT32(?), ref: 00441831
VariantClear.OLEAUT32(?), ref: 00441844

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Variant$ClearDestroyUnlock$AllocInitString
String ID:
API String ID: 599256811-0
Opcode ID: 744010dfc61ee733e71f0487e55eef924930985ee153d1ea8a2bd4f0e321b502
Instruction ID: 3fbfbe3c439a932cea1dbf73fac8d3a981514a6393388a25b953f36af52da55d
Opcode Fuzzy Hash: 744010dfc61ee733e71f0487e55eef924930985ee153d1ea8a2bd4f0e321b502
Instruction Fuzzy Hash: 7041F2726047518BD708DF25C980A2BB7F6FF98B15F448A2EE45AC7310E738D944CB56

Function 00461710 Relevance: 12.1, APIs: 8, Instructions: 115COMMON

Download Yara Rule

APIs

StringFromCLSID.COMBASE ref: 0046174B
InterlockedExchange.KERNEL32(00000000,00000000), ref: 00461766
RtlEnterCriticalSection.NTDLL(005734F4), ref: 00461798
InterlockedExchange.KERNEL32(?,?), ref: 004617CB
RtlLeaveCriticalSection.NTDLL(005734F4), ref: 004617E5
CoTaskMemFree.COMBASE(?), ref: 004617F0
InterlockedExchange.KERNEL32(?,00000000), ref: 0046181E
InterlockedExchange.KERNEL32(?,00000000), ref: 0046184E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CriticalSection$EnterFreeFromLeaveStringTask
String ID:
API String ID: 2223238521-0
Opcode ID: 399e0a705b9a2093fa8438ecafd422e5c4e8396f9575b5744f8ff6dbc7765864
Instruction ID: deffa8940ea4ac40117cb207a42b7ce7a5584a7e13dfc1ee22039394375ff08f
Opcode Fuzzy Hash: 399e0a705b9a2093fa8438ecafd422e5c4e8396f9575b5744f8ff6dbc7765864
Instruction Fuzzy Hash: 96413A75604701AFC314DB68D848F5BB7A8FF88B21F088619F559C73A0EB38D845CBA2

Function 004197C0 Relevance: 12.1, APIs: 8, Instructions: 102sleepCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(75570F00), ref: 004197FA
Sleep.KERNEL32(00000001), ref: 0041982A
RtlLeaveCriticalSection.NTDLL(0058D254), ref: 0041985E
Sleep.KERNEL32(00000001), ref: 00419872
Sleep.KERNEL32(00000001), ref: 0041989A
CloseHandle.KERNEL32(?), ref: 004198AD
CloseHandle.KERNEL32(?), ref: 004198B3
VariantClear.OLEAUT32(?), ref: 004198D7

Part of subcall function 00419750: Sleep.KERNEL32(00000001,?,7534EA60,00418322,004197F2,?,00418322), ref: 0041979F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Sleep$CloseHandleVariant$ClearCriticalInitLeaveSection
String ID:
API String ID: 633018327-0
Opcode ID: 986e76d3c627a765a454f13b5ed4a3535fa8f32a3239a577ec4f6dac8212b68b
Instruction ID: fa68cae559a671269559b38844318ecabe33dc1151d0a2b33a6b227b49563df4
Opcode Fuzzy Hash: 986e76d3c627a765a454f13b5ed4a3535fa8f32a3239a577ec4f6dac8212b68b
Instruction Fuzzy Hash: 7D314971600B009BC724EF6AC891B9BB7E9BF48B04F40482EE546D7791DB78F849CB65

Function 00450800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf75d25b6040774c48589c64a3196150df60e9cd5e46f14fce6333992e6209d
Instruction ID: 5fb770c933bd1e086877ec2d5842c6b74dee66fb6ef05a96cf07fbee111657c0
Opcode Fuzzy Hash: 8cf75d25b6040774c48589c64a3196150df60e9cd5e46f14fce6333992e6209d
Instruction Fuzzy Hash: 9C31CE756046029BC711EF28D888F6BBBA8BF98701F10885AFC8587312E335D808CBA5

Function 0040CF60 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

http://, xrefs: 0040D06B
Destination, xrefs: 0040D024

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: Destination$http://
API String ID: 0-4217230688
Opcode ID: f0408bdea402188fbe727312a454c3da33d8ab450951e806547380a67946a51c
Instruction ID: 4c41e324084851fca0e6b5c5b48455ce6c3eca41f4c261c871bf981a8c1158a2
Opcode Fuzzy Hash: f0408bdea402188fbe727312a454c3da33d8ab450951e806547380a67946a51c
Instruction Fuzzy Hash: DFF1CF716047418FD300DF28C845A5BBBE4FF95328F14866DE8559B3E2DB34E909CBA6

Function 00478F30 Relevance: 10.8, APIs: 7, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00478F57
RtlEnterCriticalSection.NTDLL(?), ref: 00478F95
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00479024
RtlLeaveCriticalSection.NTDLL(?), ref: 00479091

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSectionString$AllocEnterLeave
String ID:
API String ID: 3338872719-0
Opcode ID: ec0f9a07b3b2696df3c46fdc204732a08e8c3d07bcd8c080b1e6dbd7bc4b1495
Instruction ID: 0e2358838c6815c4faf04b331ef813650b77ca25ba9723a2516904c4caed2918
Opcode Fuzzy Hash: ec0f9a07b3b2696df3c46fdc204732a08e8c3d07bcd8c080b1e6dbd7bc4b1495
Instruction Fuzzy Hash: 25A16C759043419BD714DF19C880AABF7E4FF88754F048A2EF85993341E738E945CBA9

Function 004319C0 Relevance: 10.7, APIs: 7, Instructions: 189librarystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00431A10
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 00431A76
LoadLibraryExA.KERNEL32(00000000,00000000,00000002), ref: 00431AD0
FindResourceA.KERNEL32(00000000,?,?), ref: 00431AF4
LoadResource.KERNEL32(00000000,00000000), ref: 00431B0C
SizeofResource.KERNEL32(00000000,00000000), ref: 00431B25

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

FreeLibrary.KERNEL32(?,?), ref: 00431BC3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Resource$LibraryLoad$ByteCharErrorFindFreeLastMultiSizeofWidelstrlen
String ID:
API String ID: 2863270923-0
Opcode ID: c2abcc440c3422c91c8370abc73b203cc3d78c48a428a93e30e224e50c57f0cb
Instruction ID: 4116ccb6d9827ae5ade38016ddcb87252f49af79b22d4b9f1c6261e2ab763e7f
Opcode Fuzzy Hash: c2abcc440c3422c91c8370abc73b203cc3d78c48a428a93e30e224e50c57f0cb
Instruction Fuzzy Hash: 3061BF71A012199BCB20DF69CC81B9EB7F8AF4C314F50516AF905E7351E738EE448BA9

Function 0043C0F0 Relevance: 10.7, APIs: 7, Instructions: 179timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 0043C14F
InterlockedExchange.KERNEL32(?,00000000), ref: 0043C184
InterlockedExchange.KERNEL32(?,?), ref: 0043C1BC
InterlockedExchange.KERNEL32(?,00000000), ref: 0043C1F7
InterlockedExchange.KERNEL32(00000001,00000000), ref: 0043C231
GetFileTime.KERNEL32(?,00000000,?,00000001,?,?,?,?,?,0052BF88,000000FF), ref: 0043C277
GetFileSize.KERNEL32(?,00000000,?,?,?,?,?,0052BF88,000000FF), ref: 0043C2AF

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

Part of subcall function 004466B0: InterlockedExchange.KERNEL32(00000000,00000000), ref: 004466B3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$File$ErrorLastSizeTime
String ID:
API String ID: 74514043-0
Opcode ID: 6bb8adb0e7cd44231ad22e6a797cb3d449ca3dac9ff2181878b597a78b7386f6
Instruction ID: 3375e96f08955628092207f2cbdb9d0ae528f9f5cd88d9b1bb1c8ac935fc5447
Opcode Fuzzy Hash: 6bb8adb0e7cd44231ad22e6a797cb3d449ca3dac9ff2181878b597a78b7386f6
Instruction Fuzzy Hash: 285159726007419BD714DF59C884F6BB3A8FBC8724F048A6EE469DB391DB39D805CBA1

Function 00410BE0 Relevance: 10.7, APIs: 7, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,?,?,?,?,?,00532618,000000FF), ref: 00410C30
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00410C3B
MultiByteToWideChar.KERNEL32(00000000,?,?,?,?,?,00532618,000000FF), ref: 00410C54
MultiByteToWideChar.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00532618,000000FF), ref: 00410D39
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00410D44
MultiByteToWideChar.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00532618,000000FF), ref: 00410D5D
VariantClear.OLEAUT32 ref: 00410DB1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$ClearVariant
String ID:
API String ID: 1048908205-0
Opcode ID: 6377d8b2ac078f4392eecc3b08018f9b43c147c7c28cfd2ece60ddc39ea14878
Instruction ID: 190c78ae86272400f4e53458039b70b264bf926d6e6cbd576ee51124b4d99566
Opcode Fuzzy Hash: 6377d8b2ac078f4392eecc3b08018f9b43c147c7c28cfd2ece60ddc39ea14878
Instruction Fuzzy Hash: B051CE71200740AFD314DF69CC49F57BBA8FB99325F144B19F9598B2D1DB78A808CBA1

Function 00478A40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4, xrefs: 00478BA1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 3ae593d2bb94d604eabf99877e5d18cfb7e2cda89c2bd0863443e17439ab80be
Instruction ID: 854ea5a6914bd5de937ce7d49142ca354aadcebc3d66daa072440673e0bc7cf8
Opcode Fuzzy Hash: 3ae593d2bb94d604eabf99877e5d18cfb7e2cda89c2bd0863443e17439ab80be
Instruction Fuzzy Hash: 995191766407058FD714CF68C844B9BB7A4FB85730F048A2EF96587390DB39E806CB95

Function 0049C5A0 Relevance: 10.7, APIs: 7, Instructions: 159filesleeptimeCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000,004A02A2), ref: 0049C5FC
GetSystemTimeAsFileTime.KERNEL32(?), ref: 0049C616
Sleep.KERNEL32(00000001), ref: 0049C67E
LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0049C692
UnlockFile.KERNEL32(?,40000000,00000000,?,00000000), ref: 0049C6D8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: File$LockTime$SleepSystemUnlock
String ID:
API String ID: 786281107-0
Opcode ID: 50fcfb92f320ca50b8cd1c6f9be93c056a879a0a01444647e39deaf7b4bf885d
Instruction ID: 52e5326c30dbd4d0d19ae35112a33ffe51acb5b4209d68181d28b6f21fe5ccb8
Opcode Fuzzy Hash: 50fcfb92f320ca50b8cd1c6f9be93c056a879a0a01444647e39deaf7b4bf885d
Instruction Fuzzy Hash: 2C51D1352447015BDB309E189CC0B6BBBE1AFC4B44F24182FF9948B380DB79EC498B59

Function 0046D8E0 Relevance: 10.7, APIs: 7, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046D903
VariantClear.OLEAUT32(?), ref: 0046D9B4
SysAllocString.OLEAUT32 ref: 0046D9C2
VariantClear.OLEAUT32(00000002), ref: 0046DA21
VariantClear.OLEAUT32(?), ref: 0046DA43
VariantClear.OLEAUT32(?), ref: 0046DA65
VariantClear.OLEAUT32(?), ref: 0046DA91

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$AllocInitString
String ID:
API String ID: 347172062-0
Opcode ID: e5db7b77256533cef08f7ad973e303b6ccddac6a52d29a985c38026fe02f9577
Instruction ID: 47913b8e34797cd19e026bb0d5f7f4ff7a35563e12ab82106ce3164a99f3690f
Opcode Fuzzy Hash: e5db7b77256533cef08f7ad973e303b6ccddac6a52d29a985c38026fe02f9577
Instruction Fuzzy Hash: 1351CEB5A083059FC314DF54C880A5AB7A8FF98314F104A2EF945C7350EB79E989CBE6

Function 00425950 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 004259BB
RtlEnterCriticalSection.NTDLL(00586E58), ref: 004259D4
RtlLeaveCriticalSection.NTDLL(00586E58), ref: 00425A87
InterlockedExchange.KERNEL32(?,00000000), ref: 00425A93
InterlockedExchange.KERNEL32 ref: 00425AAE

Strings

p@, xrefs: 0042598B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CriticalSection$EnterLeave
String ID: p@
API String ID: 3113034006-1482256116
Opcode ID: 59bec277648920ca017573c2067237d580245a6681a46dbd2483e891a7853635
Instruction ID: 0117de7400e76aed56be4b0043937cfb666c5b97c1dafe786185a87f64abb725
Opcode Fuzzy Hash: 59bec277648920ca017573c2067237d580245a6681a46dbd2483e891a7853635
Instruction Fuzzy Hash: 9041B272700A618FCB24CF54E8C292BB7A5BB44310BE88B6EE416DB351D738DC85CB95

Function 004155C0 Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041561A
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00415626
SysStringByteLen.OLEAUT32(?), ref: 00415640
SafeArrayUnlock.OLEAUT32(00000000), ref: 0041566F
SafeArrayDestroy.OLEAUT32 ref: 0041567C
SafeArrayLock.OLEAUT32(?), ref: 0041568F
SafeArrayGetElemsize.OLEAUT32(?), ref: 004156A6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Variant$ByteChangeDestroyElemsizeInitLockStringTypeUnlock
String ID:
API String ID: 3446032631-0
Opcode ID: 20ed9156d6ac25149d70547f4185250a4ea75359ab7b4e80d96d8a1f884e900b
Instruction ID: 160653d7d2681ff46ec1a6218d9e6c841ca9f95a010bdbea2bf70e1b6f615f5a
Opcode Fuzzy Hash: 20ed9156d6ac25149d70547f4185250a4ea75359ab7b4e80d96d8a1f884e900b
Instruction Fuzzy Hash: 87319375500B02DFCB24DF28D844B97BBE4FF54751F94892AE849DB351E738A884CBA8

Function 00475FC0 Relevance: 10.6, APIs: 7, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00475FCC
RtlEnterCriticalSection.NTDLL(?), ref: 00475FF6
RtlLeaveCriticalSection.NTDLL(?), ref: 00476015
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00476023
ReleaseSemaphore.KERNEL32 ref: 00476060
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 004760B5
RtlLeaveCriticalSection.NTDLL(?), ref: 004760C7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalReleaseSectionSemaphore$Leave$EnterObjectSingleWait
String ID:
API String ID: 3245942426-0
Opcode ID: 5db90a49720f21afe84ccacba4237378d892a8e81d40814c8c57bfc65268e4a9
Instruction ID: f46a2f014e355d296f6a6980982ea85395ad9879f32106d5621001c833c13e19
Opcode Fuzzy Hash: 5db90a49720f21afe84ccacba4237378d892a8e81d40814c8c57bfc65268e4a9
Instruction Fuzzy Hash: AC31C0712046009FCB18DF28DC80B9B77A5FB58711F10852AFE09DB385E779E849CBA8

Function 00451640 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 004516C4
GetWindowLongA.USER32(?,000000FC), ref: 004516D9
CallWindowProcA.USER32(?,?,00000082,?,?), ref: 004516EE
GetWindowLongA.USER32(?,000000FC), ref: 00451709
SetWindowLongA.USER32(?,000000FC,?), ref: 0045171B

Strings

$, xrefs: 00451684

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: a143ff3861129a36287e8cd85503cd91c2ddbd59ee33c041b17994193a26b5b6
Instruction ID: 326bb0651f7886f313ffe39dd754075fa5600d15335a770fbc1b297dc4f4b486
Opcode Fuzzy Hash: a143ff3861129a36287e8cd85503cd91c2ddbd59ee33c041b17994193a26b5b6
Instruction Fuzzy Hash: CE4115B1508700AFC724CF19C88492BBBF8FB8D714F509A0EF99A83361D775E8458B65

