Edit tour

Windows Analysis Report
cho_mea64.exe

Overview

General Information

Sample name:	cho_mea64.exe
Analysis ID:	1559669
MD5:	044f51347e293ac77de4cd47bdccbacf
SHA1:	4c67777228575ac317c62855e6d9dd0a6da48c2d
SHA256:	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2
Tags:	chomea64exeuser-JAMESWT_MHT
Infos:

Detection

MicroClip

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Yara detected MicroClip

AI detected suspicious sample

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

PE file contains section with special chars

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cho_mea64.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\cho_mea64.exe" MD5: 044F51347E293AC77DE4CD47BDCCBACF)

cho_mea64.tmp (PID: 7468 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe" MD5: DC63A4763A59D647C3D0C4480EAE0329)

20decf5c428.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: 545274EA5D70FF8BEB929CDA02BE53DE)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

62b24530.exe (PID: 7696 cmdline: "C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: CB8267B4B34F49626EAF67B562DC4C87)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

soiucosxz.exe (PID: 7824 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

svchost.exe (PID: 7520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 5508 cmdline: cmd /c start "" "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

soiucosxz.exe (PID: 6240 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

soiucosxz.exe (PID: 7716 cmdline: "C:\Windows\ksxvHQBlSOri\soiucosxz.exe" MD5: F6F6FF4E9B359BC005A25FADB3A0AA61)

soiucosxz.exe (PID: 336 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe" MD5: F6F6FF4E9B359BC005A25FADB3A0AA61)

soiucosxz.exe (PID: 1920 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

soiucosxz.exe (PID: 1876 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" "2fb5d34656b943d916e57e9120" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

RelPost.exe (PID: 3260 cmdline: C:\Windows\system32\RelPost.exe MD5: E351DDC4F470EDEF41D705315CA1F156)

msconfig.exe (PID: 3136 cmdline: C:\Windows\system32\msconfig.exe MD5: 39009536CAFE30C6EF2501FE46C9DF5E)

soiucosxz.exe (PID: 2384 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" bcbf6f4 1876 MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

cmd.exe (PID: 7700 cmdline: cmd /c start "" "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

soiucosxz.exe (PID: 7740 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

soiucosxz.exe (PID: 2840 cmdline: C:\Windows\ksxvHQBlSOri\soiucosxz.exe MD5: F6F6FF4E9B359BC005A25FADB3A0AA61)

soiucosxz.exe (PID: 5576 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe" MD5: F6F6FF4E9B359BC005A25FADB3A0AA61)

soiucosxz.exe (PID: 3896 cmdline: "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" MD5: 6CF29DBF1FA710CCCF6BA1C4C01F6B85)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2875747667.0000022F1E420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000017.00000002.3163426099.0000016095BB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000017.00000002.3163647071.0000016095E11000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000008.00000002.2875896834.0000022F1E681000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: soiucosxz.exe PID: 7824	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: soiucosxz.exe PID: 2384	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
23.2.soiucosxz.exe.16095bb0000.2.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
8.2.soiucosxz.exe.22f1e420000.2.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
8.2.soiucosxz.exe.22f1e420000.2.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
23.2.soiucosxz.exe.16095bb0000.2.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp, ParentCommandLine: "C:\Users\user\Desktop\cho_mea64.exe", ParentImage: C:\Users\user\Desktop\cho_mea64.exe, ParentProcessId: 7416, ParentProcessName: cho_mea64.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe" , ProcessId: 7468, ProcessName: cho_mea64.tmp

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 7520, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\zlibwapi.dll

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Machine Learning detection for dropped file

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll

Joe Sandbox ML: detected

Source: cho_mea64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cho_mea64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: O:\Projects\DSClock\Releasex64\DSClock.x64.pdb source: 62b24530.exe, 00000006.00000003.1387698113.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, 00000008.00000000.1390014706.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000008.00000002.2876430989.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000002.2722695776.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1969463418.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662654047.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000011.00000002.3162868206.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718384137.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000002.2895851602.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000000.2804109156.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3150573408.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000002.3164204207.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940163214.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\paulb\code\Squirrel\squirrel.windows\src\StubExecutable\bin\Release\StubExecutable.pdb source: soiucosxz.exe, 0000000F.00000002.2717694035.0000000000CFD000.00000002.00000001.01000000.00000010.sdmp, soiucosxz.exe, 0000000F.00000000.2661422003.0000000000CFD000.00000002.00000001.01000000.00000010.sdmp, soiucosxz.exe, 00000010.00000000.2661876558.0000000000E9D000.00000002.00000001.01000000.00000011.sdmp, soiucosxz.exe, 00000010.00000002.2718485911.0000000000E9D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: z:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: x:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: v:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: t:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: r:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: p:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: n:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: l:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: j:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: h:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: f:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: b:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: y:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: w:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: u:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: s:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: q:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: o:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: m:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: k:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: i:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: g:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: c:	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_00405A8D FindFirstFileW,

4_2_00405A8D

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\_isetup\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Code function: 4x nop then movzx eax, byte ptr [r8]

8_2_0000000180053140

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: boss.google.tw.cn

Source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/Sectig
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: soiucosxz.exe	String found in binary or memory: http://schemas.microsoft.c
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://support.google.com/installer/
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: 20decf5c428.exe, 00000004.00000003.1362558079.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: soiucosxz.exe	String found in binary or memory: https://curl.haxx.se/
Source: soiucosxz.exe, 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2719010918.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157360807.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887804207.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140670968.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157366347.0000000180085000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.haxx.se/V
Source: soiucosxz.exe	String found in binary or memory: https://curl.haxx.se/docs/copyright.html
Source: soiucosxz.exe, 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2719010918.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157360807.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887804207.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140670968.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157366347.0000000180085000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: soiucosxz.exe, soiucosxz.exe, 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2718786621.0000000180065000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157216682.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887401716.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140615540.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157216771.0000000180065000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/update2/installers/icons/
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: cho_mea64.exe, 00000000.00000000.1293880766.0000000000081000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/json
Source: 20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo
Source: cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: 62b24530.exe, 00000006.00000003.1387698113.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, soiucosxz.exe, 00000008.00000002.2876579041.00007FF60D102000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1970016412.00007FF60D102000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662735613.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718504010.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3151733980.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940238119.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.dualitysoft.com/dsclock/
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, 00000008.00000000.1390014706.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000008.00000002.2876430989.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000002.2722695776.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1969463418.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662654047.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000011.00000002.3162868206.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718384137.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000002.2895851602.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000000.2804109156.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3150573408.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000002.3164204207.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940163214.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.dualitysoft.comversion=/dsclock/?src=abouthttps://www.calendarscope.com/t/dsclock-info?s
Source: 62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, 62b24530.exe, 00000006.00000003.1387698113.0000000002847000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: cho_mea64.exe, 00000000.00000003.1296126331.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.exe, 00000000.00000003.1296563735.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000000.1298384083.0000000000891000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: cho_mea64.exe, 00000000.00000003.1296126331.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.exe, 00000000.00000003.1296563735.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000000.1298384083.0000000000891000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: soiucosxz.exe, 00000008.00000002.2871732087.000000EF05AF8000.00000004.00000010.00020000.00000000.sdmp, soiucosxz.exe, 0000000D.00000002.2719044114.000000C5AF0F8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://ziyong.0ray.cn/8FF3EF380313034D8D84BAF59.catC:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

System Summary

PE file contains section with special chars

Source: zlibwapi.dll.6.dr	Static PE information: section name: .7[D
Source: zlibwapi.dll.13.dr	Static PE information: section name: .;om
Source: zlibwapi.dll.13.dr	Static PE information: section name: .j;V
Source: zlibwapi.dll.13.dr	Static PE information: section name: .$c"

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E9AE20 NtDelayExecution,		13_2_0000026878E9AE20
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E9E5BC NtCreateFile,		13_2_0000026878E9E5BC

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\libcurl.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00414F30	4_2_00414F30
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_0040704D	4_2_0040704D
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004240A0	4_2_004240A0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_0041E1E0	4_2_0041E1E0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004212C0	4_2_004212C0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00425360	4_2_00425360
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004253EC	4_2_004253EC
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004194A9	4_2_004194A9
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00426620	4_2_00426620
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004226B0	4_2_004226B0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00402866	4_2_00402866
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_004248E0	4_2_004248E0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_0041E9A0	4_2_0041E9A0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00424AB0	4_2_00424AB0
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00420CA9	4_2_00420CA9
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_0041DDB0	4_2_0041DDB0
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 8_3_0000022F198400AA	8_3_0000022F198400AA
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 8_2_0000000180020108	8_2_0000000180020108
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 8_2_0000000180053140	8_2_0000000180053140
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C151000	13_2_00007FFB0C151000
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E8663A	13_2_0000026878E8663A
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E845BC	13_2_0000026878E845BC
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E84E84	13_2_0000026878E84E84

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: String function: 000000018000C000 appears 38 times
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: String function: 00425A80 appears 186 times
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: String function: 00403BA5 appears 61 times

Source: cho_mea64.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 997f54546.exe.4.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4

Source: cho_mea64.exe	Static PE information: Number of sections : 11 > 10
Source: zlibwapi.dll.6.dr	Static PE information: Number of sections : 12 > 10
Source: cho_mea64.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: cho_mea64.exe, 00000000.00000003.1296563735.000000007FA4B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs cho_mea64.exe
Source: cho_mea64.exe, 00000000.00000003.1296126331.00000000032FF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs cho_mea64.exe
Source: cho_mea64.exe, 00000000.00000000.1294075932.0000000000139000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs cho_mea64.exe

Source: cho_mea64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@34/26@2/1

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

File created: C:\Users\user\AppData\Roaming\611641ae7b4c35da

Jump to behavior

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Mutant created: \Sessions\1\BaseNamedObjects\bcbf6f4
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Mutant created: \BaseNamedObjects\B536033EFBCDD940C17C73E8F319DDFB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03

Source: C:\Users\user\Desktop\cho_mea64.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\cho_mea64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\cho_mea64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cho_mea64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: soiucosxz.exe

String found in binary or memory: ::/html/tips/addtimeserver.htm

Source: C:\Users\user\Desktop\cho_mea64.exe

File read: C:\Users\user\Desktop\cho_mea64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cho_mea64.exe "C:\Users\user\Desktop\cho_mea64.exe"
Source: C:\Users\user\Desktop\cho_mea64.exe	Process created: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe "C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe "C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start "" "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: unknown	Process created: C:\Windows\ksxvHQBlSOri\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\soiucosxz.exe"
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start "" "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" "2fb5d34656b943d916e57e9120"
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\System32\RelPost.exe C:\Windows\system32\RelPost.exe
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\System32\msconfig.exe C:\Windows\system32\msconfig.exe
Source: C:\Windows\System32\msconfig.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" bcbf6f4 1876
Source: unknown	Process created: C:\Windows\ksxvHQBlSOri\soiucosxz.exe C:\Windows\ksxvHQBlSOri\soiucosxz.exe
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"
Source: C:\Users\user\Desktop\cho_mea64.exe	Process created: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp "C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe "C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe "C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" "2fb5d34656b943d916e57e9120"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" bcbf6f4 1876	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cho_mea64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cho_mea64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: zlibwapi.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Section loaded: oleacc.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: ? ?.lnk.2.dr