Function 0047CC00 Relevance: 10.6, APIs: 7, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0047CC38
SafeArrayLock.OLEAUT32(00000000), ref: 0047CC50
SafeArrayUnlock.OLEAUT32(00000000), ref: 0047CC61
SafeArrayDestroy.OLEAUT32(00000000), ref: 0047CC6C
VariantClear.OLEAUT32(?), ref: 0047CCA0
SysAllocString.OLEAUT32(00000000), ref: 0047CCAC
SafeArrayUnlock.OLEAUT32(00000000), ref: 0047CCE2

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$AllocClearCreateDestroyLockStringVariant
String ID:
API String ID: 1463714135-0
Opcode ID: 73905dd9d4cc9a70e3691626ad6c7841988e06276aefc31a532d5da5555afbb1
Instruction ID: 4a362da789905ac91af91359e7dee7e9fd4f87ea959edd75dd62baa2c306e1bd
Opcode Fuzzy Hash: 73905dd9d4cc9a70e3691626ad6c7841988e06276aefc31a532d5da5555afbb1
Instruction Fuzzy Hash: D931CF72200602DFC7219F69D8C4A5BB7E4FF99720F108A2EF95DD7310E73998458BA6

Function 005293DD Relevance: 10.6, APIs: 7, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0058A464), ref: 005293ED
TlsGetValue.KERNEL32(0058A448,?,?,0058A448,?,00529655,?,00000000,?,?,?,?,005299F7,00527A88,0051FFB3,004033D0), ref: 0052940B
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,0058A448,?,00529655,?,00000000,?,?,?,?,005299F7,00527A88), ref: 00529467
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,0058A448,?,00529655,?,00000000,?,?,?,?,005299F7), ref: 00529479
RtlLeaveCriticalSection.NTDLL(?), ref: 00529486
TlsSetValue.KERNEL32(0058A448,00000000,?,?,?,00000104,?,?,?,?,?,00000000), ref: 005294B6
RtlLeaveCriticalSection.NTDLL(0058A464), ref: 005294D7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: 959f5720fbe3ef71fdc5011a5be47a2311dcbddc42b3e219fbc50410e4ee891a
Instruction ID: c3122bb8290f733048b1bcd12b46e0acaa97e836d261f6c01bb30daea8665031
Opcode Fuzzy Hash: 959f5720fbe3ef71fdc5011a5be47a2311dcbddc42b3e219fbc50410e4ee891a
Instruction Fuzzy Hash: 7831A075500626AFCB24EF55E888C6ABBA5FF49310B10C929E95A83790D730ED55CBE0

Function 00441480 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004414AB
SysStringByteLen.OLEAUT32(?), ref: 004414BE
SafeArrayUnlock.OLEAUT32(?), ref: 004414F2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00441518
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00441539
SafeArrayUnlock.OLEAUT32(?), ref: 00441544
VariantClear.OLEAUT32(?), ref: 00441567

Part of subcall function 0043B260: SafeArrayUnlock.OLEAUT32(?), ref: 0043B270
Part of subcall function 0043B260: SafeArrayDestroy.OLEAUT32(00000000), ref: 0043B27D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$ByteUnlock$CharMultiVariantWide$ClearDestroyInitString
String ID:
API String ID: 2519303447-0
Opcode ID: 77f07984beef338a88629f10cf21ba1117c468b0a4c2d713b7a8fe0aec1e1fed
Instruction ID: 088345f1f5a7dd6e58993f65127e219c65cdfce71a81c7c3300ba17e0e27e797
Opcode Fuzzy Hash: 77f07984beef338a88629f10cf21ba1117c468b0a4c2d713b7a8fe0aec1e1fed
Instruction Fuzzy Hash: F0317AB1108304AFD714DF65DC84B6BBBE8FB98765F100A2DF946933A0D7749988CB62

Function 00441860 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044186F
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00441938

Strings

&, xrefs: 0044190B
", xrefs: 004418C3
>, xrefs: 004418F3
<, xrefs: 004418DB

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Alloc
String ID: &$>$<$"
API String ID: 143312630-318658290
Opcode ID: 53c54a41714c5ddc35c12a744aa4f0ff66b743a274c4d12b4c89746a20b8a125
Instruction ID: 33ff192995a5c8ec4ddda155f01cedccad89042feb0582d08d3e24f714049887
Opcode Fuzzy Hash: 53c54a41714c5ddc35c12a744aa4f0ff66b743a274c4d12b4c89746a20b8a125
Instruction Fuzzy Hash: F4217BF7D44300ABE3009F248C91D6FB3A4BFA5305F16442FF94A673A1F2394545866E

Function 004B9B07 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004B9B45
GetSystemMetrics.USER32(00000000), ref: 004B9B5D
GetSystemMetrics.USER32(00000001), ref: 004B9B64
lstrcpyn.KERNEL32(?,DISPLAY,00000020), ref: 004B9B8A

Strings

DISPLAY, xrefs: 004B9B81
B, xrefs: 004B9B24

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 958e534cca53e747dff120bc15612d4f3ed712ce1422feef36ec2b4aec5630d5
Instruction ID: 3f1648e92d13787b6019bf0ec7d5d73240fe4a22444cbec591bd9414630f1052
Opcode Fuzzy Hash: 958e534cca53e747dff120bc15612d4f3ed712ce1422feef36ec2b4aec5630d5
Instruction Fuzzy Hash: 5511A3715143249BDF159F64AC84A9BBBA9FF19750B00401AFE05AE146D279EC00CBB5

Function 004193F0 Relevance: 10.5, APIs: 7, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 004193F8
WaitForSingleObject.KERNEL32(?,?,?,00000000,?,?,7534EA60,00418322,004197F2,?,00418322), ref: 00419407
InterlockedDecrement.KERNEL32(?), ref: 00419412
InterlockedDecrement.KERNEL32(?), ref: 00419421
VariantCopy.OLEAUT32(?,00000000), ref: 0041943F
VariantClear.OLEAUT32(?), ref: 00419456
ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,00000000,?,?,7534EA60,00418322,004197F2,?,00418322), ref: 0041946B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Interlocked$DecrementVariant$ClearCopyIncrementObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 696636016-0
Opcode ID: 0738eb8cd3a271ec1430ddeea2d2a0750d2f9286442093c40395785c4714e413
Instruction ID: 976438882a85f90bfda3c005e8f35e89aba25040b170557b724a333bd6d64970
Opcode Fuzzy Hash: 0738eb8cd3a271ec1430ddeea2d2a0750d2f9286442093c40395785c4714e413
Instruction Fuzzy Hash: E1018CB5200B00AFD715AFA4DC88AAF77E8FF98705B40581DF94287321E774E889DB61

Function 0045D890 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 0045D8B7
InterlockedExchange.KERNEL32(?,00000000), ref: 0045D8CA
InterlockedExchange.KERNEL32(?,00000000), ref: 0045D8DC

Strings

0E, xrefs: 0045D89F
@E, xrefs: 0045D8A6
PE, xrefs: 0045D8AD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$ChangeCloseFindNotification
String ID: 0E$@E$PE
API String ID: 4171991764-2256013827
Opcode ID: 56928db3c4524d97d06960cc3ba5867cc4dcc99330a4492a9311ea82a6d7de97
Instruction ID: 56d5a1e5d24e9b2b6a683f65faf0645c2a606305f3d3e0577923a712fe40a2ce
Opcode Fuzzy Hash: 56928db3c4524d97d06960cc3ba5867cc4dcc99330a4492a9311ea82a6d7de97
Instruction Fuzzy Hash: F9F062B19007089BC734AFA9D84CE57B7ECBF49715B14091DE552CB290D7B5E849CF60

Function 00439B40 Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

SafeArrayLock.OLEAUT32(?), ref: 00439B64
SafeArrayUnlock.OLEAUT32(?), ref: 00439BAF
SafeArrayUnlock.OLEAUT32(?), ref: 00439C59
SysStringByteLen.OLEAUT32(?), ref: 00439D08

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$ByteLockString
String ID:
API String ID: 1629010759-0
Opcode ID: b61c9b922c0bbea035cf3a59c9e7e70ad1474d4c5017e8d808e202b0ab6b308a
Instruction ID: fe265a2dd293db80b84f83bd35568b8d3e46d37e928537d2ac9d38ff88003185
Opcode Fuzzy Hash: b61c9b922c0bbea035cf3a59c9e7e70ad1474d4c5017e8d808e202b0ab6b308a
Instruction Fuzzy Hash: 117104766002019BD710DF19EC84BABB3A8FFD8724F14542BF9448B340E7B9DC45C6AA

Function 00454320 Relevance: 9.2, APIs: 6, Instructions: 244stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0058D2B0), ref: 0045436A
GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 004543EF
lstrlen.KERNEL32(?), ref: 0045441F
LoadTypeLib.OLEAUT32(00000000,?), ref: 004544AF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalEnterFileLoadModuleNameSectionTypelstrlen
String ID:
API String ID: 4054831426-0
Opcode ID: 286d6e8f589e5a3962c1604e9c3af86f72087a87e1d9643a7e8356dc24cff04a
Instruction ID: 0242d2d94924cdd26db1bf6dee40acd536d0328d7044b37b224268ffc8730a83
Opcode Fuzzy Hash: 286d6e8f589e5a3962c1604e9c3af86f72087a87e1d9643a7e8356dc24cff04a
Instruction Fuzzy Hash: CE91A671900119AFCB10DB94C884AAFB7B5FF89709F14451AED05DB352E778ED88CBA4

Function 004056C0 Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00405714
VariantChangeType.OLEAUT32(?,?,00000000,00000003), ref: 0040572F
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00405747
VariantClear.OLEAUT32(00000008), ref: 0040576C

Part of subcall function 004034E0: WideCharToMultiByte.KERNEL32(00000000,?,00430B73,?,?), ref: 00403500
Part of subcall function 004034E0: WideCharToMultiByte.KERNEL32(00000000,?,00430B73,?,?), ref: 0040353D

VariantClear.OLEAUT32(00000003), ref: 00405829
VariantClear.OLEAUT32(00000003), ref: 00405870

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$ByteChangeCharMultiTypeWide$Init
String ID:
API String ID: 2246336597-0
Opcode ID: 185cb550d56d6e90e7357cbe572013a5f9e88bf9d49d61777b2701cb7546109c
Instruction ID: 4ef190a0fae53f1efd78f029205ddef870e4382eca97aa9076ae877011f65a33
Opcode Fuzzy Hash: 185cb550d56d6e90e7357cbe572013a5f9e88bf9d49d61777b2701cb7546109c
Instruction Fuzzy Hash: E7518D75204B028FC714DF29C884A5BB7E4FF88724F108A6EE4559B391E778E94ACF91

Function 004C1DAD Relevance: 9.1, APIs: 6, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0054735C,00000001,?,00547618,0000001C,004C02C9,00000001,00000000,00000001,?,?,?,00000001,?), ref: 004C1DD1
GetLastError.KERNEL32(?,004BB8AD,?,00000000,00000008,00000000,00428630), ref: 004C1DE3
MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,00547618,0000001C,004C02C9,00000001,00000000,00000001,?,?,?,00000001), ref: 004C1E45
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,00000008), ref: 004C1EC3
GetStringTypeW.KERNEL32(00000008,?,00000000,?,?,00000000,00000000,00000008), ref: 004C1ED5

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 8afb4d933444fab76c430e1085a7a13d0eed130731c565606c31a483140b410e
Instruction ID: b07c06ff95ae6c46cce8b710d6d91f46c5c28764b641df0877c083c360fb9033
Opcode Fuzzy Hash: 8afb4d933444fab76c430e1085a7a13d0eed130731c565606c31a483140b410e
Instruction Fuzzy Hash: D141E039900215ABCF229F54CC45FEF3B75EF0A760F24010EFC11A62A2D7388951DBA9

Function 0047DB50 Relevance: 9.1, APIs: 6, Instructions: 113comCOMMON

Download Yara Rule

APIs

Part of subcall function 004821D0: SysStringByteLen.OLEAUT32(?), ref: 004821FD
Part of subcall function 004821D0: InterlockedExchange.KERNEL32(?,00000000), ref: 004822FD

InterlockedExchange.KERNEL32(?,00000000), ref: 0047DBA8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0054885C,?), ref: 0047DBC9
InterlockedExchange.KERNEL32(?,00000000), ref: 0047DBE5
InterlockedExchange.KERNEL32 ref: 0047DBFF
InterlockedExchange.KERNEL32(?,00000000), ref: 0047DC40
InterlockedExchange.KERNEL32 ref: 0047DC5A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$ByteLoadPictureString
String ID:
API String ID: 1390841951-0
Opcode ID: 126a0d307c399d6fe0c9b1bd7114be428f7eb61b236c3c43e24f1d5bc4eae90f
Instruction ID: f41edc8e143845e39494d6fa2eb351edb37fb88cdb056ddb15d243e0e571732e
Opcode Fuzzy Hash: 126a0d307c399d6fe0c9b1bd7114be428f7eb61b236c3c43e24f1d5bc4eae90f
Instruction Fuzzy Hash: 55316DB2504641AFC701DF98DC8499BBBE8FFC8724F148E6EF159C7250D6389849CB62

Function 00481870 Relevance: 9.1, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 004818A9
SetFilePointer.KERNEL32(?,?,00000000,00000000,?,0055D526,00000000,?,?,00000000,?,0043CFB2,?,00000000,?,?), ref: 004818FB
RtlLeaveCriticalSection.NTDLL(?), ref: 00481912

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterFileLeavePointer
String ID:
API String ID: 2026149223-0
Opcode ID: d76ef62e7f7b64ac66c3cf0f1d5cc7a5a040e26cbd2d38e84d07ce53f2311784
Instruction ID: e4755141379258558cb91ba1e198f82d09d923bcd319336430ee0c7d2afdd0e2
Opcode Fuzzy Hash: d76ef62e7f7b64ac66c3cf0f1d5cc7a5a040e26cbd2d38e84d07ce53f2311784
Instruction Fuzzy Hash: A63159712043019FDB24EF69D894F2BB7E9AF98761F00492EF486C7660D734E845DB64

Function 00475EA0 Relevance: 9.1, APIs: 6, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00475EAA
RtlEnterCriticalSection.NTDLL(?), ref: 00475ED2
RtlLeaveCriticalSection.NTDLL(?), ref: 00475EE7
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00475EF5
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00475F92
RtlLeaveCriticalSection.NTDLL(?), ref: 00475FA4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$LeaveReleaseSemaphore$EnterObjectSingleWait
String ID:
API String ID: 323997250-0
Opcode ID: bc7faf1636091f9d6e4c810e7722d4c3c8144c99ba5e65a84e64ededaa52588d
Instruction ID: dabfbf967cb74e396b087abf4d32e76144f6e82637aa976f1c213c75e5acd5d6
Opcode Fuzzy Hash: bc7faf1636091f9d6e4c810e7722d4c3c8144c99ba5e65a84e64ededaa52588d
Instruction Fuzzy Hash: 9B316CB13046008BDF18DF24D884B9B77E9FB98311F24851AF94ADB385D6B5EC488B94

Function 004510A0 Relevance: 9.1, APIs: 6, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00451128
SysStringLen.OLEAUT32(?), ref: 00451137
CoTaskMemAlloc.COMBASE(00000002), ref: 00451142
SysFreeString.OLEAUT32(?), ref: 00451154

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free$AllocTask
String ID:
API String ID: 2715170445-0
Opcode ID: e9705b289d877b74dbd9507a4a6d2cbff3019858a93e35458ee3fd41abe2f14e
Instruction ID: 4edd6f3fc92b8752775c4891b5a11175bd90ec639bca64be702d83277209a4d4
Opcode Fuzzy Hash: e9705b289d877b74dbd9507a4a6d2cbff3019858a93e35458ee3fd41abe2f14e
Instruction Fuzzy Hash: 4931A972604B149BC710CB18D840B5BB7E8FB8CB65F004A2AF949A7311C779E909CB95

Function 0047CB00 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0047CB38
SafeArrayLock.OLEAUT32(00000000), ref: 0047CB50
SafeArrayUnlock.OLEAUT32(00000000), ref: 0047CB61
SafeArrayDestroy.OLEAUT32(00000000), ref: 0047CB6C
VariantCopy.OLEAUT32(?,?), ref: 0047CBA8
SafeArrayUnlock.OLEAUT32(00000000), ref: 0047CBCF

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$CopyCreateDestroyLockVariant
String ID:
API String ID: 3809054396-0
Opcode ID: a799c961fdc75bbb116e06b2338213d3689abe6bdae2fdfd82c8e2abcaf374a4
Instruction ID: 567f9e225cc2fc5f1561876386c8de4276685bb68a8b6725300b98f0accf74dc
Opcode Fuzzy Hash: a799c961fdc75bbb116e06b2338213d3689abe6bdae2fdfd82c8e2abcaf374a4
Instruction Fuzzy Hash: CC31E171204705DFC714EF28E8C5A5BB7A8FB48720F108A2EF959D7301E738E8458BA5

Function 0043C430 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0043C459

Part of subcall function 0043B020: InterlockedExchange.KERNEL32(00000000,00000000), ref: 0043B071

SafeArrayUnlock.OLEAUT32(?), ref: 0043C484
SafeArrayDestroy.OLEAUT32(?), ref: 0043C493
SafeArrayUnlock.OLEAUT32(?), ref: 0043C4CC
SafeArrayDestroy.OLEAUT32(?), ref: 0043C4DB
VariantClear.OLEAUT32(?), ref: 0043C4EE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$DestroyUnlockVariant$ClearExchangeInitInterlocked
String ID:
API String ID: 1673483752-0
Opcode ID: 458be620dcb0bb17bb2139796fd9da668ce77603e4af27740c9372d047fc4374
Instruction ID: 171fa34b788a76fad7d2fb2beea8aeccbff29bf756b7255499a9098760030979
Opcode Fuzzy Hash: 458be620dcb0bb17bb2139796fd9da668ce77603e4af27740c9372d047fc4374
Instruction Fuzzy Hash: 2C2106B6504740ABC314CF29D884A6BB7E8FBDC725F045A0EF496E3250D338D544CB62

Function 00461880 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

StringFromCLSID.COMBASE ref: 004618B8
RtlEnterCriticalSection.NTDLL(005734F4), ref: 004618CC
InterlockedExchange.KERNEL32(?,?), ref: 004618FF
RtlLeaveCriticalSection.NTDLL(005734F4), ref: 00461919
CoTaskMemFree.COMBASE(?), ref: 00461924
InterlockedExchange.KERNEL32(?,00000000), ref: 00461946

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterFreeFromLeaveStringTask
String ID:
API String ID: 1130067563-0
Opcode ID: 176fca80a483ea66457dd5b457bcd256ba4773d677ffd72e17cc1492f9d520e2
Instruction ID: 84f87b25bdd352169b80409bedfd35f232b625e36f9a51fda68cc1fa3ea5db70
Opcode Fuzzy Hash: 176fca80a483ea66457dd5b457bcd256ba4773d677ffd72e17cc1492f9d520e2
Instruction Fuzzy Hash: 092128B12047019BC714DF65D848B1BBBA9FF89711F088A19F895C73A0EB38D849DB62

Function 0047DC80 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047DCAA

Part of subcall function 0043B260: SafeArrayUnlock.OLEAUT32(?), ref: 0043B270
Part of subcall function 0043B260: SafeArrayDestroy.OLEAUT32(00000000), ref: 0043B27D

SafeArrayUnlock.OLEAUT32(?), ref: 0047DCD2
SafeArrayDestroy.OLEAUT32(?), ref: 0047DCE1
VariantClear.OLEAUT32(?), ref: 0047DCF4
SafeArrayUnlock.OLEAUT32(?), ref: 0047DD23
VariantClear.OLEAUT32(?), ref: 0047DD42

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$UnlockVariant$ClearDestroy$Init
String ID:
API String ID: 1782516564-0
Opcode ID: f84112cd69c12b42b1c21795b088b42a4cc8b68c7508dc4a7b4b30cd9ce5caed
Instruction ID: dd815d184906e5c30c1d862970db8f9ef01bfc998d4d96f678d91018dd29a0de
Opcode Fuzzy Hash: f84112cd69c12b42b1c21795b088b42a4cc8b68c7508dc4a7b4b30cd9ce5caed
Instruction Fuzzy Hash: 062169766047409FC304DF2AD884A5BB7E8FFD8B19F004A1EF449D3210E3798944CB62

Function 00428560 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 307synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32(00001D4C,00000400,00000000,?), ref: 00428684
WaitForSingleObject.KERNEL32(000001EC,000000FF), ref: 00428693

Strings

File "%s", Line %d : , xrefs: 00428829
File not found : , xrefs: 00428795
H,V, xrefs: 0042857F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: MessageObjectPostSingleThreadWait
String ID: File "%s", Line %d : $File not found : $H,V
API String ID: 2601575711-1278257379
Opcode ID: 2b4079271fa0b5e5afcdaca74bf2589b0db93a770e96cdd5e0d71dda5317eeef
Instruction ID: f3c878adbefb02a3a8e7aee033ed44b275dc8431f0882740970643f8a7d8b1d6
Opcode Fuzzy Hash: 2b4079271fa0b5e5afcdaca74bf2589b0db93a770e96cdd5e0d71dda5317eeef
Instruction Fuzzy Hash: 82C1BB716057409BD300EB28D885A1FBBE4BFC5724F544A1DF4929B3E2DB78E805CB9A

Function 0044DC10 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044DC19
GetWindowLongA.USER32(?,000000F0), ref: 0044DC3A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0044DC53

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 00b3fc21be8a668dca62a501bb6d16f8dcf88dd5fa1bee7712277c6bb90e4377
Instruction ID: 9bbeec338bb40f3af9719bb2a3dbcbe9eee804e4f3eab54aaa87574883de476c
Opcode Fuzzy Hash: 00b3fc21be8a668dca62a501bb6d16f8dcf88dd5fa1bee7712277c6bb90e4377
Instruction Fuzzy Hash: 0A01B5792146019BDB249B74DC48A6773E5AB64321B108E0EF166C73E0D674E880CB24

Function 0044DCE0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044DCE9
GetWindowLongA.USER32(?,000000F0), ref: 0044DD0A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0044DD23

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ec24d83be36b58b7c56a0a7246d52c74be6a1c2114a9f573a907156f956fe298
Instruction ID: de53d5ef2c343557d5a89e7576c4ef1dfce9bf6b79ce71751d110cbbcad64268
Opcode Fuzzy Hash: ec24d83be36b58b7c56a0a7246d52c74be6a1c2114a9f573a907156f956fe298
Instruction Fuzzy Hash: 9B01B5B66146019BDB349B65DC48B6773E4AB64321F108E1EF166D73E0D634E884C724

Function 0041D3C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 294memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041D3EB
SysAllocString.OLEAUT32(NetBox ScriptObject), ref: 0041D453
SysAllocString.OLEAUT32(Cannot use an instance of a script object across the different thread.), ref: 0041D45D

Part of subcall function 00403750: RtlEnterCriticalSection.NTDLL(?), ref: 00403784

Strings

NetBox ScriptObject, xrefs: 0041D447
Cannot use an instance of a script object across the different thread., xrefs: 0041D455

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocString$CriticalCurrentEnterSectionThread
String ID: Cannot use an instance of a script object across the different thread.$NetBox ScriptObject
API String ID: 291490220-3025682305
Opcode ID: 9363d92aa8e0885644b10dc9026c1cfddc9bf4608859bfbf08e322714689c28f
Instruction ID: b7dd6a4cb05aebbae785e802ba778f402ad66db3d513015a2f8943919f6ca983
Opcode Fuzzy Hash: 9363d92aa8e0885644b10dc9026c1cfddc9bf4608859bfbf08e322714689c28f
Instruction Fuzzy Hash: D3B178B1A046059FC718CF59C480A6BF7E6BFC8314F148A2EE95A87350D775EC86CB91

Function 00434330 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 264fileCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(00000010,?), ref: 00434472
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000,?,?,00000000), ref: 00434536
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,?,00000000), ref: 00434553
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0043455A

Part of subcall function 0040E590: MultiByteToWideChar.KERNEL32(00000000,?,?,00000000), ref: 0040E5AC
Part of subcall function 0040E590: MultiByteToWideChar.KERNEL32(00000000,?,?,00000000), ref: 0040E5E5

Part of subcall function 0045C390: LoadLibraryExW.KERNEL32(00000010,00000000,00000008,?,00000010,00000001,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3AC
Part of subcall function 0045C390: CloseHandle.KERNEL32(00000000,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3CA
Part of subcall function 0045C390: LoadLibraryExW.KERNEL32(00000010,00000000,00000008,?,004345E6,?,00000001,00000000,00000010,00000000), ref: 0045C3D4

Strings

\\%s\MAILSLOT\messngr, xrefs: 00434436

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharCloseFileHandleLibraryLoadMultiWide$ComputerCreateNameWrite
String ID: \\%s\MAILSLOT\messngr
API String ID: 1499735514-3245225977
Opcode ID: a5b071b6c7e3247a9a7330814389826006fe6921a6f2034d35e76629e971a6a9
Instruction ID: 8f381239f97c2af0ff2a9972c6ea19e5f9bd712df396b85b25e4023222471d4d
Opcode Fuzzy Hash: a5b071b6c7e3247a9a7330814389826006fe6921a6f2034d35e76629e971a6a9
Instruction Fuzzy Hash: DC919A716047029FD300CF28C845B9AB7A4FFD9324F148A2DF5A59B2D1DB78E909CB95

Function 004A16E8 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 221COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004A17E5

Strings

-, xrefs: 004A1728
0123456789ABCDEF0123456789abcdef, xrefs: 004A17B9
, xrefs: 004A20A6, 004A20BA, 004A2124, 004A2138
-x0, xrefs: 004A1852

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: __aulldvrm
String ID: $-$-x0$0123456789ABCDEF0123456789abcdef
API String ID: 1302938615-2299590050
Opcode ID: 37fdcebf4af046d6bd8bccf2fe2de8c25ba6d8e595be048e560656fc34011000
Instruction ID: 6ae6a53e7294dcd0c32bd58dcc11c6ac4b9d88f6099e1a0b7155eccdb7e042e7
Opcode Fuzzy Hash: 37fdcebf4af046d6bd8bccf2fe2de8c25ba6d8e595be048e560656fc34011000
Instruction Fuzzy Hash: 077116746083814FC704CF2D854066BBBE2AFEB348F08496EF9C89B351D679D905CB8A

Function 00434D40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00434D7E
GetForegroundWindow.USER32 ref: 00434DD1
VariantChangeType.OLEAUT32(?,?,00000000,0000000B), ref: 00434E4F
VariantClear.OLEAUT32(?), ref: 00434F02

Strings

@, xrefs: 00434E6F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$ChangeClearForegroundInitTypeWindow
String ID: @
API String ID: 1829303453-2766056989
Opcode ID: 1fba1ddd37c01e3d120d134481178fc4a6590d8418da195f45258d20c9c4882d
Instruction ID: ab63e94957aa64c6fba677dfc37d584881b47179a1a571035b3fd9044959e46d
Opcode Fuzzy Hash: 1fba1ddd37c01e3d120d134481178fc4a6590d8418da195f45258d20c9c4882d
Instruction Fuzzy Hash: 7A616A701087419FC314DF28D849A9BBBE4BFC9325F148A1DF0998B2A0DB78E945CB96

Function 00415E20 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

[Object], xrefs: 00415F84
[Array], xrefs: 00415EFA, 00415F5C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: [Array]$[Object]
API String ID: 0-1303309366
Opcode ID: a6018c0829078c53c73c3ed64a07208459f51c3f47f3f93c2ea3601b73991ded
Instruction ID: bf6b094dec2c3d022659fc481c36af6442c2b6177040b9b184e313279e6f5b41
Opcode Fuzzy Hash: a6018c0829078c53c73c3ed64a07208459f51c3f47f3f93c2ea3601b73991ded
Instruction Fuzzy Hash: 0951AC76604B01CFD314DF29C484A96F7E4FB88724F14862EE56A973A0C739E846CB55

Function 00435060 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004BC6DA: _strlen.LIBCMT ref: 004BC6EA

RegOpenKeyExA.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00435173
RegQueryValueExA.ADVAPI32(?,Content Type,00000000,?,?,?), ref: 004351A7
RegCloseKey.ADVAPI32(?), ref: 004351C7

Strings

Content Type, xrefs: 00435195
application/octet-stream, xrefs: 004351DA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CloseOpenQueryValue_strlen
String ID: Content Type$application/octet-stream
API String ID: 961576821-2873135101
Opcode ID: e8873e05fe081ed33356691b5aac9e1fc8e2bc3423b710854295839f479f7ba9
Instruction ID: 28b928595e07857cedddad04af1f7f96b7264118e334bbeb74ec59aeffd8ec15
Opcode Fuzzy Hash: e8873e05fe081ed33356691b5aac9e1fc8e2bc3423b710854295839f479f7ba9
Instruction Fuzzy Hash: C351AF712083419FD314DF29C895B9BB7E4BF98324F008A1DF599972D1EB38D908CBA2

Function 00454A30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 0044D590: RtlEnterCriticalSection.NTDLL(?), ref: 0044D596

GetClassInfoExA.USER32(00000000,?,?), ref: 00454ACA
GetClassInfoExA.USER32(?,?,?), ref: 00454ADD
LoadCursorA.USER32(00536690,?), ref: 00454B34
GetClassInfoExA.USER32(00536578,?,?), ref: 00454B80

Strings

0, xrefs: 00454AC2

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClassInfo$CriticalCursorEnterLoadSection
String ID: 0
API String ID: 2074842536-4108050209
Opcode ID: e861e90c2e6bc62e33018b45f0b57435a5417de208a689ad0aa276a6c31e3729
Instruction ID: b32695c062bbd1ad37d36e669e6f6bada9989e3a7edd87854de63de2504fb582
Opcode Fuzzy Hash: e861e90c2e6bc62e33018b45f0b57435a5417de208a689ad0aa276a6c31e3729
Instruction Fuzzy Hash: 7E5178756043018BDB24CF65D880B6B77E8BF88319F50455EED588B346E778EC88CBA9

Function 004158F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 125timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004073D0: InterlockedDecrement.KERNEL32(?), ref: 00407411
Part of subcall function 004073D0: InterlockedIncrement.KERNEL32(?), ref: 00407437

InterlockedDecrement.KERNEL32(?), ref: 00415973
FileTimeToSystemTime.KERNEL32(?,?,?,?,23C34600,00000000), ref: 00415997