LNK file: ..\..\user~1\AppData\Local\Temp\805444110049334163191123924\997f54546.exe

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

File written: C:\ProgramData\2779096548\config.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe

Window detected: Number of UI elements: 15

Source: cho_mea64.exe

Static file information: File size 21364502 > 1048576

Source: cho_mea64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: O:\Projects\DSClock\Releasex64\DSClock.x64.pdb source: 62b24530.exe, 00000006.00000003.1387698113.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, 00000008.00000000.1390014706.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000008.00000002.2876430989.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000002.2722695776.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1969463418.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662654047.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000011.00000002.3162868206.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718384137.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000002.2895851602.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000000.2804109156.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3150573408.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000002.3164204207.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940163214.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\paulb\code\Squirrel\squirrel.windows\src\StubExecutable\bin\Release\StubExecutable.pdb source: soiucosxz.exe, 0000000F.00000002.2717694035.0000000000CFD000.00000002.00000001.01000000.00000010.sdmp, soiucosxz.exe, 0000000F.00000000.2661422003.0000000000CFD000.00000002.00000001.01000000.00000010.sdmp, soiucosxz.exe, 00000010.00000000.2661876558.0000000000E9D000.00000002.00000001.01000000.00000011.sdmp, soiucosxz.exe, 00000010.00000002.2718485911.0000000000E9D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: 20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .O0j

Source: libcurl.dll.13.dr	Static PE information: real checksum: 0x0 should be: 0x91573
Source: libcurl.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x91573
Source: zlibwapi.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x331bef
Source: zlibwapi.dll.13.dr	Static PE information: real checksum: 0x0 should be: 0x1137ca
Source: 997f54546.exe.4.dr	Static PE information: real checksum: 0x88ceae should be: 0x889dcb
Source: cho_mea64.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x32aa80
Source: is-MTGFM.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x3c00fc

Source: cho_mea64.exe	Static PE information: section name: .didata
Source: cho_mea64.tmp.0.dr	Static PE information: section name: .didata
Source: is-MTGFM.tmp.2.dr	Static PE information: section name: .sxdata
Source: is-9G6TC.tmp.2.dr	Static PE information: section name: .sxdata
Source: zlibwapi.dll.6.dr	Static PE information: section name: .00cfg
Source: zlibwapi.dll.6.dr	Static PE information: section name: .gxfg
Source: zlibwapi.dll.6.dr	Static PE information: section name: .retplne
Source: zlibwapi.dll.6.dr	Static PE information: section name: _RDATA
Source: zlibwapi.dll.6.dr	Static PE information: section name: .7[D
Source: zlibwapi.dll.6.dr	Static PE information: section name: .cKM
Source: zlibwapi.dll.6.dr	Static PE information: section name: .O0j
Source: zlibwapi.dll.13.dr	Static PE information: section name: .;om
Source: zlibwapi.dll.13.dr	Static PE information: section name: .j;V
Source: zlibwapi.dll.13.dr	Static PE information: section name: .$c"

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00425A80 push eax; ret	4_2_00425A9E
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Code function: 4_2_00425E10 push eax; ret	4_2_00425E3E
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C1592B2 pushfq ; ret	13_2_00007FFB0C1592B3
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C153306 push rcx; retf	13_2_00007FFB0C153307
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C15339B push rsi; iretd	13_2_00007FFB0C15339C
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C1533B1 push rsi; iretd	13_2_00007FFB0C1533B2
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C154408 push B75ACB74h; ret	13_2_00007FFB0C154410
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C154C40 pushfq ; ret	13_2_00007FFB0C154C41
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C15903D push 161BD3F5h; ret	13_2_00007FFB0C159042
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C153883 push rbp; iretd	13_2_00007FFB0C153884
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C158E83 push rbp; iretd	13_2_00007FFB0C158E84
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_00007FFB0C153A73 push rax; ret	13_2_00007FFB0C153A74
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Code function: 13_2_0000026878E99716 push eax; iretd	13_2_0000026878E99719

Source: zlibwapi.dll.6.dr	Static PE information: section name: .text entropy: 7.292688173556342
Source: zlibwapi.dll.6.dr	Static PE information: section name: .O0j entropy: 7.850898190680083
Source: zlibwapi.dll.13.dr	Static PE information: section name: .;om entropy: 7.641847913458073
Source: zlibwapi.dll.13.dr	Static PE information: section name: .$c" entropy: 7.82054052425326

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Executable created and started: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Jump to behavior
Source: unknown	Executable created and started: C:\Windows\ksxvHQBlSOri\soiucosxz.exe
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Executable created and started: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	File created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\997f54546.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-9G6TC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe	File created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cho_mea64.exe	File created: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe	File created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\zlibwapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe	File created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-MTGFM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File created: C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Users\user\Desktop\cho_mea64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cho_mea64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\997f54546.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

API coverage: 6.2 %

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe TID: 7828	Thread sleep count: 71 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe TID: 7828	Thread sleep time: -71000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	Last function: Thread delayed
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Last function: Thread delayed
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_00405A8D FindFirstFileW,

4_2_00405A8D

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_0040736E GetSystemInfo,

4_2_0040736E

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\_isetup\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: cho_mea64.tmp, 00000002.00000003.1392400068.0000000003EFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cho_mea64.tmp, 00000002.00000003.1392400068.0000000003EFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[[
Source: soiucosxz.exe, 00000008.00000002.2871894939.0000022F19741000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!#%')+-/13579;=?ACEGIKMOQSUWY[]_acegikmoqsuwy{}
Source: svchost.exe, 00000003.00000002.3157808852.000001D5AAA32000.00000004.00000020.00020000.00000000.sdmp, soiucosxz.exe, 00000017.00000002.3158393406.0000016090F40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe

Process queried: DebugObjectHandle

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Code function: 8_2_0000000180057FB0 GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,FlsSetValue,GetCurrentThreadId,

8_2_0000000180057FB0

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Code function: 8_2_0000000180051090 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_0000000180051090

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtClose: Indirect: 0x1D9C982E214
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C985E2A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQuerySystemInformation: Indirect: 0x22F1D23DD05	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x16094B8DE76	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x16094B8DECB	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtOpenKey: Indirect: 0x16094B8E10A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x22F1D23E01B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtClose: Indirect: 0x22F1D23E214
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x1D9C982E01B	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C98A175	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtClose: Indirect: 0x16094B88BE9
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQuerySystemInformation: Indirect: 0x16094B8DD05	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C94E172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C422237	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C43FF4E	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtDelayExecution: Indirect: 0x16094B8AE7E	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C9363B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C41F127	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C97D1F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtOpenKey: Indirect: 0x26878E9E10A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C42CF6A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryValueKey: Indirect: 0x26878E9DE76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryValueKey: Indirect: 0x26878E9DECB	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtClose: Indirect: 0x1B3076DE214
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C41836B	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C947BC2	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C95528D	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQuerySystemInformation: Indirect: 0x1B3076DDD05	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x1B3076DE01B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x26878E9E01B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C43FB72	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtCreateThreadEx: Indirect: 0x16094B88BBC	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtClose: Indirect: 0x21D0D38E214
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x21D0DB82E8A	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x21D0D38E01B	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x1B3076DDE76	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x1B3076DDECB	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtOpenKey: Indirect: 0x1B3076DE10A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryValueKey: Indirect: 0x22F1D23DE76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtQueryValueKey: Indirect: 0x22F1D23DECB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C4295BF	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C92E927	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtDelayExecution: Indirect: 0x26878E9AE7E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0C3FD79B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtOpenKey: Indirect: 0x22F1D23E10A	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryInformationProcess: Indirect: 0x16094B8E01B	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtDelayExecution: Indirect: 0x1D9C982AE7E	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x1D9C982DE76	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x1D9C982DECB	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtDelayExecution: Indirect: 0x21D0D38AE7E	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtOpenKey: Indirect: 0x1D9C982E10A	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtOpenKey: Indirect: 0x21D0D38E10A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtClose: Indirect: 0x26878E9E214
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtClose: Indirect: 0x16094B8E214
Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	NtCreateFile: Indirect: 0x26878E9E611	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtProtectVirtualMemory: Direct from: 0x7FFB1C98678A	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x21D0D38DE76	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	NtQueryValueKey: Indirect: 0x21D0D38DECB	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"	Jump to behavior
Source: C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	Process created: C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_00426100 cpuid

4_2_00426100

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Code function: GetLocaleInfoA,

8_2_00000001800610E0

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_00407455 GetSystemTimeAsFileTime,

4_2_00407455

Source: C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Code function: 4_2_00426040 GetVersion,

4_2_00426040

Source: C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: soiucosxz.exe, 00000008.00000002.2871732087.000000EF05AE1000.00000004.00000010.00020000.00000000.sdmp, soiucosxz.exe, 00000017.00000002.3157435411.000000166BCE2000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: 360Tray.exe

Stealing of Sensitive Information

Yara detected MicroClip

Source: Yara match	File source: 23.2.soiucosxz.exe.16095bb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.soiucosxz.exe.22f1e420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.soiucosxz.exe.22f1e420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.soiucosxz.exe.16095bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2875747667.0000022F1E420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3163426099.0000016095BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3163647071.0000016095E11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2875896834.0000022F1E681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: soiucosxz.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: soiucosxz.exe PID: 2384, type: MEMORYSTR