Strings

%s, %02d %s %d %02d:%02d:%02d GMT, xrefs: 004159D9
Expires, xrefs: 00415A12
Header Error, xrefs: 004159F6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Interlocked$DecrementTime$FileIncrementSystem
String ID: %s, %02d %s %d %02d:%02d:%02d GMT$Expires$Header Error
API String ID: 2080703397-790970298
Opcode ID: e1b6e1217786bc40bc6e376d0b5b14206aac1558fce1c9a1a700fbf0442c5b68
Instruction ID: 09a507cf6279cf8f016c0bb0f7694ac2e21bd75d5abeb27a6567a7680598a0b8
Opcode Fuzzy Hash: e1b6e1217786bc40bc6e376d0b5b14206aac1558fce1c9a1a700fbf0442c5b68
Instruction Fuzzy Hash: 34419DB12087019FD310DF65C885BAAB7E8FFC8714F048A1EF99597291E778D948CB62

Function 00465760 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0046577B
ResetEvent.KERNEL32(?), ref: 00465837
GetLastError.KERNEL32 ref: 00465855
WaitForSingleObject.KERNEL32(?,000000FF,00000064), ref: 0046587B

Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4A2
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4BF
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4DC
Part of subcall function 0043D480: SysAllocString.OLEAUT32(00474517), ref: 0043D500

Strings

Response is not yet available., xrefs: 00465787

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free$ObjectSingleWait$AllocErrorEventLastReset
String ID: Response is not yet available.
API String ID: 3477042704-915989950
Opcode ID: 50e5d93626a3df9bce61f98d8ecdc23227a7ab7b7bb4fa943682094a438146dc
Instruction ID: f2c70d498cb299c3c972028838a0d9b161ec6f8c4dd218a0276ea251a9ee5d44
Opcode Fuzzy Hash: 50e5d93626a3df9bce61f98d8ecdc23227a7ab7b7bb4fa943682094a438146dc
Instruction Fuzzy Hash: 0B31BD71A047058FCB14DF69C88465BB7E5FB98314F14853AEA05CB346E774E809CBA6

Function 0045C5B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005734F4), ref: 0045C603
RtlLeaveCriticalSection.NTDLL(005734F4), ref: 0045C64E
CLSIDFromProgID.COMBASE(000000FF,0045C7EF), ref: 0045C6A2
CLSIDFromString.COMBASE(000000FF,0045C7EF), ref: 0045C6AE

Strings

(wX, xrefs: 0045C60E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalFromSection$EnterLeaveProgString
String ID: (wX
API String ID: 2186355366-3436312765
Opcode ID: 9a70e4f36a969bea2614f5ea4c39a1414ba0f9bc161684992fdce22d2fe8f19a
Instruction ID: 8a38684bae662e5a840bef4b8f1bcd45ecdc841fbda2301d930a0ea1be800dd7
Opcode Fuzzy Hash: 9a70e4f36a969bea2614f5ea4c39a1414ba0f9bc161684992fdce22d2fe8f19a
Instruction Fuzzy Hash: 7E31CF752007018FC304CF29D884A27BBE4FF99725F14C66EE819873A2D739D90ADBA1

Function 0044DFA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044DFA9
LoadLibraryA.KERNEL32(USER32,GetLayeredWindowAttributes), ref: 0044DFD0
GetProcAddress.KERNEL32(00000000), ref: 0044DFD7

Strings

GetLayeredWindowAttributes, xrefs: 0044DFC1
USER32, xrefs: 0044DFC6

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AddressLibraryLoadProcWindow
String ID: GetLayeredWindowAttributes$USER32
API String ID: 1082215438-2434508084
Opcode ID: 5b676955dbef2468aa47bd9cd4278df92858a9548fff853ad77d65ccf124828e
Instruction ID: 5f9ba52cf423205f8712615c65dd0d64be9f6b24f356632e91db4b746bb78261
Opcode Fuzzy Hash: 5b676955dbef2468aa47bd9cd4278df92858a9548fff853ad77d65ccf124828e
Instruction Fuzzy Hash: C7F03932744701ABE3209FA9DC48F4BB7A8BFA4751F148D0EB155DB290E7B4E44887A8

Function 004C4BA1 Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 004C04E0: GetLastError.KERNEL32(?,00000000,004BEA02,004BF208,00000000,00547350,00000008,004BF25F,?,?,?,004BAB38,00000004,005471E8,0000000C,004BE880), ref: 004C04E2
Part of subcall function 004C04E0: FlsGetValue.KERNEL32(?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C04F0
Part of subcall function 004C04E0: FlsSetValue.KERNEL32(00000000,?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C0517
Part of subcall function 004C04E0: GetCurrentThreadId.KERNEL32 ref: 004C052F
Part of subcall function 004C04E0: SetLastError.KERNEL32(00000000,?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C0546

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C4C13
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C4D10
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C4D69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C4D86
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C4DA9

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: b6fc5f6679d428ce21a389e30963863eb4e5e5a6747158945bc3a806cc22ccb0
Instruction ID: 060bf763f12307b6004f7e87dfc66ba71b566771ec3c8064e08cbc9e3bf9e9c1
Opcode Fuzzy Hash: b6fc5f6679d428ce21a389e30963863eb4e5e5a6747158945bc3a806cc22ccb0
Instruction Fuzzy Hash: F261F67AE00305AFDB14DF99CD91FAAB7F6EBC4314F20456EF51197291E778A9008B18

Function 004BC52D Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58906576f0fde04201b980670cfa8d8680468cc1754a5eba936075dff351269a
Instruction ID: dcac474e8677fa04061a0bc44ad45af54273af76e996704ccf9d628dbfaf2905
Opcode Fuzzy Hash: 58906576f0fde04201b980670cfa8d8680468cc1754a5eba936075dff351269a
Instruction Fuzzy Hash: 8041BEB1C01226ABCF20BF669CC4CEF7B74EA51758711523BF818A6290E7385D419BBD

Function 00459FE0 Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045A034
SafeArrayUnlock.OLEAUT32(?), ref: 0045A05B
SafeArrayDestroy.OLEAUT32(?), ref: 0045A06A
VariantClear.OLEAUT32(?), ref: 0045A07D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafeVariant$ClearDestroyInitUnlock
String ID:
API String ID: 3899158566-0
Opcode ID: e7e16c2606e64332e93d99c47c6fd2ce862c4aba58724a44cf9c9874ba133c38
Instruction ID: 7ace2e31563af706ee84be2d7ab81dc153873b2586c406963afe8e9fb8710d0f
Opcode Fuzzy Hash: e7e16c2606e64332e93d99c47c6fd2ce862c4aba58724a44cf9c9874ba133c38
Instruction Fuzzy Hash: 2C517CB25087509FC214DF59D881E6BF7A8FB98B51F000A1FF44583252D738D958CBA7

Function 0043DCB0 Relevance: 7.6, APIs: 5, Instructions: 111threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005722E0), ref: 0043DCE5
CoCreateFreeThreadedMarshaler.COMBASE(00000000,?), ref: 0043DD2F
InterlockedExchange.KERNEL32(?,00000000), ref: 0043DDD8
InterlockedExchange.KERNEL32(005357F0,00000000), ref: 0043DDEE
RtlLeaveCriticalSection.NTDLL(005722E0), ref: 0043DE08

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CreateEnterFreeLeaveMarshalerThreaded
String ID:
API String ID: 1509384461-0
Opcode ID: f7bc7bd329e8e4899cc2d67f769aa518a6bac4452c2a0b85cd222a12470b2470
Instruction ID: a13313f628611b34cbcdfa4815a8ea1d98fe1d747f00f097bb00f163a50f383f
Opcode Fuzzy Hash: f7bc7bd329e8e4899cc2d67f769aa518a6bac4452c2a0b85cd222a12470b2470
Instruction Fuzzy Hash: 85419EB1508341AFC300DF95DC85A6BBBECFB98744F00992EF45593291D7B8D948CB62

Function 00440E40 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 00440E65
VariantInit.OLEAUT32(?), ref: 00440E7A

Part of subcall function 0043B260: SafeArrayUnlock.OLEAUT32(?), ref: 0043B270
Part of subcall function 0043B260: SafeArrayDestroy.OLEAUT32(00000000), ref: 0043B27D

SafeArrayUnlock.OLEAUT32(?), ref: 00440F2F
SafeArrayDestroy.OLEAUT32(?), ref: 00440F3E
VariantClear.OLEAUT32(?), ref: 00440F51

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$DestroyUnlockVariant$ClearInitString
String ID:
API String ID: 3564170424-0
Opcode ID: 67b48ff44b573875c5a745c8171c8e9ae8761e693f587d0ebb1d3ef978398df4
Instruction ID: c8e6942fb9b769bed5e3372c8c7a5804c3f8c5e21bdd1e49e005030fd2cbb651
Opcode Fuzzy Hash: 67b48ff44b573875c5a745c8171c8e9ae8761e693f587d0ebb1d3ef978398df4
Instruction Fuzzy Hash: 7A31B0315083499FC724DF69C884A1BFBE4FB99710F404A2EF69687340E734D849CB95

Function 004C12BE Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000028,000000FF,?,?,?,?,?,?,?,004C13E0,?,?,?,?), ref: 004C1323
GetLastError.KERNEL32(?,?,?,?,?,004C13E0,?,?,?,?,004BB9E3,?,?,00000028,?,?), ref: 004C132D
MultiByteToWideChar.KERNEL32(?,00000001,00000028,00000028,?,?,?,?,?,?,?,004C13E0,?,?,?,?), ref: 004C1382
_strlen.LIBCMT ref: 004C1395
MultiByteToWideChar.KERNEL32(?,00000009,00000028,000000FF,00000000,00000000,?,?,?,?,?,004C13E0,?,?,?,?), ref: 004C13A9

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_strlen
String ID:
API String ID: 1602738612-0
Opcode ID: 2b10134dd53a8cdb808535eeddaceee12474f293f931d1cb82dfe514ac961b51
Instruction ID: 5e780ec1ddfc36142bad5f8f99cbbbcc757f58f8551be425401530c597ced818
Opcode Fuzzy Hash: 2b10134dd53a8cdb808535eeddaceee12474f293f931d1cb82dfe514ac961b51
Instruction Fuzzy Hash: 8731C138200295AFEB518F64CD40FAE3B65BF03758F24425AFC529A6B2D334CC61D7A9

Function 00418300 Relevance: 7.6, APIs: 5, Instructions: 93sleepinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0042FCC0: ResumeThread.KERNEL32(?), ref: 0042FCE8
Part of subcall function 0042FCC0: closesocket.WS2_32(00418322), ref: 0042FD0A
Part of subcall function 0042FCC0: closesocket.WS2_32(00418322), ref: 0042FD2B
Part of subcall function 0042FCC0: Sleep.KERNEL32(00000001,?,?,?,?,00418322), ref: 0042FD46
Part of subcall function 0042FCC0: Sleep.KERNEL32(00000001,?,?,?,?,00418322), ref: 0042FD71
Part of subcall function 0042FCC0: QueueUserAPC.KERNEL32(0042F900,?,?,?,?,?,?,00418322), ref: 0042FD92
Part of subcall function 0042FCC0: Sleep.KERNEL32(00000001,?,?,?,?,?,00418322), ref: 0042FDA3

QueueUserAPC.KERNEL32(004182C0,?), ref: 00418338
Sleep.KERNEL32(00000001), ref: 00418352
VariantInit.OLEAUT32(?), ref: 0041836A
VariantClear.OLEAUT32(?), ref: 004183A5
VariantClear.OLEAUT32(?), ref: 00418400

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Sleep$Variant$ClearQueueUserclosesocket$InitResumeThread
String ID:
API String ID: 3536217809-0
Opcode ID: aacc9034b82f9a36869606a47f91aa1a6f04ec3729641ee9a238afe6698efe53
Instruction ID: aed5f4866df328afc65d7a796967bb2d4f78a42ae4d566fc10a6e5ee3e6ebd23
Opcode Fuzzy Hash: aacc9034b82f9a36869606a47f91aa1a6f04ec3729641ee9a238afe6698efe53
Instruction Fuzzy Hash: 4431F4311043468BC710DF25C880AAFB7E0FF88718F040E2EF86997281DB79E945CB92

Function 00481990 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 004819A3
GetFileSize.KERNEL32(?,?), ref: 004819E1

Part of subcall function 004368A0: GetLastError.KERNEL32(00431B1E), ref: 004368A0

RtlLeaveCriticalSection.NTDLL(?), ref: 00481A05
RtlLeaveCriticalSection.NTDLL(?), ref: 00481A2E
RtlLeaveCriticalSection.NTDLL(?), ref: 00481A4B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$Leave$EnterErrorFileLastSize
String ID:
API String ID: 2715711871-0
Opcode ID: 0ae49947ced9c016537b7b7acd51abe8d55dd4114c17a154d929702cc24b08a3
Instruction ID: ed9b27ace1d89ed312afb2b5ba3aa31518090fccadbaf5330e45bebdaf47a757
Opcode Fuzzy Hash: 0ae49947ced9c016537b7b7acd51abe8d55dd4114c17a154d929702cc24b08a3
Instruction Fuzzy Hash: 06215C713012068BCB14EF19D884A5BB7E8FB94365F14892BF809C3761E734E856DBA5

Function 00475C60 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00475C88
InterlockedExchange.KERNEL32(?,00000000), ref: 00475CA2
RtlEnterCriticalSection.NTDLL(0000002C), ref: 00475CCA
RtlLeaveCriticalSection.NTDLL(0000002C), ref: 00475CEA
InterlockedExchange.KERNEL32(?,00000000), ref: 00475CFD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CriticalSection$EnterLeave
String ID:
API String ID: 3113034006-0
Opcode ID: a8308afe2d3016277d853e5bf32c162fc65e41fcb552c67e3da4432eb4a49992
Instruction ID: ceb12ff891ef82e012a7ba96372792653199126ef6206dadfca45975dc382855
Opcode Fuzzy Hash: a8308afe2d3016277d853e5bf32c162fc65e41fcb552c67e3da4432eb4a49992
Instruction Fuzzy Hash: 5D21AC76200711AFC720CF68D888F9BB7ECAF88351B01C55AF809DB200DB75E841CBA4

Function 0051DF1A Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebde9e955fc5d13898cd2cc376531dab7d8c6f3f63a90a4d21f4865b3d09889
Instruction ID: 8331179bc9eabce8b2a81a8a2f0fbc78153c118e042cea04cacf588e0658883a
Opcode Fuzzy Hash: 1ebde9e955fc5d13898cd2cc376531dab7d8c6f3f63a90a4d21f4865b3d09889
Instruction Fuzzy Hash: EB21E136600104AEEF209BA5DC81AED7FB9FB54325F541165F952E31E0DB30DE89EB20

Function 004C04E0 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,004BEA02,004BF208,00000000,00547350,00000008,004BF25F,?,?,?,004BAB38,00000004,005471E8,0000000C,004BE880), ref: 004C04E2
FlsGetValue.KERNEL32(?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C04F0
SetLastError.KERNEL32(00000000,?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C0546

Part of subcall function 004C3CF3: __lock.LIBCMT ref: 004C3D37
Part of subcall function 004C3CF3: RtlAllocateHeap.NTDLL(00000008,?,00547FE0), ref: 004C3D75

FlsSetValue.KERNEL32(00000000,?,004BAB38,00000004,005471E8,0000000C,004BE880,?), ref: 004C0517
GetCurrentThreadId.KERNEL32 ref: 004C052F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 116d34f346832963e1601ceb400217df48e6222bf095284369d1091fa418167a
Instruction ID: 97f44e5cb1842d36cd6c2339b5e7bec4eba8a4081cf2ea0e2eba057fa9d43e42
Opcode Fuzzy Hash: 116d34f346832963e1601ceb400217df48e6222bf095284369d1091fa418167a
Instruction Fuzzy Hash: B1F0C836501721EFD7216F70BC0EB567FE4FB10762B40451EF9569A291DBB48C44ABA0

Function 0044DE50 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044DE59
GetClassLongA.USER32(?,000000E6), ref: 0044DE7A
SetClassLongA.USER32(?,000000E6,00000000), ref: 0044DE8C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClassLong$Window
String ID:
API String ID: 498577357-0
Opcode ID: 918752786a21136d492421bff1a4564b90e80e05cfc53846b7194dbd89c4fd81
Instruction ID: b527fb18f7740d1fe4c3a50bd5aee3a6ecfea92f70c12b720de1c3739ef64b89
Opcode Fuzzy Hash: 918752786a21136d492421bff1a4564b90e80e05cfc53846b7194dbd89c4fd81
Instruction Fuzzy Hash: 0BF09636518B119FD7709B65DC4CE5777EAAF653217108E09F0A6DB3A0D638F8848B50

Function 00529697 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00882620,?,?,0052970E,00000000,00000001), ref: 005296BD
GlobalHandle.KERNEL32(007FFF88), ref: 005296CB
GlobalUnlock.KERNEL32(00000000), ref: 005296D4
GlobalFree.KERNEL32(00000000), ref: 005296DB
RtlDeleteCriticalSection.NTDLL(0058A42C), ref: 005296E5

Part of subcall function 005294FF: RtlEnterCriticalSection.NTDLL(?), ref: 0052955C
Part of subcall function 005294FF: RtlLeaveCriticalSection.NTDLL(?), ref: 0052956C
Part of subcall function 005294FF: LocalFree.KERNEL32(?), ref: 00529575
Part of subcall function 005294FF: TlsSetValue.KERNEL32(?,00000000), ref: 00529587

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: c73df4919ca9fc46a7f1b9e0fbf98314e3401c45d22df63f13c384d12e01e046
Instruction ID: 17cdaf90521627175804080c174999871746e48441b35fd4bb1d3029565f319a
Opcode Fuzzy Hash: c73df4919ca9fc46a7f1b9e0fbf98314e3401c45d22df63f13c384d12e01e046
Instruction Fuzzy Hash: 8EF08235200A205BC621AF38BD4CE6B7AEDBF96721B150618F855D73A0EB24EC0696A4

Function 004C49F3 Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004C4A0E
GetCurrentProcessId.KERNEL32 ref: 004C4A1A
GetCurrentThreadId.KERNEL32 ref: 004C4A22
GetTickCount.KERNEL32 ref: 004C4A2A
QueryPerformanceCounter.KERNEL32(?), ref: 004C4A36

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c6f93590425300be853a4c7582277d4039bff2189ce937be5ec0f40e95b796dd
Instruction ID: 1b4659a9d2d356f42d05bbcfeb6d64a6db390dfce59c09db20bde88cbff91dc6
Opcode Fuzzy Hash: c6f93590425300be853a4c7582277d4039bff2189ce937be5ec0f40e95b796dd
Instruction Fuzzy Hash: 14F0FF75C006149FCB10DFB4ED4899FBBF8FB28241B851959D812E7210EB759948EB84

Function 00411580 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 004073D0: InterlockedDecrement.KERNEL32(?), ref: 00407411
Part of subcall function 004073D0: InterlockedIncrement.KERNEL32(?), ref: 00407437

InterlockedDecrement.KERNEL32(?), ref: 0041178F

Strings

NetBox Version 2.8 Build 4128, xrefs: 00411767
<small>Host by <a href="http://www.netbox.cn" target="_blank">, xrefs: 00411751
</a></small>, xrefs: 00411775

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Interlocked$Decrement$Increment
String ID: <small>Host by <a href="http://www.netbox.cn" target="_blank">$</a></small>$NetBox Version 2.8 Build 4128
API String ID: 2574743344-174737269
Opcode ID: 3b8917c63f93c0cbcde2c655650cb3e8870466d181c374e62cf96a72d2468abc
Instruction ID: cc94c21959357f3d0ceb362b4ec9f1250cb8ef3ba2c2234f1d784d5dfc5d3442
Opcode Fuzzy Hash: 3b8917c63f93c0cbcde2c655650cb3e8870466d181c374e62cf96a72d2468abc
Instruction Fuzzy Hash: 29714D706043858FE700DF29C44978EBBE4BF89708F044A5EF9499B392CBB4D944CB96

Function 00454600 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00454728
SysStringLen.OLEAUT32(00000000), ref: 00454733
SysFreeString.OLEAUT32(00000000), ref: 0045475C

Strings

0K@, xrefs: 004546A8, 004546AD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free
String ID: 0K@
API String ID: 1391021980-3195792348
Opcode ID: 66876cf9c3ba2ecfc25b8e7094e3769eb0e0d4dee0c13b9257e43c422fed8f27
Instruction ID: a0fba3370e832ce9f80e05c2f961b4ebf16ca2e7abcd7359362d8bce1c29e5a2
Opcode Fuzzy Hash: 66876cf9c3ba2ecfc25b8e7094e3769eb0e0d4dee0c13b9257e43c422fed8f27
Instruction Fuzzy Hash: 1C514AB5A006059FCB14CF99D884BAEFBF8FF89710F10865AE805EB351D774A944CBA4

Function 00421BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,?,?,?,?), ref: 00421CC0
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00421CCB
MultiByteToWideChar.KERNEL32(00000000,?,?,?,?), ref: 00421CE4

Strings

%d.%d.%d.%d, xrefs: 00421C9A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID: %d.%d.%d.%d
API String ID: 262959230-3491811756
Opcode ID: 521527bc864185fcb93f0f29e7dbf3de56570d26c3600a18a400cfa95a03ed1e
Instruction ID: a1034ca6f6b3af4ef8c97e4ab1ba46cf80823160ef24f10f866d6af1beca744d
Opcode Fuzzy Hash: 521527bc864185fcb93f0f29e7dbf3de56570d26c3600a18a400cfa95a03ed1e
Instruction Fuzzy Hash: DF41A871200A009FC314DB69DC89B2BB7A8FB99335F148B1DF5699B2E1DB389800CB61

Function 0049C170 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0049C18A
GetTempPathA.KERNEL32(00000118,?), ref: 0049C1A5
GetFileAttributesA.KERNEL32(?,?,?,00000007,?,?), ref: 0049C28C

Strings

%s\sqlite_, xrefs: 0049C1E8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AttributesFilePathTemp_strncpy
String ID: %s\sqlite_
API String ID: 210055721-921541735
Opcode ID: 83afd3e86dabfe2b38ed85ef21fb832215e71d454b2c5080048bbec2a7808a25
Instruction ID: d33d526b0054dfaaf2745cf240e3fb011e61e0251ed92493ec17c3dfe2f4f33f
Opcode Fuzzy Hash: 83afd3e86dabfe2b38ed85ef21fb832215e71d454b2c5080048bbec2a7808a25
Instruction Fuzzy Hash: 4B318D305097C28AE725CB3458C07F7FFD88FAA305F0846AED9D5C3287D625A5098BA5

Function 004749B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00474010: RtlEnterCriticalSection.NTDLL(?), ref: 0047407A
Part of subcall function 00474010: QueryPerformanceCounter.KERNEL32(?), ref: 00474097
Part of subcall function 00474010: InterlockedExchange.KERNEL32(?,00000000), ref: 004740BD
Part of subcall function 00474010: InterlockedExchange.KERNEL32(?,00000000), ref: 004740DA

InterlockedExchange.KERNEL32(00000000,00000000), ref: 00474A22
InterlockedExchange.KERNEL32(?,00000000), ref: 00474A90
InterlockedExchange.KERNEL32(?,00000000), ref: 00474AC7

Strings

PRAGMA synchronous, xrefs: 004749EC

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$CounterCriticalEnterPerformanceQuerySection
String ID: PRAGMA synchronous
API String ID: 2848589658-1931804681
Opcode ID: 94d5c344f1a6843f44f969a2b88a6f826ffcaff7924496f6f69164270ffcead6
Instruction ID: d76b9d21063cbb4d558c75437d2282dded219c1636af4d23df884b112b30be49
Opcode Fuzzy Hash: 94d5c344f1a6843f44f969a2b88a6f826ffcaff7924496f6f69164270ffcead6
Instruction Fuzzy Hash: E63115756187419FC714DF68C844B6BBBE4EF88724F408A1EF9A987290E735D804CB96

Function 00415A80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90timeCOMMON

Download Yara Rule

APIs

VariantTimeToSystemTime.OLEAUT32 ref: 00415AC6

Part of subcall function 0052BBEE: __EH_prolog.LIBCMT ref: 0052BBF3

Strings

%s, %02d %s %d %02d:%02d:%02d GMT, xrefs: 00415B08
Expires, xrefs: 00415B41
Header Error, xrefs: 00415B25

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Time$H_prologSystemVariant
String ID: %s, %02d %s %d %02d:%02d:%02d GMT$Expires$Header Error
API String ID: 2957148001-790970298
Opcode ID: 6bce7af6aef09f9c81f796121816d14fc3cd756477c3e9b0307d04c5b06341f9
Instruction ID: b7a298ac78cd06c790d1c339b8dfaed23ea1493e5717684e4ab6003a67e0ce0a
Opcode Fuzzy Hash: 6bce7af6aef09f9c81f796121816d14fc3cd756477c3e9b0307d04c5b06341f9
Instruction Fuzzy Hash: 1031D0B15086029BD304DF65C845AABB7E8FFC9710F044A1EF59697290D738A548C762

Function 004218D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,?,?,?,REMOTE_PORT,?,?), ref: 00421963
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0042196E
MultiByteToWideChar.KERNEL32(00000000,?,?,?,REMOTE_PORT,?,?), ref: 00421987

Strings

%d.%d.%d.%d, xrefs: 0042193F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID: %d.%d.%d.%d
API String ID: 262959230-3491811756
Opcode ID: 7b11011f1e3ae1c3cd2eedd2c53e29d8970b8e3f1191b3315c4fb740893903b6
Instruction ID: b20fa354fd581753ea63143fe2e06e55d313e5f154e3eec5e7cacc15a604b423
Opcode Fuzzy Hash: 7b11011f1e3ae1c3cd2eedd2c53e29d8970b8e3f1191b3315c4fb740893903b6
Instruction Fuzzy Hash: 3231E3B1204741AFD3108B68DC48F2BBBE8FB89326F044A1DF58997291D778D808CBA1

Function 00421A00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,?,?,?,CONTENT_LENGTH,?,?), ref: 00421A93
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00421A9E
MultiByteToWideChar.KERNEL32(00000000,?,?,?,CONTENT_LENGTH,?,?), ref: 00421AB7

Strings

%d.%d.%d.%d, xrefs: 00421A6F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID: %d.%d.%d.%d
API String ID: 262959230-3491811756
Opcode ID: a17897a4e118a698895035b924770ce5b1dadb102ce2b1a56537d75c13bde7ee
Instruction ID: fc085b9c0e6d2091a8a5fed4e5d45c95abbfd3bd99f574c12b73193fe531f450
Opcode Fuzzy Hash: a17897a4e118a698895035b924770ce5b1dadb102ce2b1a56537d75c13bde7ee
Instruction Fuzzy Hash: 9631E3B1204741AFD3108B68CC49F2BBBE8FB89326F040A1DF59997291D778D808CBA1

Function 0047C4D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047C555
SafeArrayUnlock.OLEAUT32(?), ref: 0047C5B0
VariantClear.OLEAUT32(?), ref: 0047C5CF

Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4A2
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4BF
Part of subcall function 0043D480: SysFreeString.OLEAUT32(?), ref: 0043D4DC
Part of subcall function 0043D480: SysAllocString.OLEAUT32(00474517), ref: 0043D500

Strings

Algorithm not initialized., xrefs: 0047C4FB

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free$Variant$AllocArrayClearInitSafeUnlock
String ID: Algorithm not initialized.
API String ID: 2482194542-3952168020
Opcode ID: 446edb5d6edf5a03033d490a84360d4f28d9e831f636781dffa54cefe110d4e2
Instruction ID: a659ad4066e1160cda3526112ac29b1182fb336350a128a24d088ba7c6354979
Opcode Fuzzy Hash: 446edb5d6edf5a03033d490a84360d4f28d9e831f636781dffa54cefe110d4e2
Instruction Fuzzy Hash: 573139B55047459FC304DF68E880A5ABBE4FB98718F408A2DF48A93341D775E949CB92

Function 004341B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,?), ref: 004341CF
ShowWindow.USER32(00000000,00000001,?,?,?,?,00531670,000000FF), ref: 00434262
SetForegroundWindow.USER32(00000000), ref: 00434269

Part of subcall function 0052BBEE: __EH_prolog.LIBCMT ref: 0052BBF3

Strings

Application not found : , xrefs: 004341F1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Window$FindForegroundH_prologShow
String ID: Application not found :
API String ID: 4101987014-1087846463
Opcode ID: e255e2d1caa861e298b0d50cf6d3e2080087fef476f2da3cb80040a5b5978e43
Instruction ID: ef24ce3002223e6157f82fe48b041df07e8cdefa5262eb26a71887510943841b
Opcode Fuzzy Hash: e255e2d1caa861e298b0d50cf6d3e2080087fef476f2da3cb80040a5b5978e43
Instruction Fuzzy Hash: A4218971104B419FD304DF68C806B16BBA8FF9A330F14465CF5268B2E2DB74A805CB91

Function 00458E50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(?), ref: 00458E85
InterlockedExchange.KERNEL32(?,00563014), ref: 00458EC8

Strings

BB, xrefs: 00458EA0
BB, xrefs: 00458E66

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalExchangeInitializeInterlockedSection
String ID: BB$BB
API String ID: 358915329-1157863849
Opcode ID: 3e81130d5d00f50448c51fde9a7f0f142b5c725556cd2edc4c53d1fa4ae9764a
Instruction ID: 83976bdabfc1085317e783f8995ad353456396b127ab29f7ebf702a8823bab33
Opcode Fuzzy Hash: 3e81130d5d00f50448c51fde9a7f0f142b5c725556cd2edc4c53d1fa4ae9764a
Instruction Fuzzy Hash: 1611E5B1501705AFC3208F9AD988457FFF8FF09715790892EE68A97B11C7B1E948CB90

Function 0045D2F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0045D325
CoTaskMemFree.COMBASE(?), ref: 0045D336
SysAllocString.OLEAUT32(application/octet-stream), ref: 0045D346

Strings

application/octet-stream, xrefs: 0045D341

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocString$FreeTask
String ID: application/octet-stream
API String ID: 700841234-3754511218
Opcode ID: e541ca13ce728b42f2f3ebe13ede54ebaeb341f3a40b3d2bda4a607c42fc0dcc
Instruction ID: 8a367538ebad7246b6f1cda6b76cf17213d63bc49380b189bb02ca85bc6e2866
Opcode Fuzzy Hash: e541ca13ce728b42f2f3ebe13ede54ebaeb341f3a40b3d2bda4a607c42fc0dcc
Instruction Fuzzy Hash: 1BF0F975244300BFD315DF60CD49F1BBBE8AF98B05F10884CB9888A2E1E7B4E804DB16

Function 004241F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00457A20: RtlEnterCriticalSection.NTDLL(0000000A), ref: 00457A33
Part of subcall function 00457A20: VariantClear.OLEAUT32(-00000006), ref: 00457A5B
Part of subcall function 00457A20: RtlLeaveCriticalSection.NTDLL(0000000A), ref: 00457A78

RtlDeleteCriticalSection.NTDLL ref: 00424248

Part of subcall function 0043DA40: RtlEnterCriticalSection.NTDLL(005722E0), ref: 0043DA87
Part of subcall function 0043DA40: RtlLeaveCriticalSection.NTDLL(005722E0), ref: 0043DAAE