Remote Access Functionality

Yara detected MicroClip

Source: Yara match	File source: 23.2.soiucosxz.exe.16095bb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.soiucosxz.exe.22f1e420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.soiucosxz.exe.22f1e420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.soiucosxz.exe.16095bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2875747667.0000022F1E420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3163426099.0000016095BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3163647071.0000016095E11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2875896834.0000022F1E681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: soiucosxz.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: soiucosxz.exe PID: 2384, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	121 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Scheduled Task/Job	11 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	4 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	27 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cho_mea64.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\805444110049334163191123924\997f54546.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\805444110049334163191123924\libcurl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\805444110049334163191123924\zlibwapi.dll	45%	ReversingLabs	Win64.Trojan.Midie
C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-9G6TC.tmp	0%	ReversingLabs
C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\libcurl.dll	0%	ReversingLabs
C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe	0%	ReversingLabs
C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll	5%	ReversingLabs
C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe	0%	ReversingLabs
C:\Windows\ksxvHQBlSOri\soiucosxz.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.dualitysoft.comversion=/dsclock/?src=abouthttps://www.calendarscope.com/t/dsclock-info?s	0%	Avira URL Cloud	safe
https://ziyong.0ray.cn/8FF3EF380313034D8D84BAF59.catC:	0%	Avira URL Cloud	safe
http://crl.usertr	0%	Avira URL Cloud	safe
https://www.dualitysoft.com/dsclock/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boss.google.tw.cn	8.210.144.166	true	false		unknown
time.windows.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	cho_mea64.exe, 00000000.00000000.1293880766.0000000000081000.00000020.00000001.01000000.00000003.sdmp	false		high
https://crashpad.chromium.org/	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/cscasha2.cer0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.usertr	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.microsoft.c	soiucosxz.exe	false		high
https://www.certum.pl/CPS0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://.css	20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.certum.pl/cscasha2.crl0q	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	soiucosxz.exe, soiucosxz.exe, 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2718786621.0000000180065000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157216682.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887401716.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140615540.0000000180065000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157216771.0000000180065000.00000002.00000001.01000000.00000013.sdmp	false		high
http://cscasha2.ocsp-certum.com04	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dualitysoft.com/dsclock/	62b24530.exe, 00000006.00000003.1387698113.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, soiucosxz.exe, 00000008.00000002.2876579041.00007FF60D102000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1970016412.00007FF60D102000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662735613.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718504010.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3151733980.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940238119.00007FF77EFE2000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://m.google.com/devicemanagement/data/api	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	cho_mea64.exe, 00000000.00000003.1296126331.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.exe, 00000000.00000003.1296563735.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000000.1298384083.0000000000891000.00000020.00000001.01000000.00000004.sdmp	false		high
http://crt.sectigo.com/Sectig	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/copyright.htmlD	soiucosxz.exe, 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2719010918.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157360807.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887804207.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140670968.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157366347.0000000180085000.00000002.00000001.01000000.00000013.sdmp	false		high
https://dl.google.com/update2/installers/icons/	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://support.google.com/installer/	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.haxx.se/V	soiucosxz.exe, 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 0000000D.00000002.2719010918.0000000180085000.00000002.00000001.01000000.0000000C.sdmp, soiucosxz.exe, 00000011.00000002.3157360807.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000013.00000002.2887804207.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000014.00000002.3140670968.0000000180085000.00000002.00000001.01000000.00000013.sdmp, soiucosxz.exe, 00000017.00000002.3157366347.0000000180085000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.innosetup.com/	cho_mea64.exe, 00000000.00000003.1296126331.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.exe, 00000000.00000003.1296563735.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000000.1298384083.0000000000891000.00000020.00000001.01000000.00000004.sdmp	false		high
https://sectigo.com/CPS0D	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://support.google.com/installer/%s?product=%s&error=%d	20decf5c428.exe, 00000004.00000003.1362765577.0000000002A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ziyong.0ray.cn/8FF3EF380313034D8D84BAF59.catC:	soiucosxz.exe, 00000008.00000002.2871732087.000000EF05AF8000.00000004.00000010.00020000.00000000.sdmp, soiucosxz.exe, 0000000D.00000002.2719044114.000000C5AF0F8000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://jrsoftware.org/	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dualitysoft.comversion=/dsclock/?src=abouthttps://www.calendarscope.com/t/dsclock-info?s	62b24530.exe, 00000006.00000003.1386822448.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, soiucosxz.exe, 00000008.00000000.1390014706.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000008.00000002.2876430989.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000002.2722695776.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 0000000D.00000000.1969463418.00007FF60D070000.00000002.00000001.01000000.0000000B.sdmp, soiucosxz.exe, 00000011.00000000.2662654047.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000011.00000002.3162868206.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000000.2718384137.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000013.00000002.2895851602.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000000.2804109156.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000014.00000002.3150573408.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000002.3164204207.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp, soiucosxz.exe, 00000017.00000000.2940163214.00007FF77EF50000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	20decf5c428.exe, 00000004.00000003.1362877018.0000000003080000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	cho_mea64.tmp, 00000002.00000003.1394142081.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, cho_mea64.tmp, 00000002.00000003.1300096518.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/copyright.html	soiucosxz.exe	false		high
https://curl.haxx.se/	soiucosxz.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.210.144.166	boss.google.tw.cn	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559669
Start date and time:	2024-11-20 20:14:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cho_mea64.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@34/26@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 56% Number of executed functions: 89 Number of non-executed functions: 63
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: cho_mea64.exe

Simulations

Behavior and APIs

Time	Type	Description
21:20:11	Task Scheduler	Run new task: MicrosoftEdgeUpdateUserUFN{69109F0E-2C27-205E-D36D-A4AFA4F8FD0F} path: C:\Windows\ksxvHQBlSOri\soiucosxz.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	mal.js	Get hash	malicious	Unknown	Browse	8.209.119.17
	m68k.elf	Get hash	malicious	Mirai	Browse	47.242.96.185
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	47.254.140.255
	PHA AL PO.exe	Get hash	malicious	FormBook	Browse	47.52.221.8
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.241.54.126
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	149.129.200.56
	https://experteau.lawgovexperts.com/Fp0c8/	Get hash	malicious	Unknown	Browse	147.139.142.100
	Play_vm_Message_for_Melissa.medina_wav_ .htm	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	198.11.172.91
	Order No 24.exe	Get hash	malicious	FormBook	Browse	47.242.89.146

Process:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
File Type:	data
Category:	dropped
Size (bytes):	88
Entropy (8bit):	5.005870220930083
Encrypted:	false
SSDEEP:	3:Ms0H9xjrmZ6mw360hC1QUlljW0U013gM9:MsY9BrYG60hCaUTjQM9
MD5:	DBBAFF9B3EF28EBAA4CB1CB5FDA1BB84
SHA1:	28C967208DFD24A62ADECD2545ED38A89094CCE9
SHA-256:	1B5B6D490FA8F919398B4ACC6C12ACEA383B400A4741A47434E6B945D483D049
SHA-512:	4C2801A9A0283144F4670807E4E235011D99C84DBBD987BF31D3A1CC6619A57C45FC59C7D99F00948051262873EA681977430D47AABE812C9ADA9A6FA49C107F
Malicious:	false
Preview:	.._ #M.Z[#&.Z'..3I..3#.!.h...._......__h....._Q,Q....R..5S....h......._.[!T..__h....._

C:\ProgramData\2779096548\config.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	data
Category:	dropped
Size (bytes):	88
Entropy (8bit):	5.005870220930083
Encrypted:	false
SSDEEP:	3:Ms0H9xjrmZ6mw360hC1QUlljW0U013gM9:MsY9BrYG60hCaUTjQM9
MD5:	DBBAFF9B3EF28EBAA4CB1CB5FDA1BB84
SHA1:	28C967208DFD24A62ADECD2545ED38A89094CCE9
SHA-256:	1B5B6D490FA8F919398B4ACC6C12ACEA383B400A4741A47434E6B945D483D049
SHA-512:	4C2801A9A0283144F4670807E4E235011D99C84DBBD987BF31D3A1CC6619A57C45FC59C7D99F00948051262873EA681977430D47AABE812C9ADA9A6FA49C107F
Malicious:	false
Preview:	.._ #M.Z[#&.Z'..3I..3#.!.h...._......__h....._Q,Q....R..5S....h......._.[!T..__h....._

C:\ProgramData\AB819CA4478D450CF3B95B908C7AD475

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	0.24111431133564631
Encrypted:	false
SSDEEP:	3:Nldlpkl1Xlkl/:NLkl
MD5:	061314D610CD56E687963F639197854C
SHA1:	33D076D2F9439EFA5DD5CC080B14D7E38B941008
SHA-256:	7244CD5F232967E300C7659D6CB524A2225AF4222E80CEB75BA760F20B57928B
SHA-512:	8850FE0840734FE62A2FC0A7B7335612657DFD3D4F0897D87B609BB840235523BAC35D0BD1655D64DE68C3FBDEDEE2ED68A0430BBE5F2F51C26D861EED521F97
Malicious:	false
Preview:	k.s.x.v.H.Q.B.l.S.O.r.i.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\8FF3EF380313034D8D84BAF59.cat

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
File Type:	data
Category:	dropped
Size (bytes):	11445507
Entropy (8bit):	7.999981572974584
Encrypted:	true
SSDEEP:	196608:Bdy9J3T1sQEnoawHdANsgUWtfDoExrNhgGdsibxilGbfH/K7fCsciYNWLV5Koa:uDx/EKONsg5LokrNhg8siJfAascKL/a
MD5:	9EA898B2095B6F751B020C3E294F2482
SHA1:	09380F3924A961C7899B4BFA5F5F91515F9221A5
SHA-256:	3C0A526440055C1140CD62D1942C5035BB378B99C6F48F7DEC0207E4791FA8E1
SHA-512:	E6A01F7D5E45AD65988B81107F10C15BCE37221EF1DA1D890FE2D1453EFC8C1C2B33FD5DE6C51BD72E18E9286C0FF06BD55D7FE2F068324AA15B0D34353476C5
Malicious:	false
Preview:	..>.'.<...Z...G...H......>.........M:.....l!?JU..{.....ooo.dooxcoo...of....YKOoooooooo-X][+WW\.X_\V-)]WWV..V^V_-YoooooooooooooooooooooooooooooooooH..(H...$........H..(.@UATH.l$.H..h...D..H..$`...L..3.I..$eH..%`...L.d$PH.H.H......H.A0.x8....t H..H..u.....H..$`...H..h...A\].H.X.H..u..C.H..$`...H..h...A\].HcC<H..$P...D.......L..A.H H..A9P.........H..H......H.......8GuuH.......x.euhH.......x.tu[H.......x.PuNH.......x.ruAH.......x.ou4H.......x.cu'H.......x.Au.H.......x.du.H.......x.dt...H...A;P...c.........V...A.@$Hc.H.....HA.@.H....<.H..H.}.t..E.L.E.o.E.a.E.d.E.L.E.i.E.b.E.r.E.a.E.r.E.y.E.AH.U.H...E..H..$X.....H..H.E.H..u..F.......D$pV.D$qi.D$rr.D$st.D$tu.D$ua.D$vl.D$wA.D$xl.D$yl.D$zo.D${cH.T$pH...D$\|.L..$@.....L..H..u.A.F..g....D$XV.D$Yi.D$Zr.D$[t.D$\u.D$]a.D$^l.D$_F.D$`r.D$ae.D$beH.T$XH...D$c...H.E.H..u............E.n.E.t.E.d.E.l.E.l.E...E.d.E.l.E.lH.M..E....H..H..u..C.......E.m.E.e.E.m.E.c.E.p.E.yH.U.H...E..L..$H.....L..H..u.A.E......D$0R.D$1t.D$2l.D$3D.D$4e.D$5c.D$6o.D$7m.D$8p.D$9r

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\997f54546.exe

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8950664
Entropy (8bit):	6.782867173374691
Encrypted:	false
SSDEEP:	196608:ILX8vpjby5OkoeYX706eGQ7WWbf6otLwGwP55ar9kCmlwe1Xf/Ohz2+K:IIvxy58eYX37Q7WWbf5L+5Mr9k3d1XfJ
MD5:	F37C52156F0782A8396B5E95C3960363
SHA1:	6E1F3D27AAC555EDBE5C83CFCDB6050E911BF937
SHA-256:	A6C7D50A959DCA5684D84C700C9A74591DB7BEF08F516EE15DF4C05A9F675F5B
SHA-512:	25CC70A70AEE6E8E041A6D1DFB1CFAE7796A6C86F5A29B250C4342B51EBCFD2724120CC33CC7E6BFE60EE4E7F91A8BA7B9EB2B95C0FFD87C4DF875C76C74C980
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....f..........".......+..^\...................@......................................@...........................4.U...D.4.,.....6.X.Q..........J...I...p...O....4.......................4.....h.,.............0.4..............................text.....+.......+................. ..`.rdata...4....,..6....+.............@..@.data........@5..N..."5.............@....tls..........6......p5.............@....rsrc...X.Q...6...Q..r5.............@..@.reloc...O...p...P..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\libcurl.dll