Strings

0B, xrefs: 00424213
PB, xrefs: 00424220
@B, xrefs: 0042421A

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ClearDeleteVariant
String ID: 0B$@B$PB
API String ID: 4041465136-2697504630
Opcode ID: 1d98f4624ff24b1b232d68a8b55d067af53ed9943e11007e02856b2c229bcf1b
Instruction ID: c8a00610ef9688a5981ac494fd1a3cf8fa89a55c1bcc667c7e1b9cc5dae16406
Opcode Fuzzy Hash: 1d98f4624ff24b1b232d68a8b55d067af53ed9943e11007e02856b2c229bcf1b
Instruction Fuzzy Hash: D4F04FB1504B419FC320DF45D955B46BBF8FB44B24F104A1DE0A643B91D774A648CBA5

Function 004C5D06 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00548290,00000010,004BF1F7,00000000,00000FA0,00547350,00000008,004BF25F,?,?,?,004BAB38,00000004,005471E8,0000000C), ref: 004C5D29
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 004C5D39

Strings

kernel32.dll, xrefs: 004C5D24
InitializeCriticalSectionAndSpinCount, xrefs: 004C5D33

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: 553ecb6e5ac77a3d6125cf12d6fbf9957b6d090e620ba473ca961440effb8fd4
Instruction ID: 76bf7bc8a4f1bba71d5eb15b65527940e39ca1f3119be7390c9fa5dee367d0ec
Opcode Fuzzy Hash: 553ecb6e5ac77a3d6125cf12d6fbf9957b6d090e620ba473ca961440effb8fd4
Instruction Fuzzy Hash: 7BF0BB78644B05DFDB505FB58C09BAE3AB0BB10744B00C12EF412E6260E77899C49F15

Function 0043C3E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,00462408), ref: 0043C3EB
InterlockedExchange.KERNEL32(?,00000000), ref: 0043C3FE
RtlDeleteCriticalSection.NTDLL(?), ref: 0043C419

Strings

pm@, xrefs: 0043C41F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CloseCriticalDeleteExchangeHandleInterlockedSection
String ID: pm@
API String ID: 791496390-222291256
Opcode ID: 9587cd3a122ea833aa9865936252ea54537f0d233fb8d90346915009ec39044c
Instruction ID: d127b5890981d3b668f9bb279359a00f1eabcf791bb0a2d4b2d9c006dde22866
Opcode Fuzzy Hash: 9587cd3a122ea833aa9865936252ea54537f0d233fb8d90346915009ec39044c
Instruction Fuzzy Hash: D5E06D711007018FCB248FA4E94CB42B7ECFF18302F401819E446D7661DB74E889CB60

Function 00430590 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Application was modified by a virus !!!,Virus Alert,00000000), ref: 0043059E
ExitProcess.KERNEL32 ref: 004305A6

Strings

Virus Alert, xrefs: 00430592
Application was modified by a virus !!!, xrefs: 00430597

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Application was modified by a virus !!!$Virus Alert
API String ID: 1220098344-294944521
Opcode ID: bec108e6821a99ef284c6a8c78ec4821ef74cff06f993a154b689751811c5041
Instruction ID: 0c5b74f4f52bd7ae600830c4c5c0bf6f433f38f8e12373078069987b5b4f06c3
Opcode Fuzzy Hash: bec108e6821a99ef284c6a8c78ec4821ef74cff06f993a154b689751811c5041
Instruction Fuzzy Hash: E0B002753C574477E1512BD06D0FF147E10B735F43F556505F3076E1E065D051449E16

Function 00439780 Relevance: 6.2, APIs: 4, Instructions: 200COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00439793

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e56bb97ce8c85fb20413f4a7c3c132d21953523df11f6dd3e32572f95278e12
Instruction ID: 8d7e61742a2b343267963bb4d461254c7bf2a1b79934fa31df6f4ac38350168c
Opcode Fuzzy Hash: 1e56bb97ce8c85fb20413f4a7c3c132d21953523df11f6dd3e32572f95278e12
Instruction Fuzzy Hash: AB5104729042015BD724AE2A9845BABB3D8FF88324F44553FFC48D2351E2BCDD49C7AA

Function 004C8850 Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 004C88CA
GetLastError.KERNEL32(?,?,?), ref: 004C88D4
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 004C899D
GetLastError.KERNEL32(?,?,?), ref: 004C89A7

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: c383c540762119a4440075e4285f6a4eccd3e527cae49f0c2cd0eb5cd133acda
Instruction ID: 589165c37725e04468f9904b6982c8ee9c49bbe09588b4f70d14e21890f8ffe0
Opcode Fuzzy Hash: c383c540762119a4440075e4285f6a4eccd3e527cae49f0c2cd0eb5cd133acda
Instruction Fuzzy Hash: 4461E578604385DFDB61CF98C880FBA7BB0AF05304F54419FE4559B292DB78D945CB1A

Function 004C4002 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 004C40EA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9c396fcd23f08378a8063081f8b299182a1811f4bb1dbeac36339acaca7cf68a
Instruction ID: 04f9bbae352949286be22f6cb7d94cf91496f36097c8b161db1ba162d3f66946
Opcode Fuzzy Hash: 9c396fcd23f08378a8063081f8b299182a1811f4bb1dbeac36339acaca7cf68a
Instruction Fuzzy Hash: DA516B75900248CFDB62CFA9CD84BDDBBB8BF95304F14011EE9959B252DB345A41CF15

Function 00431D30 Relevance: 6.1, APIs: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00431D73
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 00431DD1
lstrlenW.KERNEL32(?), ref: 00431DE7
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 00431E4B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID:
API String ID: 3109718747-0
Opcode ID: 78330dff4306cfb139eefe9577d8ba8a4e68d70a9204b98058e082f050fa832b
Instruction ID: e8d929be3a96793714fef16cf9a9830cd4c16b377c13725c4dfa9e8b781a877a
Opcode Fuzzy Hash: 78330dff4306cfb139eefe9577d8ba8a4e68d70a9204b98058e082f050fa832b
Instruction Fuzzy Hash: DE4149729006159BC710DB64CC42FABB7A8EF49710F14062BFC25AB3A1E73DAD00C7A5

Function 00431FC0 Relevance: 6.1, APIs: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00432003
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 00432061
lstrlenW.KERNEL32(?), ref: 00432077
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 004320DB

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID:
API String ID: 3109718747-0
Opcode ID: 1192c0f20e8e84c3aef3bdbbaa14bed9663036a37e37dc22934c327e297e354c
Instruction ID: c1470d72627c7b0caf93770f0eee8366122c2d4e409f2865808d8c72349d94a8
Opcode Fuzzy Hash: 1192c0f20e8e84c3aef3bdbbaa14bed9663036a37e37dc22934c327e297e354c
Instruction Fuzzy Hash: 5F414A729006159BCB10DB68CD41FABB7B8EF48710F18061AF915AB3D1E7B89D05C7A9

Function 00470FA0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 004575A0: VariantInit.OLEAUT32(00000040), ref: 0045763B
Part of subcall function 004575A0: InterlockedExchange.KERNEL32(00000050,?), ref: 00457668
Part of subcall function 004575A0: GetCurrentThreadId.KERNEL32 ref: 004576DA
Part of subcall function 004575A0: GetTopWindow.USER32(00000000), ref: 004576E5
Part of subcall function 004575A0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004576F3
Part of subcall function 004575A0: IsWindowEnabled.USER32(00000000), ref: 00457700

VariantInit.OLEAUT32(00000100), ref: 00471044
InterlockedExchange.KERNEL32(?,00000000), ref: 0047108B
InterlockedExchange.KERNEL32(?,00000000), ref: 0047110D
InterlockedExchange.KERNEL32(?,00000000), ref: 00471124

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ExchangeInterlocked$Window$InitThreadVariant$CurrentEnabledProcess
String ID:
API String ID: 556628112-0
Opcode ID: e61a4e03b7b6953d186a57953b18653d7cedf14e95653b4c6e52e3eaacc64955
Instruction ID: 09299d505f181848b869e4be54a088aa035e156d3432959fa0b0d6639b226e56
Opcode Fuzzy Hash: e61a4e03b7b6953d186a57953b18653d7cedf14e95653b4c6e52e3eaacc64955
Instruction Fuzzy Hash: C74180B11047859FC310DF64C884A6BBBE8FB94308F548D1DF18ACB261DB75D549CB66

Function 00458010 Relevance: 6.1, APIs: 4, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00458037
RtlEnterCriticalSection.NTDLL(?), ref: 00458075
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00458104
RtlLeaveCriticalSection.NTDLL(?), ref: 0045815B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSectionString$AllocEnterLeave
String ID:
API String ID: 3338872719-0
Opcode ID: 4ca1bd099c3fdeb9e03b1baa6facf57ae420371a721d3d82957b7dd4fb1ecc34
Instruction ID: 07ae2ce987468ec03c827476fc219faed36fe406ae6613b28b9e572ba3a1bda3
Opcode Fuzzy Hash: 4ca1bd099c3fdeb9e03b1baa6facf57ae420371a721d3d82957b7dd4fb1ecc34
Instruction Fuzzy Hash: 924195755057019BDB10AF25884066FB3E4AF84B05F05851EFC55A7342EF38E90DCBAA

Function 00421D30 Relevance: 6.1, APIs: 4, Instructions: 121networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00421D64
socket.WS2_32(00000002,00000001,00000000), ref: 00421D77
setsockopt.WS2_32 ref: 00421DA0
htons.WS2_32(?), ref: 00421E4F

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: closesockethtonssetsockoptsocket
String ID:
API String ID: 1846511824-0
Opcode ID: 7fa1ab6600a6e84fd1b7b46a72bcdfe6d79f3373903afe6a96c21dc74315d430
Instruction ID: 651bd4a91691f88f66d9a3cc3dd0d6747f7b2ab35d49516518f20f01c5d77175
Opcode Fuzzy Hash: 7fa1ab6600a6e84fd1b7b46a72bcdfe6d79f3373903afe6a96c21dc74315d430
Instruction Fuzzy Hash: 684158752047009FC300DF69D885B1ABBE4FFA8720F508A1EF956973A0DB74E809CB96

Function 00455010 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004550E6
GetClientRect.USER32(?,?), ref: 004550F1
CreateAcceleratorTableA.USER32 ref: 00455117
GetParent.USER32(?), ref: 0045513D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: bb5a472e3be2820df3ba91110171af60e6fbf339b153e840a5ea4877149e48c5
Instruction ID: 06ff57dee2f5bf3ad8258d249025d07cab5c79fe7a6500abb7fc62ef37f4c98d
Opcode Fuzzy Hash: bb5a472e3be2820df3ba91110171af60e6fbf339b153e840a5ea4877149e48c5
Instruction Fuzzy Hash: CB413275604B059FD310DF29C890A6BBBF8FF88705F14881DE88A87352E735E909CBA1

Function 00525F75 Relevance: 6.1, APIs: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00525F99
lstrlen.KERNEL32(?), ref: 00525FDD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID:
API String ID: 1144527523-0
Opcode ID: 6fbe16ae5682bd16e8d024a29e9aaaf8509b7f8afad774084deadef9ca591498
Instruction ID: 6b8da0ecbcdcc7969eb967420648bbc24094bf2bb827606e5cd479cc1545daf6
Opcode Fuzzy Hash: 6fbe16ae5682bd16e8d024a29e9aaaf8509b7f8afad774084deadef9ca591498
Instruction Fuzzy Hash: 7741F67280061AEFCF14DFB4D98989EBFB9FF05354B24852AE416DB280E734E955CB90

Function 00441590 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004415B1
VariantInit.OLEAUT32(?), ref: 004415C8

Part of subcall function 0043B260: SafeArrayUnlock.OLEAUT32(?), ref: 0043B270
Part of subcall function 0043B260: SafeArrayDestroy.OLEAUT32(00000000), ref: 0043B27D

SafeArrayUnlock.OLEAUT32(?), ref: 0044169D
VariantClear.OLEAUT32(?), ref: 004416BC

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$UnlockVariant$ClearDestroyInitString
String ID:
API String ID: 448001473-0
Opcode ID: 39a25abefa18a1fdbeac4311bf43edb3fc96b5338f521a50f0f4498ea14a7d6f
Instruction ID: 3d83136dbf735729959a27a76575626540021dbe3826b27d46757740518d8d1b
Opcode Fuzzy Hash: 39a25abefa18a1fdbeac4311bf43edb3fc96b5338f521a50f0f4498ea14a7d6f
Instruction Fuzzy Hash: C931F3B55043058BE724EF14C8906AFB7A1FB99750F89492FF556433A0D73CC8C68A0E

Function 0052022B Relevance: 6.1, APIs: 4, Instructions: 103stringtimeCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,00000104), ref: 00520256
GetFileTime.KERNEL32(?,?,?,?), ref: 00520278
GetFileSize.KERNEL32(?,00000000), ref: 00520286
GetFileAttributesA.KERNEL32(?), ref: 005202B0

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 5e8021a4110924b59613ebaec2558edc796afd176e9f4af1c305557962da613b
Instruction ID: 4bc18a0278f4c669b8d464fa585e731fa0d98b0ca7fcf2653fde768d02bfb07e
Opcode Fuzzy Hash: 5e8021a4110924b59613ebaec2558edc796afd176e9f4af1c305557962da613b
Instruction Fuzzy Hash: 48414C75501615DFC724DF68D885CAABBF8FF193207104A2EE1A6976E1EB30F904CB64

Function 00431890 Relevance: 6.1, APIs: 4, Instructions: 103stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 004318CB
lstrlenW.KERNEL32(?), ref: 004318E1
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,00000002,00000000,00000000), ref: 00431946
RtlLeaveCriticalSection.NTDLL(?), ref: 0043197D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterLeaveMultiWidelstrlen
String ID:
API String ID: 2873600341-0
Opcode ID: 6a04898c80ae225166c7520325d61e8f53a2b60503ebb3896c693daa701f3048
Instruction ID: 7ed377008b84050530c1e2c0ec5d17ce053cddd058d15711ea495f504602f20c
Opcode Fuzzy Hash: 6a04898c80ae225166c7520325d61e8f53a2b60503ebb3896c693daa701f3048
Instruction Fuzzy Hash: D03149B2900616ABCB10DF24CC51BAFB7A8FF44714F14562AF815B73A0E73CA940C795

Function 004C8F56 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 004BA887: VirtualQuery.KERNEL32(?,?,0000001C), ref: 004BA8A1
Part of subcall function 004BA887: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004BA8B2
Part of subcall function 004BA887: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004BA8F8

MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C8F99
MultiByteToWideChar.KERNEL32(?,00000009,000007D0,?,00000000,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C8FB6
MultiByteToWideChar.KERNEL32(?,00000001,000007D0,?,?,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000,004C42BE,00548074), ref: 004C902C
CompareStringW.KERNEL32(?,?,?,00000000,?,00000000,?,00000000,?,004C7706,00000000,?,00000000,00000000,00000000,00000000), ref: 004C9042

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: 92ceb0dc6226d7bc210903a66b2b2c23f71bb25b279cf44699aca0bb74bc538f
Instruction ID: a3f43f96d98c2dd7c85728cc35c56a1e082022b2c094f8468f8515115ec22518
Opcode Fuzzy Hash: 92ceb0dc6226d7bc210903a66b2b2c23f71bb25b279cf44699aca0bb74bc538f
Instruction Fuzzy Hash: F2317A36800608ABCF219FA1DC49FDEBB76FF04714F20010AF924A62A0E7398D61DB59

Function 004103C0 Relevance: 6.1, APIs: 4, Instructions: 91memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004103DA
lstrlen.KERNEL32(?), ref: 004103ED
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000008,00000000), ref: 00410452
SysAllocString.OLEAUT32(00000000), ref: 00410469

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: AllocByteCharClearMultiStringVariantWidelstrlen
String ID:
API String ID: 3257503732-0
Opcode ID: f03f6e415dbfcf5af972f690d787dce038440e1dac8f08e27c6f787d8420ec47
Instruction ID: 290fc443bdc29d821da694111096d239307fc80a79457aa7d80a71492a872895
Opcode Fuzzy Hash: f03f6e415dbfcf5af972f690d787dce038440e1dac8f08e27c6f787d8420ec47
Instruction Fuzzy Hash: 9831DF72A002149BCB20DFA5DC85B9BB3A8EF14315F18412AEA05DB350F7B8EDC587A5

Function 00418DF0 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00418E56
VariantChangeType.OLEAUT32(?,?,00000000,00000003), ref: 00418EBC
VariantClear.OLEAUT32(?), ref: 00418ED1
VariantClear.OLEAUT32(00000009), ref: 00418ED8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1e7c68da2abb0e9868772a00a55bcb3c96c4b79aaf43c7669089f7f7972ed378
Instruction ID: c0dd8826b1a12e0ad8fbd4ea4a65c60886f4c127c247474eeb7b693faf8f2623
Opcode Fuzzy Hash: 1e7c68da2abb0e9868772a00a55bcb3c96c4b79aaf43c7669089f7f7972ed378
Instruction Fuzzy Hash: 05313871204341AFD714DB69D884FABB7E8BFC8B08F04491EF545D7290EB74E8488B66

Function 00414840 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00414190: SafeArrayUnlock.OLEAUT32(?), ref: 0041419B
Part of subcall function 00414190: VariantClear.OLEAUT32(0000000A), ref: 004141B3
Part of subcall function 00414190: SafeArrayCreate.OLEAUT32(00000011,00000001), ref: 004141D3
Part of subcall function 00414190: SafeArrayLock.OLEAUT32(00000000), ref: 004141E1

SafeArrayUnlock.OLEAUT32(?), ref: 004148E4
VariantClear.OLEAUT32(0000000A), ref: 004148F9
SafeArrayUnlock.OLEAUT32(?), ref: 00414908
SafeArrayDestroy.OLEAUT32(?), ref: 00414913

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$ClearVariant$CreateDestroyLock
String ID:
API String ID: 3721687632-0
Opcode ID: d9599242a6f04246a48c98a9f4f6fc194e31ba57ec77359522394f82ba606929
Instruction ID: b6a022cc977c6f63c284aa1d686c2a98a399a69f207b48d42e3d4a8b2e88a1df
Opcode Fuzzy Hash: d9599242a6f04246a48c98a9f4f6fc194e31ba57ec77359522394f82ba606929
Instruction Fuzzy Hash: B3219E756083419BC314DF69D884A9BBBE4BB88714F400E2EF095D3350D738E9888B96

Function 00414BC0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf546d393fe142806c67db3de69866591dd9bc95246d7e4250dbf2cc5a72db5
Instruction ID: 3b19d8c16c4eac11c7278142c13d69a633862cdde0c044f66a0dfd68921dc6a0
Opcode Fuzzy Hash: 0bf546d393fe142806c67db3de69866591dd9bc95246d7e4250dbf2cc5a72db5
Instruction Fuzzy Hash: EB21A47A544B419BC714EF18D841B96B3E4FBC8B10F804D1EF85993790E73C9949CB96

Function 0042D4B0 Relevance: 6.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0042D4E4
VariantClear.OLEAUT32(00000000), ref: 0042D518
SysAllocString.OLEAUT32 ref: 0042D524
RtlLeaveCriticalSection.NTDLL(?), ref: 0042D54D

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$AllocClearEnterLeaveStringVariant
String ID:
API String ID: 2346153933-0
Opcode ID: 961f5a419055de4c13da43dbfb02dfba568ff0ce8c95d9c0de04968b8842c0ea
Instruction ID: c656383b86f2e82aeb1e28b1ea1fbface8b606ed2c281ed2d9eac81e3446422d
Opcode Fuzzy Hash: 961f5a419055de4c13da43dbfb02dfba568ff0ce8c95d9c0de04968b8842c0ea
Instruction Fuzzy Hash: F521B0B16007019BD314CF19D844B1BB7E8FF98728F54862DF895933A1E738E944CB95

Function 00481A70 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00481A9B
SetFilePointer.KERNEL32 ref: 00481ACB
RtlLeaveCriticalSection.NTDLL(?), ref: 00481AED
RtlLeaveCriticalSection.NTDLL(?), ref: 00481B1E

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$Leave$EnterFilePointer
String ID:
API String ID: 4135349045-0
Opcode ID: 43f952e025562aa704cf9487eb77303049127262f6f5439cfe6c20e2c2712751
Instruction ID: 954e276e6f843dc3a29eb77b43b6132499ffdfb39fecd65cd6d31b50395fd7c9
Opcode Fuzzy Hash: 43f952e025562aa704cf9487eb77303049127262f6f5439cfe6c20e2c2712751
Instruction Fuzzy Hash: 1F2149752006019FC714DF29D880B5BB3E9FF98725F04882EE859C3361E734E85ACBA1

Function 00419940 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(?,?), ref: 00419979
VariantClear.OLEAUT32(?), ref: 004199AC
VariantCopy.OLEAUT32(?,?), ref: 004199D0
VariantClear.OLEAUT32(?), ref: 004199E8

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: f6016de38c2ccef689109c9f0271091e9085b294f1e855131295a6489f770dbb
Instruction ID: bb49fc63ef43e5c9442214a70b537bd58f0957cfb0925d5256e6a35f50e4d700
Opcode Fuzzy Hash: f6016de38c2ccef689109c9f0271091e9085b294f1e855131295a6489f770dbb
Instruction Fuzzy Hash: 6C2139B1614745ABC704DF19C880A5ABBE8FF88710F508A2EE058C7710E774E944CBA6

Function 0052496D Relevance: 6.1, APIs: 4, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0052498A
lstrcmp.KERNEL32(?,?), ref: 00524996
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 005249D0
GlobalLock.KERNEL32(00000000), ref: 005249DA

Part of subcall function 005267E6: GlobalFlags.KERNEL32(?), ref: 005267F0
Part of subcall function 005267E6: GlobalUnlock.KERNEL32(?), ref: 00526801
Part of subcall function 005267E6: GlobalFree.KERNEL32(?), ref: 0052680C

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: aa5f0a2c75832641a09d76990c691e9128ab4f4db872343fc95769cec3838421
Instruction ID: 2319d1c52c0755cf4f47d4f3e6061aa654cfdc81c732ed98591a0925ff5bb7f1
Opcode Fuzzy Hash: aa5f0a2c75832641a09d76990c691e9128ab4f4db872343fc95769cec3838421
Instruction Fuzzy Hash: 16119A76100644BECB21ABA6EC89E7FBEADFF8A744B14441DFA01D11A1E735CD40EB24

Function 005294FF Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0052955C
RtlLeaveCriticalSection.NTDLL(?), ref: 0052956C
LocalFree.KERNEL32(?), ref: 00529575
TlsSetValue.KERNEL32(?,00000000), ref: 00529587

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 197e1e5d2bff9830eedb5c1c59ec46a840c3999cf50bf668b61330efd4dcbc32
Instruction ID: 446bcdc010729078bcacbf5a2c2aecb13f3a6ddb1b520e648a35cba899ec96ce
Opcode Fuzzy Hash: 197e1e5d2bff9830eedb5c1c59ec46a840c3999cf50bf668b61330efd4dcbc32
Instruction Fuzzy Hash: 9C117971700615EFCB25CF58E884B9ABBB4FF46316F109429F146876A1CB70E985CB20

Function 005258B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 005258DF
LoadResource.KERNEL32(?,00000000), ref: 005258E7
LockResource.KERNEL32(00000000), ref: 005258F9
FreeResource.KERNEL32(00000000), ref: 00525943

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: cf0d0ab88e52764d6a0b18659f9ede48bcc77352f89865e0a8fdc42af0316b7a
Instruction ID: f5bbd3cd392a4b2887f3ce1ddf18af4a0e0a013b29efd342fbbf135e83269e46
Opcode Fuzzy Hash: cf0d0ab88e52764d6a0b18659f9ede48bcc77352f89865e0a8fdc42af0316b7a
Instruction Fuzzy Hash: A711A73A501B25EFCB249F54E948AA6BBB4FF05765F00442DE94253790F3709D84DB60

Function 00419320 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,00418322), ref: 00419341
VariantCopy.OLEAUT32 ref: 00419379
VariantClear.OLEAUT32(?), ref: 004193B0
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 004193C5

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$ClearCopyObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 2128365860-0
Opcode ID: d80a20a6af638114736e9f2f584bfde6c978379253939605dabf26238ec3c69a
Instruction ID: db0f1231220d01509dcad3d535e8587093a145e269bab23b440d0c082a92729c
Opcode Fuzzy Hash: d80a20a6af638114736e9f2f584bfde6c978379253939605dabf26238ec3c69a
Instruction Fuzzy Hash: 2F117CB6144B40AFC314EF14C944B9AB7E8FF88B04F008A1DF45A93790D738E908CB66

Function 00478EA0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00478EC3
VariantClear.OLEAUT32(?), ref: 00478EEC
RtlLeaveCriticalSection.NTDLL(?), ref: 00478F04

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$ClearEnterLeaveVariant
String ID:
API String ID: 3955881063-0
Opcode ID: 2778b57cdaee2fb5795aa9d1f7d7afc109dcf07a14af4616084150699f4b3804
Instruction ID: 10d93292005edbdac15a03c616b7593d5c886496f97e756b1720f8d1802a1a33
Opcode Fuzzy Hash: 2778b57cdaee2fb5795aa9d1f7d7afc109dcf07a14af4616084150699f4b3804
Instruction Fuzzy Hash: 1C0180323406009BEB20DB2DAC84A5FF3AABBA4311754C91EF449D7355DB34E84987A4

Function 005208AC Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 005208E0
GetCurrentProcess.KERNEL32(?,00000000), ref: 005208E6
DuplicateHandle.KERNEL32(00000000), ref: 005208E9
GetLastError.KERNEL32(?), ref: 00520904

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 99bf231439c7e79cabb1e265d25867e8d13aaea2bd25d37b33920b95287d95a0
Instruction ID: be1350532cb9896ee688b3d9239ec0ab1286ea30a1f60022536f657ff51148f4
Opcode Fuzzy Hash: 99bf231439c7e79cabb1e265d25867e8d13aaea2bd25d37b33920b95287d95a0
Instruction Fuzzy Hash: 2D017171701214ABEB14ABA59C89F5A7FA9EF85320F144525FA05CB2D2EAB1DC409BA0

Function 00414DA0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00414DF1
VariantChangeType.OLEAUT32(?,?,00000000,00000003), ref: 00414E01
VariantClear.OLEAUT32(?), ref: 00414E10
VariantClear.OLEAUT32(?), ref: 00414E28

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 97b01de370f59bb403228e1fa4bb25b8a270df79705570e9fc4e0f1f4a693d66
Instruction ID: cf5d5f2e16480b0e97e87e1d46fd17c49074a9ca07472f70c5976b4ecdc16f96
Opcode Fuzzy Hash: 97b01de370f59bb403228e1fa4bb25b8a270df79705570e9fc4e0f1f4a693d66
Instruction Fuzzy Hash: 4501C43A1007219BD710EB1CDC41AEA73E4FF84715FC84899F4A8C3361E338D9989A85

Function 004794C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

VariantCopyInd.OLEAUT32 ref: 004794EC
RtlEnterCriticalSection.NTDLL(?), ref: 00479501
RtlLeaveCriticalSection.NTDLL(?), ref: 00479533
VariantClear.OLEAUT32(?), ref: 00479542

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSectionVariant$ClearCopyEnterLeave
String ID:
API String ID: 3257703411-0
Opcode ID: 65faa28a97a41e205f54130d5cb1beaa360bb427e55b12e9ad1962dd3d8ac198
Instruction ID: 4a9b1ff4c1f5046ccb44fbfe796febc818b7f50573e7592403b8ab85955acc42
Opcode Fuzzy Hash: 65faa28a97a41e205f54130d5cb1beaa360bb427e55b12e9ad1962dd3d8ac198
Instruction Fuzzy Hash: 70117076204711ABD315DF25D8809ABB3F8FF98704F048A1EF849D2251E734EA0D8BA6

Function 00458570 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00458593
VariantCopyInd.OLEAUT32(?,?), ref: 004585BC
RtlLeaveCriticalSection.NTDLL(?), ref: 004585CA

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$CopyEnterLeaveVariant
String ID:
API String ID: 1374279021-0
Opcode ID: ad58b8709156361c91d14d0cb1fdac72d71a886207fa9e0fb43acdd8f04ce4cf
Instruction ID: 1505687b5e6c4ca13c9f184359758a02fa3d3a75fa1e481962fabd2016c1990f
Opcode Fuzzy Hash: ad58b8709156361c91d14d0cb1fdac72d71a886207fa9e0fb43acdd8f04ce4cf
Instruction Fuzzy Hash: DD017932200515ABD711DF19E8C0D9B73E4AB94752711852EFC09F7202EB34ED8ADBE4

Function 00415BF0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 004155C0: VariantInit.OLEAUT32(?), ref: 0041561A
Part of subcall function 004155C0: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00415626
Part of subcall function 004155C0: SysStringByteLen.OLEAUT32(?), ref: 00415640

SafeArrayUnlock.OLEAUT32(?), ref: 00415C41
VariantClear.OLEAUT32(0000000A), ref: 00415C56
SafeArrayUnlock.OLEAUT32(?), ref: 00415C65
SafeArrayDestroy.OLEAUT32(?), ref: 00415C70

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafeVariant$Unlock$ByteChangeClearDestroyInitStringType
String ID:
API String ID: 907576721-0
Opcode ID: aa3d1a0eb6d65c5dae8f2a2da4d61d18945387395fd43406dec4ffdae6f8d4b0
Instruction ID: b4b700c7ed93df2d3ca6bfcc9a8673938764574921bac235df0ec38bab329656
Opcode Fuzzy Hash: aa3d1a0eb6d65c5dae8f2a2da4d61d18945387395fd43406dec4ffdae6f8d4b0
Instruction Fuzzy Hash: EB012775604741EBC314DF64C844B9BBBE8BB88760F044A1EB855D3350E738E888CB92

Function 00529BAB Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 00529BBF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0052AD6E,00000000), ref: 00529BD5
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00529BDD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,0052AD6E,00000000), ref: 00529BF2

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 3d9bfc4eac56b4e6d78bd9b18c9ec781336e932b261841afd3e3550804dc8414
Instruction ID: 7e82fbf02055956094504e893cfc3b916dccc213e2405186d88a1fe9de2e607b
Opcode Fuzzy Hash: 3d9bfc4eac56b4e6d78bd9b18c9ec781336e932b261841afd3e3550804dc8414
Instruction Fuzzy Hash: 43F054711063347F96219B67AC48CBBBF9CFE9B2A5B11491AF549C2200D6755805CBF1

Function 0043D480 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0043D4A2
SysFreeString.OLEAUT32(?), ref: 0043D4BF
SysFreeString.OLEAUT32(?), ref: 0043D4DC
SysAllocString.OLEAUT32(00474517), ref: 0043D500