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	569856
Entropy (8bit):	6.3225742404603045
Encrypted:	false
SSDEEP:	12288:MoLVDsDp3Sx8rKASzlbMZO/IR+nyu20jlTov3+:35DEsxl6O/IRUT6
MD5:	6B2548CC404F3DD55634EFA291FA98D0
SHA1:	A076A60D99D70FD8AA7664A2534445A502FEBE27
SHA-256:	7AE384B8695D7A9C2B6640927CB6AC592229AEF9EBEEB80B91D556777C6DFB5D
SHA-512:	14068E9E7D5F7E4494FFA75D369068234CDB050286D3356298E0387CF13D7681C0D68B57B6B299958C86EE3AE1DC3E54ADC4C376E7B869D7D76FC2E91ED95009
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...O...O......I...9+..N...9+..E...O......9+..D...9+..]...hp..N...9+..N...hp..N...RichO...........................PE..d...C..Y.........." .....@.......................................................................................................... ...........x........B...P...U...................................................................P...............................text...N>.......@.................. ..`.rdata..%....P.......D..............@..@.data....;..........................@....pdata...U...P...V..................@..@.rsrc....B.......D...b..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2324480
Entropy (8bit):	6.283900113727005
Encrypted:	false
SSDEEP:	24576:GmKWcYmmUMlLklbOEyeeQaSpRnO9xGboTOLFI78hqT3tiBco21c6D5mHK+iwu7:Gm/mmUiLklb6e+YMDGaAhIt5o2WqmFXM
MD5:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
SHA1:	A1DEBDB076C8C655E3D78C6AE82F1BEBA386A2BA
SHA-256:	F85CE4492E1354F8310027C5F70EF73AAE654FCD8FD9A58034E4F82A41A9826B
SHA-512:	EBCC6599C33A80BB3E5C627A5F861FC9742D8558C4551544109288F80155885791A3F701AF1AA7A4513CC5D121B77678A4CD46CA38A7BDD3CF7288E58E01F4F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...Z...Z....=x.X...S.0.S...S.7.X...S.4.[....<}......<~.V....<\|.....}<..X...S. .}...Z........=\|......=z.[....=..[...RichZ...........................PE..d....nZd..........".................H..........@..............................#......#$...`..........................................................` ...... ...7....#..\...P#.pY......8...............................p.......................@....................text...s........................... ..`.rdata..V4.......6..................@..@.data........@...l... ..............@....pdata...7... ...8..................@..@.rsrc........` .....................@..@.reloc..^m...P#..n....".............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\zlibwapi.dll

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3286528
Entropy (8bit):	7.886298903522483
Encrypted:	false
SSDEEP:	98304:odsKtTlGQeqm5GcKQ4ZNMV2VYPE22RXiU7T:o3TEQeqcX4PMVzmRvv
MD5:	4D05D940FA3851C6322F11463F76FB85
SHA1:	5502F7BF7BDAED6861044CB34CFF08656C963775
SHA-256:	01F062FA5F11AEBF8C2CD57FC148C3B4B1A64E97DCF68194C0545361973D6E94
SHA-512:	5CF57118E70228AFAD77368277BD2FC8DE71172D9317B44B2147E68DD8DCBFAF3DCC052FCDF430870484EF281FFDDBEAEF96A9D00ACB8DE29B0D03BBA01AE34C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....g.........." ........................................................`2...........`.................................................8.0.d............$2.h.....1..\...P2.$....................................#2.@.............).h............................text............................... ..`.rdata....... ......................@..@.data....#..........................@....pdata..............................@..@.00cfg..8....0......................@..@.gxfg........@......................@..@.retplne.....`.........................._RDATA.......p......................@..@.7[D.....1$......2$................. ..`.cKM....h.....)......@).............@....O0j....Xq....)..r...H).............`..h.reloc..$....P2.......1.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

Download File

Process:	C:\Users\user\Desktop\cho_mea64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3317248
Entropy (8bit):	6.606044750890488
Encrypted:	false
SSDEEP:	49152:tdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQG333rh1x:jJYVM+LtVt3P/KuG2ONG9iqLRQG333Nb
MD5:	DC63A4763A59D647C3D0C4480EAE0329
SHA1:	8D687E717ACE0D7D83A1EAA1C5B9EAEC168744E7
SHA-256:	6B9AB11E1A2A79B1A3D211422AC1E603578E7BCABA2917747D57CF8BEDAC238F
SHA-512:	39069E76DEE870831E1240315F61A9060920AB2DE85D1FEC0D789EEE8882E204414E0934681132EBBC5322D674B068471043859CCBDB869FB62BFA6FC5B741EB
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................p3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3888659
Entropy (8bit):	7.989732439997188
Encrypted:	false
SSDEEP:	98304:bPCtNgMX7ZYe50uLL+nXn9ca6DzLTZRAdsTBV5H5wju3:bPM3l0uLLWXnt63LdRAdsD5H5Ku3
MD5:	545274EA5D70FF8BEB929CDA02BE53DE
SHA1:	B06F26C7CD5CDA7BF1B8B04778DD157D1E499C35
SHA-256:	480C2895CAEE1029ED1160B69C68CA2838CA4FE113466D84DC8064AD28C012C2
SHA-512:	94924A8D39458BB57B6FE1A908B6E0796BBE6D4C6010505F185A7D89D057D73C707F4074B6589BA5B708BCE2AFB9F4DBAFFD2AD482FF49E31CDF3C2E40DDDFD1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15663521
Entropy (8bit):	7.999196663100135
Encrypted:	true
SSDEEP:	393216:Vb6UW+qxFebO68V6xdIhZC82F9MUjBajDHNg3:I9+8uWh0F9MOaDtO
MD5:	CB8267B4B34F49626EAF67B562DC4C87
SHA1:	45F12CDAD060B99D52345C3174AFB2A8014B67AB
SHA-256:	FA7FE6C1DEC39E41F15135ABB057AAA81D8C8AEEE56DFFDA46ABD2C0D9269643
SHA-512:	E8364BE88E66E3978DDC4841FBADA73EA052425A6B134CF96330D665D757DFF21DF6AB0D0F72B0FEEDE792DE2B59626DC5E132C8D22153FDE28E32F9E135DDC7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\611641ae7b4c35da\b2b01.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	MS Windows icon resource - 6 icons, 16x15 with PNG image data, 16 x 15, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 24x22 with PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	36944
Entropy (8bit):	7.988557580065026
Encrypted:	false
SSDEEP:	768:qXbwQ2FlEWPJ9LmEGfc8LyV8YMXK/dRduMBfgLUV/w8E/ExixX9xskFt1vK8xGg:UsQ2FlTJlnuaMenLBfgA5stX35X1H
MD5:	00A5C7EA56A5721D89CBF2A9CD387693
SHA1:	7B0CF07164FF3247ADE5E174B4533B700E4DFF43
SHA-256:	FD31FFC3ECD2B2A4BA39E8C49597EBE9E5EB8D6AE5C8A28B9DC1A5B1DE696D71
SHA-512:	48278E7B2FD422E3FAAEE5E2F7E13C96CB65208AE31D44C3F6C0919E5925A7663E74B9F0EA5A89F8F7AED0732CF74644FA2F22E3EFF314A65CBF3EBA8D69746F
Malicious:	false
Preview:	............ .,...f......... ......... ..... .....f...0,.... .@...m...@;.... .O....#...u.... .TQ...>...PNG........IHDR..............sO/....IDATx.-..o.e.....y...........%J(........E/..............4zi...`.b.C.......H......vvgg.y<..O....).y.....0@.Bi.A..\...l.C<.k...0...3.B@.q...J.Z.ov..r..=...6..J....l.0..D.[O.............1.s....#[..:......{.F.}f...(e1.n.v.....=...6K.."..s_.<.<.O.0...+....a..&..U.......K.XA\|...)....e..._....>.&....0.(......<....o3.4....L..0..>a..'..cs...{...p...+....\|.........{.L.Q<.I.M.k..0`s..Z...]\'fq....:K..x^B.Z.[......8...&.A...8...G2.S..._<V....f.og....4...%D....dy.C.(C....kw...~.W.;F..-...4G`.t..by'..b....[K..qx.\|..i..a..y.j.=.3../.m..t.H..F.'.v.(P."..H...=Gyj.0..-<...d...yzX.l...L2..-..i..Q.."m..r.s._.....?....4.&..,.J.c...\|...p..Y..Z..?..3.......'.@.k...n..X.......y......V,..........=D,ij.w{...{.......v(.Q.J.PC...b.:.rQ.!....IEND.B`..PNG........IHDR..............}\.....IDATx.E.].]W...k.}..3.Nf.L...L&.6&.IS.$X..H.J...

C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-9G6TC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15663521
Entropy (8bit):	7.999196663100135
Encrypted:	true
SSDEEP:	393216:Vb6UW+qxFebO68V6xdIhZC82F9MUjBajDHNg3:I9+8uWh0F9MOaDtO
MD5:	CB8267B4B34F49626EAF67B562DC4C87
SHA1:	45F12CDAD060B99D52345C3174AFB2A8014B67AB
SHA-256:	FA7FE6C1DEC39E41F15135ABB057AAA81D8C8AEEE56DFFDA46ABD2C0D9269643
SHA-512:	E8364BE88E66E3978DDC4841FBADA73EA052425A6B134CF96330D665D757DFF21DF6AB0D0F72B0FEEDE792DE2B59626DC5E132C8D22153FDE28E32F9E135DDC7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-MFD61.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	MS Windows icon resource - 6 icons, 16x15 with PNG image data, 16 x 15, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 24x22 with PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	36944
Entropy (8bit):	7.988557580065026
Encrypted:	false
SSDEEP:	768:qXbwQ2FlEWPJ9LmEGfc8LyV8YMXK/dRduMBfgLUV/w8E/ExixX9xskFt1vK8xGg:UsQ2FlTJlnuaMenLBfgA5stX35X1H
MD5:	00A5C7EA56A5721D89CBF2A9CD387693
SHA1:	7B0CF07164FF3247ADE5E174B4533B700E4DFF43
SHA-256:	FD31FFC3ECD2B2A4BA39E8C49597EBE9E5EB8D6AE5C8A28B9DC1A5B1DE696D71
SHA-512:	48278E7B2FD422E3FAAEE5E2F7E13C96CB65208AE31D44C3F6C0919E5925A7663E74B9F0EA5A89F8F7AED0732CF74644FA2F22E3EFF314A65CBF3EBA8D69746F
Malicious:	false
Preview:	............ .,...f......... ......... ..... .....f...0,.... .@...m...@;.... .O....#...u.... .TQ...>...PNG........IHDR..............sO/....IDATx.-..o.e.....y...........%J(........E/..............4zi...`.b.C.......H......vvgg.y<..O....).y.....0@.Bi.A..\...l.C<.k...0...3.B@.q...J.Z.ov..r..=...6..J....l.0..D.[O.............1.s....#[..:......{.F.}f...(e1.n.v.....=...6K.."..s_.<.<.O.0...+....a..&..U.......K.XA\|...)....e..._....>.&....0.(......<....o3.4....L..0..>a..'..cs...{...p...+....\|.........{.L.Q<.I.M.k..0`s..Z...]\'fq....:K..x^B.Z.[......8...&.A...8...G2.S..._<V....f.og....4...%D....dy.C.(C....kw...~.W.;F..-...4G`.t..by'..b....[K..qx.\|..i..a..y.j.=.3../.m..t.H..F.'.v.(P."..H...=Gyj.0..-<...d...yzX.l...L2..-..i..Q.."m..r.s._.....?....4.&..,.J.c...\|...p..Y..Z..?..3.......'.@.k...n..X.......y......V,..........=D,ij.w{...{.......v(.Q.J.PC...b.:.rQ.!....IEND.B`..PNG........IHDR..............}\.....IDATx.E.].]W...k.}..3.Nf.L...L&.6&.IS.$X..H.J...

C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-MTGFM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3888659
Entropy (8bit):	7.989732439997188
Encrypted:	false
SSDEEP:	98304:bPCtNgMX7ZYe50uLL+nXn9ca6DzLTZRAdsTBV5H5wju3:bPM3l0uLLWXnt63LdRAdsD5H5Ku3
MD5:	545274EA5D70FF8BEB929CDA02BE53DE
SHA1:	B06F26C7CD5CDA7BF1B8B04778DD157D1E499C35
SHA-256:	480C2895CAEE1029ED1160B69C68CA2838CA4FE113466D84DC8064AD28C012C2
SHA-512:	94924A8D39458BB57B6FE1A908B6E0796BBE6D4C6010505F185A7D89D057D73C707F4074B6589BA5B708BCE2AFB9F4DBAFFD2AD482FF49E31CDF3C2E40DDDFD1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\? ?.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	modified
Size (bytes):	2168
Entropy (8bit):	2.5139012557984763
Encrypted:	false
SSDEEP:	24:8z17aRMgKF9n55Doo+uG55i3KuG55fozgnLWI51Ognvvqy:8RuRwNkNuGEKuGv+gnLWI5kgnqy
MD5:	57E2A08873467491D4BAEFA901A26FD4
SHA1:	619F81D142B58D01AB41901583C7428D02F935F0
SHA-256:	7D02CC2872BFFB2E55718734D225770B01D181FF5A33E79BAFB032F3F6E3A75C
SHA-512:	7FCEC259B5F184D4293BEF7F922AE818E6F0DA3C27EA7566BF58353DEC0D38A91A4F0FB024B982C663079A32089C9E7B81F485AFC963AC5D4608787C1D42A70A
Malicious:	false
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user~1..B............................................F.R.O.N.T.D.~.1.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.......1...........805444110049334163191123924.h............................................8.0.5.4.4.4.1.1.0.0.4.9.3.3.4.1.6.3.1.9.1.1.2.3.9.2.4...*.h.2...........997f54546.exe.L............................................9.9.7.f.5.4.5.4.6...e.x.e.......K.....\.....\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.8.0.5.4.4.4.1.1.0.0.4.9.3.3.4.1.6.3.1.9.1.1.2.3.9.2.4.\.9.9.7.f.5.4.5.4.6...e.x.e.@.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c

C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	data
Category:	dropped
Size (bytes):	11445507
Entropy (8bit):	7.999981572974584
Encrypted:	true
SSDEEP:	196608:Bdy9J3T1sQEnoawHdANsgUWtfDoExrNhgGdsibxilGbfH/K7fCsciYNWLV5Koa:uDx/EKONsg5LokrNhg8siJfAascKL/a
MD5:	9EA898B2095B6F751B020C3E294F2482
SHA1:	09380F3924A961C7899B4BFA5F5F91515F9221A5
SHA-256:	3C0A526440055C1140CD62D1942C5035BB378B99C6F48F7DEC0207E4791FA8E1
SHA-512:	E6A01F7D5E45AD65988B81107F10C15BCE37221EF1DA1D890FE2D1453EFC8C1C2B33FD5DE6C51BD72E18E9286C0FF06BD55D7FE2F068324AA15B0D34353476C5
Malicious:	false
Preview:	..>.'.<...Z...G...H......>.........M:.....l!?JU..{.....ooo.dooxcoo...of....YKOoooooooo-X][+WW\.X_\V-)]WWV..V^V_-YoooooooooooooooooooooooooooooooooH..(H...$........H..(.@UATH.l$.H..h...D..H..$`...L..3.I..$eH..%`...L.d$PH.H.H......H.A0.x8....t H..H..u.....H..$`...H..h...A\].H.X.H..u..C.H..$`...H..h...A\].HcC<H..$P...D.......L..A.H H..A9P.........H..H......H.......8GuuH.......x.euhH.......x.tu[H.......x.PuNH.......x.ruAH.......x.ou4H.......x.cu'H.......x.Au.H.......x.du.H.......x.dt...H...A;P...c.........V...A.@$Hc.H.....HA.@.H....<.H..H.}.t..E.L.E.o.E.a.E.d.E.L.E.i.E.b.E.r.E.a.E.r.E.y.E.AH.U.H...E..H..$X.....H..H.E.H..u..F.......D$pV.D$qi.D$rr.D$st.D$tu.D$ua.D$vl.D$wA.D$xl.D$yl.D$zo.D${cH.T$pH...D$\|.L..$@.....L..H..u.A.F..g....D$XV.D$Yi.D$Zr.D$[t.D$\u.D$]a.D$^l.D$_F.D$`r.D$ae.D$beH.T$XH...D$c...H.E.H..u............E.n.E.t.E.d.E.l.E.l.E...E.d.E.l.E.lH.M..E....H..H..u..C.......E.m.E.e.E.m.E.c.E.p.E.yH.U.H...E..L..$H.....L..H..u.A.E......D$0R.D$1t.D$2l.D$3D.D$4e.D$5c.D$6o.D$7m.D$8p.D$9r

C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\libcurl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	569856
Entropy (8bit):	6.3225742404603045
Encrypted:	false
SSDEEP:	12288:MoLVDsDp3Sx8rKASzlbMZO/IR+nyu20jlTov3+:35DEsxl6O/IRUT6
MD5:	6B2548CC404F3DD55634EFA291FA98D0
SHA1:	A076A60D99D70FD8AA7664A2534445A502FEBE27
SHA-256:	7AE384B8695D7A9C2B6640927CB6AC592229AEF9EBEEB80B91D556777C6DFB5D
SHA-512:	14068E9E7D5F7E4494FFA75D369068234CDB050286D3356298E0387CF13D7681C0D68B57B6B299958C86EE3AE1DC3E54ADC4C376E7B869D7D76FC2E91ED95009
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...O...O......I...9+..N...9+..E...O......9+..D...9+..]...hp..N...9+..N...hp..N...RichO...........................PE..d...C..Y.........." .....@.......................................................................................................... ...........x........B...P...U...................................................................P...............................text...N>.......@.................. ..`.rdata..%....P.......D..............@..@.data....;..........................@....pdata...U...P...V..................@..@.rsrc....B.......D...b..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2324480
Entropy (8bit):	6.283900113727005
Encrypted:	false
SSDEEP:	24576:GmKWcYmmUMlLklbOEyeeQaSpRnO9xGboTOLFI78hqT3tiBco21c6D5mHK+iwu7:Gm/mmUiLklb6e+YMDGaAhIt5o2WqmFXM
MD5:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
SHA1:	A1DEBDB076C8C655E3D78C6AE82F1BEBA386A2BA
SHA-256:	F85CE4492E1354F8310027C5F70EF73AAE654FCD8FD9A58034E4F82A41A9826B
SHA-512:	EBCC6599C33A80BB3E5C627A5F861FC9742D8558C4551544109288F80155885791A3F701AF1AA7A4513CC5D121B77678A4CD46CA38A7BDD3CF7288E58E01F4F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...Z...Z....=x.X...S.0.S...S.7.X...S.4.[....<}......<~.V....<\|.....}<..X...S. .}...Z........=\|......=z.[....=..[...RichZ...........................PE..d....nZd..........".................H..........@..............................#......#$...`..........................................................` ...... ...7....#..\...P#.pY......8...............................p.......................@....................text...s........................... ..`.rdata..V4.......6..................@..@.data........@...l... ..............@....pdata...7... ...8..................@..@.rsrc........` .....................@..@.reloc..^m...P#..n....".............@..B........................................................................................................................................................................................................................

C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\zlibwapi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1088512
Entropy (8bit):	7.64154347671519
Encrypted:	false
SSDEEP:	24576:wIBoEkRkHr75NLbEE4pHgN/FahQ5KmT59znh7iiJeW:luo9bEEOHgNdahQ8y5VnhGxW
MD5:	24CB34CACC6E1C539E58BD5CDA620A29
SHA1:	C6AAF4CE2B51EC487632B41D16B812CBF6B240D9
SHA-256:	5E4B57F8B3D39CC6F90E0E17B7D12D9F3EEA67D1A1F2EE73C428C1388A7E65C3
SHA-512:	83D097955AF0844280EE2B6DF3173CB06275ED6BE085089E2898CACEDFC769C10C0870D2782F0180BEC4F0C32C02B418B34A8082C29784393A3A4B7C8AA834BA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...kw7g.........." ...(..................................................................`......................................... D..........x............T.......@...\...p..0....................................R..@...............x............................text............................... ..`.rdata..B...........................@..@.data...p....`.......L..............@....pdata...............X..............@..@.;om.................n.............. ..`.j;V....X............\|..............@....$c"...............................`..h.reloc..0....p.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601040
Entropy (8bit):	5.925895140664619
Encrypted:	false
SSDEEP:	6144:xc2XFRJ3DNuzAOS9FOU6CNmKQEiispigdlDAlZVl49q7r+:7FvYzU9QU6CNmKsPtdsXl49qX+
MD5:	F6F6FF4E9B359BC005A25FADB3A0AA61
SHA1:	831FE06CE2015E2D66467D04F2D46EC3E96524D3
SHA-256:	6EB2A5F8BA7B7E2438A9608B7A2D5EEFA1F8B66AAF7060C208678E47C3565324
SHA-512:	DB29271F28A3BFF4BD3F4073B522C662F70865CC1067E0DE2C11EF284D8D88FE9CA165485DA6FE52372BF3DB33764F195853B883D8FDAB1B502E960B0915DA14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~..~..~.p....~.p...B.~.p....~.Z....~.W.}..~.W.{...~.W.z..~..q....~......~...w...~.....~.....~...\|..~.Rich.~.........................PE..L......Y.....................V...................@..........................`......P.....@....................................<......../...................0..."..P...p...................(...........@...............8............................text...X........................... ..`.rdata..............................@..@.data....#..........................@....tls................................@....rsrc..../.......0..................@..@.reloc..."...0...$..................@..B........................................................................................................................................................................................................................................

C:\Windows\ksxvHQBlSOri\soiucosxz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601040
Entropy (8bit):	5.925895140664619
Encrypted:	false
SSDEEP:	6144:xc2XFRJ3DNuzAOS9FOU6CNmKQEiispigdlDAlZVl49q7r+:7FvYzU9QU6CNmKsPtdsXl49qX+
MD5:	F6F6FF4E9B359BC005A25FADB3A0AA61
SHA1:	831FE06CE2015E2D66467D04F2D46EC3E96524D3
SHA-256:	6EB2A5F8BA7B7E2438A9608B7A2D5EEFA1F8B66AAF7060C208678E47C3565324
SHA-512:	DB29271F28A3BFF4BD3F4073B522C662F70865CC1067E0DE2C11EF284D8D88FE9CA165485DA6FE52372BF3DB33764F195853B883D8FDAB1B502E960B0915DA14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~..~..~.p....~.p...B.~.p....~.Z....~.W.}..~.W.{...~.W.z..~..q....~......~...w...~.....~.....~...\|..~.Rich.~.........................PE..L......Y.....................V...................@..........................`......P.....@....................................<......../...................0..."..P...p...................(...........@...............8............................text...X........................... ..`.rdata..............................@..@.data....#..........................@....tls................................@....rsrc..../.......0..................@..@.reloc..."...0...$..................@..B........................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.2045589636936995
Encrypted:	false
SSDEEP:	6:AMuzkotkUCST3cNwiaZ5Vm4eov1AiecNwiaZ5Vm4Ds/FxcrBuDFNfpapP:p/6bTDNHVXeoqLNHVXDs//MEDXfAP
MD5:	1AD1FB02034A5525489764D121A41201
SHA1:	6704555873E9BBCBEC515F1001E1AB17E362E547
SHA-256:	7B0F9120F432B9BC9E163569A032D94D3164B236C72C6547FE29EF038145BA16
SHA-512:	0AB8E50C50840F7D7CBCF49B3328C61DA6AF00C36645222EAB055739D518103F2E0AD89389DBE7A2C858FB53FDF61319E0DC9BF6769F338AE725530DCD8AC8D3
Malicious:	false
Preview:	..7-Zip SFX 24.08 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11....Extracting archive: C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe..--..Path = C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe..Type = 7z.... 0%. . 75% 1 - libcurl.dll. .100% 4. .Everything is Ok..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.993561213295345
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	cho_mea64.exe
File size:	21'364'502 bytes
MD5:	044f51347e293ac77de4cd47bdccbacf
SHA1:	4c67777228575ac317c62855e6d9dd0a6da48c2d
SHA256:	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2
SHA512:	f3976170a7f965f9674712904a0effc8383ea1a7ac5961a746b319d4659f52f82578b5adf4a0ca52f0434a896d310268ac7e40391fb0ea929a2482bb78aa0775
SSDEEP:	393216:SiX7fx65E78eL1uwtkbZtqtQEt8+OIbyMl1PiT+KiSn7h6LPr8Y:bTxOEJuw+bP5krOIO3aKiSn7aPIY
TLSH:	8F273327B3C7A13DF01D0B3706B2F75894FB6A216923BE56C6E48498CE760641E2F746
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	ecce92ca8a86c46c

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F3A8107D875h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F3A8110F1FBh
call 00007F3A8110ED4Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F3A81109A28h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F3A81077923h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F3A8110AD53h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F3A8110F283h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F3A81115F6Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F3A8110B648h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0xc684	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0xc684	0xc800	eeb200832542c12ffaef95c98b99573a	False	0.81208984375	data	7.427007830413282	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb528	0x32c	PNG image data, 16 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0135467980295567
RT_ICON	0xcb854	0x5d4	PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced	English	United States	1.007372654155496
RT_ICON	0xcbe28	0x907	PNG image data, 32 x 29, 8-bit/color RGBA, non-interlaced	English	United States	1.00475984422328
RT_ICON	0xcc730	0x1140	PNG image data, 48 x 44, 8-bit/color RGBA, non-interlaced	English	United States	1.0024909420289856
RT_ICON	0xcd870	0x1b4f	PNG image data, 64 x 59, 8-bit/color RGBA, non-interlaced	English	United States	1.0015734515806036
RT_ICON	0xcf3c0	0x5154	PNG image data, 128 x 117, 8-bit/color RGBA, non-interlaced	English	United States	1.0007684918347743
RT_STRING	0xd4514	0x3f8	data			0.3198818897637795
RT_STRING	0xd490c	0x2dc	data			0.36475409836065575
RT_STRING	0xd4be8	0x430	data			0.40578358208955223
RT_STRING	0xd5018	0x44c	data			0.38636363636363635
RT_STRING	0xd5464	0x2d4	data			0.39226519337016574
RT_STRING	0xd5738	0xb8	data			0.6467391304347826
RT_STRING	0xd57f0	0x9c	data			0.6410256410256411
RT_STRING	0xd588c	0x374	data			0.4230769230769231
RT_STRING	0xd5c00	0x398	data			0.3358695652173913
RT_STRING	0xd5f98	0x368	data			0.3795871559633027
RT_STRING	0xd6300	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd65a4	0x10	data			1.5
RT_RCDATA	0xd65b4	0x310	data			0.6173469387755102
RT_RCDATA	0xd68c4	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd68f0	0x5a	data	English	United States	0.8333333333333334
RT_VERSION	0xd694c	0x584	data	English	United States	0.26628895184135976
RT_MANIFEST	0xd6ed0	0x7b3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3389142567224759

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 20:16:39.870997906 CET	49840	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:39.871026039 CET	443	49840	8.210.144.166	192.168.2.7
Nov 20, 2024 20:16:39.871088982 CET	49840	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:40.296859026 CET	49840	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:40.296889067 CET	443	49840	8.210.144.166	192.168.2.7
Nov 20, 2024 20:16:40.296958923 CET	443	49840	8.210.144.166	192.168.2.7
Nov 20, 2024 20:16:50.531661987 CET	49863	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:50.531727076 CET	443	49863	8.210.144.166	192.168.2.7
Nov 20, 2024 20:16:50.531805038 CET	49863	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:50.686229944 CET	49863	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:16:50.686275959 CET	443	49863	8.210.144.166	192.168.2.7
Nov 20, 2024 20:16:50.686392069 CET	443	49863	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:00.960289001 CET	49887	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:00.960340977 CET	443	49887	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:00.960541964 CET	49887	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:01.127716064 CET	49887	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:01.127765894 CET	443	49887	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:01.127835989 CET	443	49887	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:11.414879084 CET	49909	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:11.414932013 CET	443	49909	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:11.415016890 CET	49909	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:12.569518089 CET	49909	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:12.569605112 CET	443	49909	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:12.569673061 CET	443	49909	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:22.859251976 CET	49935	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:22.859291077 CET	443	49935	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:22.859373093 CET	49935	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:23.478312016 CET	49935	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:23.478339911 CET	443	49935	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:23.478477955 CET	443	49935	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:33.710055113 CET	49958	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:33.710089922 CET	443	49958	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:33.711909056 CET	49958	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:34.298319101 CET	49958	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:34.298353910 CET	443	49958	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:34.298446894 CET	443	49958	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:44.613343000 CET	49978	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:44.613404989 CET	443	49978	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:44.613728046 CET	49978	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:44.972527027 CET	49978	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:44.972553015 CET	443	49978	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:44.972698927 CET	443	49978	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:55.209722996 CET	49979	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:55.209784985 CET	443	49979	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:55.209888935 CET	49979	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:55.646051884 CET	49979	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:17:55.646070957 CET	443	49979	8.210.144.166	192.168.2.7
Nov 20, 2024 20:17:55.646152020 CET	443	49979	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:05.774130106 CET	49980	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:05.774188042 CET	443	49980	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:05.774277925 CET	49980	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:06.464062929 CET	49980	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:06.464102983 CET	443	49980	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:06.464174032 CET	443	49980	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:31.576598883 CET	49981	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:31.576651096 CET	443	49981	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:31.576751947 CET	49981	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:32.303360939 CET	49981	443	192.168.2.7	8.210.144.166
Nov 20, 2024 20:18:32.303390980 CET	443	49981	8.210.144.166	192.168.2.7
Nov 20, 2024 20:18:32.303472996 CET	443	49981	8.210.144.166	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 20:15:34.322462082 CET	49474	53	192.168.2.7	1.1.1.1
Nov 20, 2024 20:16:39.723750114 CET	53250	53	192.168.2.7	1.1.1.1
Nov 20, 2024 20:16:39.867177010 CET	53	53250	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 20:15:34.322462082 CET	192.168.2.7	1.1.1.1	0x6bdb	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 20:16:39.723750114 CET	192.168.2.7	1.1.1.1	0xd944	Standard query (0)	boss.google.tw.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 20:15:34.460069895 CET	1.1.1.1	192.168.2.7	0x6bdb	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 20:16:39.867177010 CET	1.1.1.1	192.168.2.7	0xd944	No error (0)	boss.google.tw.cn		8.210.144.166	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:15:30
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\cho_mea64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cho_mea64.exe"
Imagebase:	0x80000
File size:	21'364'502 bytes
MD5 hash:	044F51347E293AC77DE4CD47BDCCBACF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:15:31
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp" /SL5="$20404,20366305,827392,C:\Users\user\Desktop\cho_mea64.exe"
Imagebase:	0x890000
File size:	3'317'248 bytes
MD5 hash:	DC63A4763A59D647C3D0C4480EAE0329
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:15:32
Start date:	20/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:15:35
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x400000
File size:	3'888'659 bytes
MD5 hash:	545274EA5D70FF8BEB929CDA02BE53DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:15:35
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:15:37
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x400000
File size:	15'663'521 bytes
MD5 hash:	CB8267B4B34F49626EAF67B562DC4C87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:15:37
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:15:40
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe"
Imagebase:	0x7ff60cf10000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000008.00000002.2875747667.0000022F1E420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000008.00000002.2875896834.0000022F1E681000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:18:22
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start "" "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x7ff6a8e70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:18:22
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\soiucosxz.exe" 3aede031690535070f390095f2d2 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x7ff60cf10000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:19:32
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\soiucosxz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\ksxvHQBlSOri\soiucosxz.exe"
Imagebase:	0xce0000
File size:	601'040 bytes
MD5 hash:	F6F6FF4E9B359BC005A25FADB3A0AA61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:19:32
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"
Imagebase:	0xe80000
File size:	601'040 bytes
MD5 hash:	F6F6FF4E9B359BC005A25FADB3A0AA61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:19:32
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"
Imagebase:	0x7ff77edf0000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:19:37
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start "" "C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x7ff6a8e70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:19:37
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 7824 "C:\Users\user~1\AppData\Local\Temp\is-KDSFA.tmp\..\805444110049334163191123924\"
Imagebase:	0x7ff77edf0000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:19:46
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" "2fb5d34656b943d916e57e9120"
Imagebase:	0x7ff77edf0000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:19:59
Start date:	20/11/2024
Path:	C:\Windows\System32\RelPost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RelPost.exe
Imagebase:	0x7ff7fd800000
File size:	187'392 bytes
MD5 hash:	E351DDC4F470EDEF41D705315CA1F156
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:19:59
Start date:	20/11/2024
Path:	C:\Windows\System32\msconfig.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msconfig.exe
Imagebase:	0x7ff7f68a0000
File size:	197'632 bytes
MD5 hash:	39009536CAFE30C6EF2501FE46C9DF5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	15:19:59
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe" bcbf6f4 1876
Imagebase:	0x7ff77edf0000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000017.00000002.3163426099.0000016095BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000017.00000002.3163647071.0000016095E11000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	15:20:11
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\soiucosxz.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\ksxvHQBlSOri\soiucosxz.exe
Imagebase:	0xce0000
File size:	601'040 bytes
MD5 hash:	F6F6FF4E9B359BC005A25FADB3A0AA61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:20:12
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\soiucosxz.exe"
Imagebase:	0xe80000
File size:	601'040 bytes
MD5 hash:	F6F6FF4E9B359BC005A25FADB3A0AA61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:20:12
Start date:	20/11/2024
Path:	C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ksxvHQBlSOri\app-0.89.2\app-0.89.2\soiucosxz.exe"
Imagebase:	0x7ff77edf0000
File size:	2'324'480 bytes
MD5 hash:	6CF29DBF1FA710CCCF6BA1C4C01F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	20

Executed Functions

Function 00414F30 Relevance: 7.9, APIs: 3, Strings: 1, Instructions: 894COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414F35

Part of subcall function 0041836A: _CxxThrowException.MSVCRT(?,0042C050), ref: 004183B3

Strings

, xrefs: 00414F81

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: 4249ef1111995ac6341149bd16243148716db58c60e65aaca3a2581c99e17d69
Instruction ID: 9730df7e2326ecd6f3b7c656d3358000a3777ff4a4df54740873238864095401
Opcode Fuzzy Hash: 4249ef1111995ac6341149bd16243148716db58c60e65aaca3a2581c99e17d69
Instruction Fuzzy Hash: 1A829F30900659DFDB15DFA8C884BEEBBB1BF48314F14419EE815AB391C738AE85CB65

Function 00405A8D Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A6D: FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

FindFirstFileW.KERNELBASE(?,?), ref: 00405AAC

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d3e20e893d103623865192cbfbd50d7f980ab7106058d3680fa755dbd2b51631
Instruction ID: ed05b2355a57328246007ee694caf2b5fc6674e02e4ec3abcb408285466e3139
Opcode Fuzzy Hash: d3e20e893d103623865192cbfbd50d7f980ab7106058d3680fa755dbd2b51631
Instruction Fuzzy Hash: DBE0923020091857CF20AF64CCC55EB3768EF51318F104376A861A72D1E7389D4A8FA8

Function 0040100A Relevance: 49.6, APIs: 18, Strings: 10, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040100F

Part of subcall function 0041EBC0: GetVersion.KERNEL32 ref: 0041EBC7
Part of subcall function 0041EBC0: GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBDD
Part of subcall function 0041EBC0: GetProcAddress.KERNEL32(00000000), ref: 0041EBE4
Part of subcall function 0041EBC0: GetSystemDirectoryW.KERNEL32(?,00000106), ref: 0041EC07
Part of subcall function 0041EBC0: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0041EC8D

SetFileApisToOEM.KERNEL32 ref: 00401025
fputs.MSVCRT ref: 0040103D
GetCommandLineW.KERNEL32 ref: 0040104E

Part of subcall function 004023C8: __EH_prolog.LIBCMT ref: 004023CD

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 0040542C: GetModuleFileNameW.KERNEL32(00000000,00000000,00000105), ref: 0040545C

fputs.MSVCRT ref: 004010B2
fputs.MSVCRT ref: 0040111F
fputs.MSVCRT ref: 0040113B
_CxxThrowException.MSVCRT(?,0042BC68), ref: 00401864

Part of subcall function 00401E69: fputs.MSVCRT ref: 00401E75

Part of subcall function 004024D3: __EH_prolog.LIBCMT ref: 004024D8

Strings

Error: , xrefs: 00401562
ERROR: Unknown command:, xrefs: 004011E7
Archive Errors, xrefs: 0040170E
Open Errors: , xrefs: 00401785
F{v, xrefs: 00401122, 004011EF, 00401437, 0040143D, 0040155A
Can't open as archive, xrefs: 004016D9
Command line error:, xrefs: 0040111A
Sub items Errors: , xrefs: 00401740
@F{v, xrefs: 00401438
GetFullPathName Error, xrefs: 004010AD

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$H_prolog$FileModule$AddressApisCommandDirectoryExceptionHandleLibraryLineLoadNameProcSystemThrowVersionfree
String ID: F{v$@F{v$Archive Errors$Can't open as archive$Command line error:$ERROR: Unknown command:$Error: $GetFullPathName Error$Open Errors: $Sub items Errors:
API String ID: 1316033296-242411509
Opcode ID: 8a9c492448bef55a61859c969b5a1dbe21ce475c0d18a2cff95548d716863a0e
Instruction ID: 37754d37836912fedcf3d689fcb171cea941b93a5e0cdad8537999c6aa24026e
Opcode Fuzzy Hash: 8a9c492448bef55a61859c969b5a1dbe21ce475c0d18a2cff95548d716863a0e
Instruction Fuzzy Hash: 47428D31900259DFDF25EFA5D895AEDBBB4AF04304F1440AFE44AB72E2DB381A45CB19

Function 0041171E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411723
fputs.MSVCRT ref: 00411759
fputs.MSVCRT ref: 0041177E

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

Part of subcall function 00406F66: VariantClear.OLEAUT32(?), ref: 00406F88

SysFreeString.OLEAUT32(00000000), ref: 004118B0
fputs.MSVCRT ref: 004118D3
SysFreeString.OLEAUT32(00000000), ref: 0041196D
SysFreeString.OLEAUT32(00000000), ref: 004119B7

Strings

----, xrefs: 004118CE
--, xrefs: 0041174E
Warning: The archive is open with offset, xrefs: 00411779
Type, xrefs: 004117EB

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FreeStringfputs$ClearH_prologVariantfputc
String ID: --$----$Type$Warning: The archive is open with offset
API String ID: 2072268484-1245056967
Opcode ID: fb3390146c81334d396c99daa6d3461159feaf5986877ce0f5b400962f183e80
Instruction ID: a3d5f6d9cfde6feea9fdbc4782c9a90494907b9087194ce7bf4d0a7410971838
Opcode Fuzzy Hash: fb3390146c81334d396c99daa6d3461159feaf5986877ce0f5b400962f183e80
Instruction Fuzzy Hash: D491AC71A10209EFDB14DFA5D981AEEB7B5FF48314F10412EE512A72A0DB38AD85CB58

Function 00425E4C Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00425E78
__p__fmode.MSVCRT ref: 00425E8D
__p__commode.MSVCRT ref: 00425E9B
__setusermatherr.MSVCRT ref: 00425EC8
_initterm.MSVCRT ref: 00425EDE
__getmainargs.MSVCRT ref: 00425F01
_initterm.MSVCRT ref: 00425F11
__p___initenv.MSVCRT ref: 00425F16
exit.KERNELBASE ref: 00425F36
_XcptFilter.MSVCRT ref: 00425F48

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 167530163-0
Opcode ID: d4e87e20f13268a2368b37537ec0d8a4c7ebd2ceb8382e40c53da9a686bd4e22
Instruction ID: 5d8486ae153206ccce82f6c4c9ba7e61262e203fc83edcfd9949eb2a5c758f24
Opcode Fuzzy Hash: d4e87e20f13268a2368b37537ec0d8a4c7ebd2ceb8382e40c53da9a686bd4e22
Instruction Fuzzy Hash: 16318575A00719EFDB14DFA0ED4AEAD7B74FB08321F50022AF515A32A0DB785900CF28

Function 00401190 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004011EC
_CxxThrowException.MSVCRT(?,0042BC88), ref: 004012F2
_CxxThrowException.MSVCRT(?,0042BC78), ref: 00401307

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

Error: , xrefs: 00401562
F{v, xrefs: 00401437, 0040143D, 0040155A
@F{v, xrefs: 00401438

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrow$fputsfree
String ID: F{v$@F{v$Error:
API String ID: 3322102733-619697466
Opcode ID: 2f78c6be662f9775f649687e13d4bd9369e6b82b5191ee238eda4f6237683049
Instruction ID: 4a2e7b9742cb2017b67176a9351b53f13f8677fefdef250d775b56a696d96fcd
Opcode Fuzzy Hash: 2f78c6be662f9775f649687e13d4bd9369e6b82b5191ee238eda4f6237683049
Instruction Fuzzy Hash: 3FE16C31900259DEDF21EFA4C991BEDBBB4AF14304F1444AFE449B72A2DB385A49CF25

Function 004110B7 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004110BC
fputs.MSVCRT ref: 004111D2
fputs.MSVCRT ref: 004112BA
fputs.MSVCRT ref: 004113D2
fputs.MSVCRT ref: 00411421

Part of subcall function 00403CDF: fflush.MSVCRT ref: 00403CE1

Part of subcall function 00403D01: __EH_prolog.LIBCMT ref: 00403D06

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

ERRORS:, xrefs: 00411193, 004111CD
WARNINGS:, xrefs: 0041127B, 004112B5
Can't allocate required memory, xrefs: 0041141C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$H_prolog$fflushfree
String ID: Can't allocate required memory$ERRORS:$WARNINGS:
API String ID: 1750297421-1898165966
Opcode ID: 8f306ed1555abaf5623ad89e118a3c979d97054053c85260dd150c3e60813d3e
Instruction ID: 33d289f6b5c606ebc4a1115891c26e2319c58622cdac9781428c791bf3c2c158
Opcode Fuzzy Hash: 8f306ed1555abaf5623ad89e118a3c979d97054053c85260dd150c3e60813d3e
Instruction Fuzzy Hash: 2FB1A4306017059FEB24DF61C891BEAB7E1BF44308F04852FD65AA76A1CB39BD84CB59

Function 004114D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004114DE
EnterCriticalSection.KERNEL32(00430538), ref: 004114F4
fputs.MSVCRT ref: 00411586
fputs.MSVCRT ref: 004115CC
fputs.MSVCRT ref: 00411652
fputs.MSVCRT ref: 0041166F

Part of subcall function 004123AF: fputs.MSVCRT ref: 00412418

Part of subcall function 00403D01: __EH_prolog.LIBCMT ref: 00403D06

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

LeaveCriticalSection.KERNEL32(00430538), ref: 004116BD

Strings

Sub items Errors: , xrefs: 004115C7

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$CriticalH_prologSection$EnterLeavefree
String ID: Sub items Errors:
API String ID: 777174534-2637271492
Opcode ID: 7fae9a088714fc38a6a925baca4c77656e155b9a6abe2461155d56a4988a5f7c
Instruction ID: c436f3324885b6c5f0cde1dde4f741d5a44cae6dcfed69199f3fe9034af22f22
Opcode Fuzzy Hash: 7fae9a088714fc38a6a925baca4c77656e155b9a6abe2461155d56a4988a5f7c
Instruction Fuzzy Hash: 36519D32601600DFDB25DF65D884AEABBE2FF84310F54852FE15B97261DB3A6D90CB09

Function 0040739D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 004073C1
GetProcAddress.KERNEL32(00000000), ref: 004073C8
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004073D6
GlobalMemoryStatus.KERNEL32(?), ref: 00407408

Strings

@, xrefs: 004073BA
GlobalMemoryStatusEx, xrefs: 004073A6
, xrefs: 00407400
kernel32.dll, xrefs: 004073AB

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: 2a986c63f2b6fa7951a361114db15d026d7f1eb5d0adc5c4a8a9ed1fa11470ce
Instruction ID: bd3d2fabc704362d9ca5d338a6c6718327ec6968a32443d636c6e2c65d652486
Opcode Fuzzy Hash: 2a986c63f2b6fa7951a361114db15d026d7f1eb5d0adc5c4a8a9ed1fa11470ce
Instruction Fuzzy Hash: 41113970E04219DBEB20DF94D989BAEBBF5FB04341F50042AE942F7280D778B844DB59

Function 00411E83 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411E88

Part of subcall function 00412153: GetVersionExW.KERNEL32(?), ref: 0041216D

fputs.MSVCRT ref: 00411EBF

Strings

F{v, xrefs: 00411EA0, 00411EB8
@F{v, xrefs: 00411E93
Unsupported Windows version, xrefs: 00411EBA

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prologVersionfputs
String ID: F{v$@F{v$Unsupported Windows version
API String ID: 1051792753-1168572466
Opcode ID: 6c2c40629df218334bec5ec3bc1302cec0765b107ed07878728180e7a12435a0
Instruction ID: a092db236a47294cc3f6e096509d2604d9432d6bca79f67c2c86b4b3dc796ef4
Opcode Fuzzy Hash: 6c2c40629df218334bec5ec3bc1302cec0765b107ed07878728180e7a12435a0
Instruction Fuzzy Hash: 8C01D871900245EFDB00EF99E9567EE77B0EB04329F20465FE502B31A1D7B81A458F59

Function 00404CBA Relevance: 7.7, APIs: 5, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00404CBF
_CxxThrowException.MSVCRT(?,0042BC78), ref: 00404CE5
wcscmp.MSVCRT ref: 00404D83
wcscmp.MSVCRT ref: 00404DDD
wcscmp.MSVCRT ref: 00404DED

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: wcscmp$ExceptionH_prologThrow
String ID:
API String ID: 2750596395-0
Opcode ID: f23e2ef40910e6ffc54e826b8d0121cb1542fb9c33c64a9faf08078d31a669d3
Instruction ID: a49034ca18766dd2985d6115f704c3eb646d16e2e938f66f16f9e822e2dcca93
Opcode Fuzzy Hash: f23e2ef40910e6ffc54e826b8d0121cb1542fb9c33c64a9faf08078d31a669d3
Instruction Fuzzy Hash: 4791BF71D002499FCF15DFA8C845AEEBBB0BF95304F54806EE500B72D1CB385A45CB58

Function 00417DFD Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00417E02

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6465af3b85f9c6ec0544edb33d8b4d85580d0812a5a0e51c2c98df890fa78ea5
Instruction ID: fc13bfd809c8fc2b6a0ab506a486224924f27f492ec3e4f1722cabba43a86d91
Opcode Fuzzy Hash: 6465af3b85f9c6ec0544edb33d8b4d85580d0812a5a0e51c2c98df890fa78ea5
Instruction Fuzzy Hash: 9A519B76A043159FDB10DFA4C881BFFB7B5BF88314F14441AE905AB341D778AD868BA8

Function 00405C98 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00405C9D
SetLastError.KERNEL32(00000002,?,?,0000FBEF,:$DATA,?,00000000,00000000,?,00000001), ref: 00405DEC

Part of subcall function 00405C98: wcscmp.MSVCRT ref: 00405FC6

Part of subcall function 00405C89: GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Strings

:$DATA, xrefs: 00405D02, 00405D14

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AttributesErrorFileH_prologLastwcscmp
String ID: :$DATA
API String ID: 3506966624-2587938151
Opcode ID: 87bfde631d3deb79e08e3bd7bfe69129d78864a065144b55b4a4eba179ff856b
Instruction ID: 07b953e3390746c4a9dc82bd7aadb35804c006ab05ede8c66105daedd2d37e57
Opcode Fuzzy Hash: 87bfde631d3deb79e08e3bd7bfe69129d78864a065144b55b4a4eba179ff856b
Instruction Fuzzy Hash: E6C1D030900A059ADF25EFA5C485AEEBBB5EF14318F10813FE882772D2DB3D5A55CB18

Function 0040EFA5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040EFAA

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 0040ED49: __EH_prolog.LIBCMT ref: 0040ED4E

Strings

Split, xrefs: 0040F125
.001, xrefs: 0040F188
.exe, xrefs: 0040F0E3

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID: .001$.exe$Split
API String ID: 3744649731-1819480430
Opcode ID: b0caf2b682cef3c7a4c66ef42f6e36627b6efe1c141464d3df3cc4290bd1e483
Instruction ID: 6ee4b62a70a765373665152c840579a13589d10806b9eb9c9327f76c0b6f4a6d
Opcode Fuzzy Hash: b0caf2b682cef3c7a4c66ef42f6e36627b6efe1c141464d3df3cc4290bd1e483
Instruction Fuzzy Hash: 8AA1D334A00205DBCF21DFA5C445BAEBBB4AF45314F1445BEE845BB6D2CB39AE49CB14

Function 00411A47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411A4C
fputs.MSVCRT ref: 00411A61
fputs.MSVCRT ref: 00411A6A

Part of subcall function 00411AD2: __EH_prolog.LIBCMT ref: 00411AD7
Part of subcall function 00411AD2: fputs.MSVCRT ref: 00411B17
Part of subcall function 00411AD2: fputs.MSVCRT ref: 00411BA6

Strings

= , xrefs: 00411A65

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: cb02bf5d739171821884010db5d4c3a9afc62b04c47f741bb3b2f8847e761e53
Instruction ID: 4685179e67a5387b9933c8bac1fb032a3b631e83bc1fbaf7f8a336648ebc960e
Opcode Fuzzy Hash: cb02bf5d739171821884010db5d4c3a9afc62b04c47f741bb3b2f8847e761e53
Instruction Fuzzy Hash: 84012831A00005ABDF15BF66D802BEE7F79AF80359F00402FF841622A1CB7C5A91CB9A

Function 00424660 Relevance: 6.0, APIs: 4, Instructions: 38
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042466A
GetLastError.KERNEL32(?,000000FF), ref: 0042467B
CloseHandle.KERNELBASE(00000000,?,000000FF), ref: 0042468F
GetLastError.KERNEL32(?,000000FF), ref: 00424699

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast$CloseHandleObjectSingleWait
String ID:
API String ID: 1796208289-0
Opcode ID: 9ad817bcdee8a37bd63ddf115caa5bcabacb03681436272bee2871554aa3e524
Instruction ID: 0e6695afe9b1d70dfe2be0eee00a61d69e8467993ccb29156463d7536a55e89f
Opcode Fuzzy Hash: 9ad817bcdee8a37bd63ddf115caa5bcabacb03681436272bee2871554aa3e524
Instruction Fuzzy Hash: 01F05E713046324BDB305AB9AC44A1776DCDFD2774BA10737E960C33D0DA6CCC028A68

Function 0040C369 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 733COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C36E

Part of subcall function 004062C4: GetLastError.KERNEL32(0040CC4F,?,00000001,?,00000010,00000000,00000000), ref: 004062C4

Part of subcall function 0040CF00: __EH_prolog.LIBCMT ref: 0040CF05

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

Cannot find archive file, xrefs: 0040C526, 0040CC56
The item is a directory, xrefs: 0040C539

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID: Cannot find archive file$The item is a directory
API String ID: 683690243-1569138187
Opcode ID: ba4e93d295138a7c7a93445b13343d5f42624c3586502f83140f31495d1f815e
Instruction ID: b5a1b32bc12d711d5e0a8161568501f8c01d54cd71bc8ef7c26888fa0a065d70
Opcode Fuzzy Hash: ba4e93d295138a7c7a93445b13343d5f42624c3586502f83140f31495d1f815e
Instruction Fuzzy Hash: D6724970900258DFDB21DF68C884BDEBBB5AF59304F1441AAE849B7392C778AE81CF55

Function 004124E9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0041250B
fputs.MSVCRT ref: 0041271D

Strings

. , xrefs: 0041269B

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CountTickfputs
String ID: .
API String ID: 290905099-4150638102
Opcode ID: 62978d2e05be1da6066eb87697aec2cc0ac5a4a437e1c063d05335f7abfea39d
Instruction ID: cb26736c674bc8d9c7ca26a32cfd03a69c5f5ceaab9adc37427ae5af0aaaee1d
Opcode Fuzzy Hash: 62978d2e05be1da6066eb87697aec2cc0ac5a4a437e1c063d05335f7abfea39d
Instruction Fuzzy Hash: 21814C30600B459FCB25DF65C6D0AABB7F6AF40304F10482EE496D7691DBB8F989CB18

Function 00416E44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0040739D: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 004073C1
Part of subcall function 0040739D: GetProcAddress.KERNEL32(00000000), ref: 004073C8
Part of subcall function 0040739D: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004073D6

__aulldiv.LIBCMT ref: 00416ECD
__aulldiv.LIBCMT ref: 00416ED9

Strings

3333, xrefs: 00416EB7

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
String ID: 3333
API String ID: 3520896023-2924271548
Opcode ID: 14d98df592c1ed9401447ad19b8c5cbbf4c4088a852356cff76e661ec3d3721c
Instruction ID: 5119751143de8b55060969e9aa1b5a70445e0105ff33e8ddafc95c9096c2d0b2
Opcode Fuzzy Hash: 14d98df592c1ed9401447ad19b8c5cbbf4c4088a852356cff76e661ec3d3721c
Instruction Fuzzy Hash: 6521B7B5A00704AFE730DF6A9881A6FFAF8EB84714F44892FB145D3641D674ED408B59

Function 004063E4 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,?,80004004,80004004,?,?,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000), ref: 00406404
GetLastError.KERNEL32(?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?,?,0040AE79,?), ref: 00406411

Part of subcall function 00406389: SetFilePointer.KERNEL32(?,00000000,?,00000001