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5b4ca4c08b49a7dcd8ce3bd764d29719301d684eca6c3d61bda006b24db82878
Instruction ID: 62a64588263b558d563252b7224198887876c306fd216870858dee1d20e1946a
Opcode Fuzzy Hash: 5b4ca4c08b49a7dcd8ce3bd764d29719301d684eca6c3d61bda006b24db82878
Instruction Fuzzy Hash: 6511EE30601B009FD761CF29E884B53B3ECAF58260F19C899E84ECB311DB39E889CB50

Function 00435000 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 00435017
TranslateMessage.USER32(?), ref: 00435035
DispatchMessageA.USER32(?), ref: 0043503C
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0043504B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 33a4735c80b5a92dfa41baa08d2495e2a291b579891f56345516c810eab0549d
Instruction ID: 0b9f05a873d07764d2e5e4a1cc5898e1fd903ae67aff0432700c1acb6b85c256
Opcode Fuzzy Hash: 33a4735c80b5a92dfa41baa08d2495e2a291b579891f56345516c810eab0549d
Instruction Fuzzy Hash: 56F0A772654700BAE524EB64DD82F9B73AC6B98B50FD04406F740EB1C0E6B5E5088BB6

Function 00414190 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

SafeArrayUnlock.OLEAUT32(?), ref: 0041419B
VariantClear.OLEAUT32(0000000A), ref: 004141B3
SafeArrayCreate.OLEAUT32(00000011,00000001), ref: 004141D3
SafeArrayLock.OLEAUT32(00000000), ref: 004141E1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$ClearCreateLockUnlockVariant
String ID:
API String ID: 1435955220-0
Opcode ID: 9cfd499443e52d839e1220e562493a4e99221b6e6f10776b8345ccf90a435da6
Instruction ID: 1d2b40a960ae52d4b73a617fc4c53f670b11f8e43739f60f1ea86f1dc7c68aa1
Opcode Fuzzy Hash: 9cfd499443e52d839e1220e562493a4e99221b6e6f10776b8345ccf90a435da6
Instruction Fuzzy Hash: F3012874600B01AFEB209F25D888B56BBE4BF64301F40881DE8AAC3350E778E4C89A11

Function 00529ABA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0058A4CC), ref: 00529AE8
RtlInitializeCriticalSection.NTDLL(00000000), ref: 00529AFA
RtlLeaveCriticalSection.NTDLL(0058A4CC), ref: 00529B03
RtlEnterCriticalSection.NTDLL(00000000), ref: 00529B15

Part of subcall function 00529A51: RtlInitializeCriticalSection.NTDLL(0058A4CC), ref: 00529A69

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 1e2912c196dc4d0229547183792d68f9a23e1450328bdba0083691c11f92855d
Instruction ID: 9ac9d50cf6df511b9db17a663e380633fbac45234719bd574d6e9ebc984ac7d6
Opcode Fuzzy Hash: 1e2912c196dc4d0229547183792d68f9a23e1450328bdba0083691c11f92855d
Instruction Fuzzy Hash: FDF0CD3540021ADFDF109F48FC88E66B7ACFF61312F402427EA4592121E730E05EDBA0

Function 00414140 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

SafeArrayUnlock.OLEAUT32(?), ref: 0041414F
VariantClear.OLEAUT32(0000000A), ref: 00414163
SafeArrayUnlock.OLEAUT32(?), ref: 00414171
SafeArrayDestroy.OLEAUT32(?), ref: 0041417B

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: ArraySafe$Unlock$ClearDestroyVariant
String ID:
API String ID: 909254826-0
Opcode ID: d48adeaff4b3e16410bb4dcc975bf9bcc1e447e690b83e7b3ebecb3c05079dd7
Instruction ID: e17e047a276688d47a229b95eb0932a8947b4cf9d3f5949b41857e70ff375d7d
Opcode Fuzzy Hash: d48adeaff4b3e16410bb4dcc975bf9bcc1e447e690b83e7b3ebecb3c05079dd7
Instruction Fuzzy Hash: FCF01C71600B02BBD7609F66DC4CB53B3ECAFA1315B04491EA456C3720E778E4C88B64

Function 0049C880 Relevance: 6.0, APIs: 4, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00588754), ref: 0049C89C
Sleep.KERNEL32(00000001), ref: 0049C8A5
RtlInitializeCriticalSection.NTDLL(00588728), ref: 0049C8B7
RtlEnterCriticalSection.NTDLL(00588728), ref: 0049C8CE

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterIncrementInitializeInterlockedSleep
String ID:
API String ID: 1132449946-0
Opcode ID: 2772ca6e5a47e10cccda717775d92e78a32e9df4949594dc855ea362c39265d0
Instruction ID: 1227f843d9b8267a0fec69bacec7337044a3bd8f63a81b0bf5406d6279e946d9
Opcode Fuzzy Hash: 2772ca6e5a47e10cccda717775d92e78a32e9df4949594dc855ea362c39265d0
Instruction Fuzzy Hash: D5F065312402109BDB10AF59AC447667FF4FB64752BE05426EC01E3360DBB7944CAB91

Function 0047CAB0 Relevance: 6.0, APIs: 4, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 0047CAC0
StringFromCLSID.COMBASE(?), ref: 0047CAD3
SysAllocString.OLEAUT32(00000000), ref: 0047CAE1
CoTaskMemFree.COMBASE ref: 0047CAF1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: String$AllocCreateFreeFromGuidTask
String ID:
API String ID: 2288247322-0
Opcode ID: 97671131b83ae506343904b6f9a18d6e7893a68cba150d0abcb6f769e4f1b741
Instruction ID: e4864e7a36a57b3efabc1fc5662f0b5fc7e28ad0a0d24dce21c228d12172520d
Opcode Fuzzy Hash: 97671131b83ae506343904b6f9a18d6e7893a68cba150d0abcb6f769e4f1b741
Instruction Fuzzy Hash: 10F0A5B5208601DBC304EFA5D988E4BBBE8EF98745F40891DA59AC6220E774D40DDB62

Function 00419E80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

text/html, xrefs: 0041A0BA
netbox:, xrefs: 00419EB3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID:
String ID: netbox:$text/html
API String ID: 0-3738157085
Opcode ID: 3395b6c223ed65b4d3d5b6d62a70521b0a9f6868b27a54aae6319ceaaa19a495
Instruction ID: b08717ff39b4d09cd9173a8d7441f3bf0d243f177b3cc7717457d06d29e4fde9
Opcode Fuzzy Hash: 3395b6c223ed65b4d3d5b6d62a70521b0a9f6868b27a54aae6319ceaaa19a495
Instruction Fuzzy Hash: ED819E71604301ABD310EF25C841B9BB7E8AF84724F044A2EF955A73D2DB78E945CBA6

Function 004A17C9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004A17E5

Strings

, xrefs: 004A20A6, 004A20BA, 004A2124, 004A2138
-x0, xrefs: 004A1852

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: __aulldvrm
String ID: $-x0
API String ID: 1302938615-814009424
Opcode ID: d19733f5eb7c3c3a25eefc17ddecfab361d35d2a467d263e75908783eed57378
Instruction ID: 83debc4b278b199d917e9e3eb57053435cbc0abeb23eb173b4bf48a473c9e8b2
Opcode Fuzzy Hash: d19733f5eb7c3c3a25eefc17ddecfab361d35d2a467d263e75908783eed57378
Instruction Fuzzy Hash: 2C5127752083414FC714CF1D899066BBBE5AFEA348F08096EFA889B351D779DD04C79A

Function 004086E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 00527DCD: __EH_prolog.LIBCMT ref: 00527DD2

VariantInit.OLEAUT32(?), ref: 00408717

Strings

3}R, xrefs: 0040872D
3}R, xrefs: 00408711

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: H_prologInitVariant
String ID: 3}R$3}R
API String ID: 473307198-3875649222
Opcode ID: 6d0b5f1e90bbec393d62e6babbb1eb19483c8861ade12fbbc0ffe0fbf8e87f37
Instruction ID: b17323ad3eec55fcb135e5dc41be5a61541aa35b7a33473ddc4c6e450c51fdc9
Opcode Fuzzy Hash: 6d0b5f1e90bbec393d62e6babbb1eb19483c8861ade12fbbc0ffe0fbf8e87f37
Instruction Fuzzy Hash: 8F5108B0605B42AFD30ADF3A8095286FFA4BF59304F44462ED16C87342C774A269CFD2

Function 00424950 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(0000001C), ref: 00424986

Strings

`B, xrefs: 0042496A
pB, xrefs: 00424971

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: `B$pB
API String ID: 32694325-407398055
Opcode ID: 77d0483a3dc29b9c9b0fb72ce7825633c428d49af25b3f4be9702cc79e3188ce
Instruction ID: 10b92b8622d670e5ae421893f57abd5ec4ebae3521f901e4efc416b8bd2c1e32
Opcode Fuzzy Hash: 77d0483a3dc29b9c9b0fb72ce7825633c428d49af25b3f4be9702cc79e3188ce
Instruction Fuzzy Hash: 791134B4901B008FD3648F2AE548546FBF8BFA4714B118A5FC5DA83B21DBB0A588DF80

Function 004552E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 00455512
RtlDeleteCriticalSection.NTDLL(00000004), ref: 00455522

Strings

@RE, xrefs: 004552E3

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: @RE
API String ID: 166494926-31514139
Opcode ID: e9c0adc58dc15e7b97f5912f308c0ac90adaed0077a512d86eaaccc34e8e9bae
Instruction ID: 305186ccfefdfe52cf6c1af96d28b7f9ed0f8db9725e62b3b59c0da321c67eb2
Opcode Fuzzy Hash: e9c0adc58dc15e7b97f5912f308c0ac90adaed0077a512d86eaaccc34e8e9bae
Instruction Fuzzy Hash: 35F0B1712007109FC714EF55E41869777E4EF4871A705045DF94AD7321DB74EC84C798

Function 004588A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00458460: RtlEnterCriticalSection.NTDLL(?), ref: 00458476
Part of subcall function 00458460: VariantClear.OLEAUT32(?), ref: 00458497
Part of subcall function 00458460: RtlLeaveCriticalSection.NTDLL(?), ref: 004584B0

RtlDeleteCriticalSection.NTDLL ref: 00458900

Part of subcall function 004BAB15: __lock.LIBCMT ref: 004BAB33
Part of subcall function 004BAB15: RtlFreeHeap.NTDLL(00000000,?,005471E8,0000000C,004BE880,?), ref: 004BAB7A

Strings

mS8CB, xrefs: 00458915
BB, xrefs: 004588BD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$ClearDeleteEnterFreeHeapLeaveVariant__lock
String ID: BB$mS8CB
API String ID: 3361730157-3534282540
Opcode ID: c7eeb66afc6ee73d77a19dc3c2776b07fac6126f2f19ffdb3aaa6ff5cfe6c306
Instruction ID: c1c9cefcbf1a14da700381c8dc731d0e125fca0fb67109014ab1eb86d6faa906
Opcode Fuzzy Hash: c7eeb66afc6ee73d77a19dc3c2776b07fac6126f2f19ffdb3aaa6ff5cfe6c306
Instruction Fuzzy Hash: 34016DB1504B51DBC320DF49D909746BBE8FB05B24F400A1EA46583791DBB8D54CCBA1

Function 00455490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 00455512

Strings

PTE, xrefs: 00455499
@RE, xrefs: 00455493

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: @RE$PTE
API String ID: 166494926-2478829396
Opcode ID: a92f4eecbc17837eb6c1b3020e77576cfba3686c8cb676e20bd031edd997151a
Instruction ID: 4244783795d06ea57e78f8d5d80f45348ce95059cd1c75f6b6d660efc399a7e7
Opcode Fuzzy Hash: a92f4eecbc17837eb6c1b3020e77576cfba3686c8cb676e20bd031edd997151a
Instruction Fuzzy Hash: A1F089312007249BC714DF18D41456677E4EF4971A704056EEC4AD7321DB74EC44CB98

Function 0042C590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00000018), ref: 0042C5C0

Strings

B, xrefs: 0042C5E6
BB, xrefs: 0042C5A1

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: BB$B
API String ID: 32694325-2087430830
Opcode ID: d9b34a4036f67593e37542112f79b1b5660f1399e63ac31eaf55ba935e9a4225
Instruction ID: b7daff4bc619f434d9ac3cc22068bf85c553a39b54707f7df99dca63227de984
Opcode Fuzzy Hash: d9b34a4036f67593e37542112f79b1b5660f1399e63ac31eaf55ba935e9a4225
Instruction Fuzzy Hash: C50148B4501B019BC7348F1AD98810AFEF8BFA57187909A1EC19697B20C7B1E28CCF90

Function 00410EE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00000018), ref: 00410F13

Strings

`>A, xrefs: 00410EF6
p>A, xrefs: 00410EFD

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: `>A$p>A
API String ID: 32694325-1988542205
Opcode ID: f81c784559724ede16f1a9f53c7692d4a92441cb63167d82f5c0f33cd06a0a2a
Instruction ID: 15961272348996a6279a27507c327f12e2fc298970ef6aecec532f8bb05598e8
Opcode Fuzzy Hash: f81c784559724ede16f1a9f53c7692d4a92441cb63167d82f5c0f33cd06a0a2a
Instruction Fuzzy Hash: B5F057B4901B408FD3308F1AD544246FFF8BFA0709B509A1FC59687A20C3F6B0888F40

Function 0045C6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005734F4), ref: 0045C6EE
RtlLeaveCriticalSection.NTDLL(005734F4), ref: 0045C716

Strings

(wX, xrefs: 0045C6F4

Memory Dump Source

Source File: 00000000.00000002.3248859647.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3248838318.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000572000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.000000000058C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3248859647.0000000000592000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249103560.0000000000594000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249118409.0000000000595000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3249143956.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aspweb88.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: (wX
API String ID: 3168844106-3436312765
Opcode ID: 362613a61b4f841d08ed5dd12b5f267a71d0924a2c9511a36c18e6378c55293f
Instruction ID: 6b13428b63f5dd94f03cbf8af1e2ee39e31432798b4d9a0976ecadad86157512
Opcode Fuzzy Hash: 362613a61b4f841d08ed5dd12b5f267a71d0924a2c9511a36c18e6378c55293f
Instruction Fuzzy Hash: 71D05B303003165F5F0C77756CC69263FD1F6657567048055AC05D5353DE54C54CFA25

Source: global traffic	TCP traffic: 192.168.2.8:63744 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.8:51896 -> 162.159.36.2:53

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LwwWeu4XSHsKZAa&MD=hCl5DCpY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.netbox.cn

Input	Output
URL: http://127.0.0.1 Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": true, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: http://127.0.0.1
URL: http://127.0.0.1:88/ Model: Joe Sandbox AI	```json { "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: http://127.0.0.1:88/ Model: Joe Sandbox AI	```json { "brands": [ "NetBox" ] }
	```json { "brands": [ "NetBox" ] }

Source: C:\Users\user\Desktop\aspweb88.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\aspweb88.exe	File opened: a:	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aspweb88.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1076048168\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7692_1236646328\manifest.json

Windows Analysis Report
aspweb88.exe

Function 004CB880 Relevance: 117.8, APIs: 40, Strings: 27, Instructions: 501
libraryloadermemoryCOMMON

Function 0046F030 Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 633
registrylibraryloaderCOMMON

Function 0041F4F0 Relevance: 88.0, APIs: 46, Strings: 4, Instructions: 546
windownativetimeCOMMON

Function 005287EA Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Function 0046FB20 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 219
COMMON

Function 00520980 Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Function 0046E4F0 Relevance: 109.2, APIs: 18, Strings: 44, Instructions: 726
registryCOMMON

Function 00455B50 Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 383
windowCOMMON

Function 0041EDE0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 140
windowregistrylibraryCOMMON

Function 004279C0 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 333
librarycomloaderCOMMON

Function 0046F8E0 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 161
registryCOMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre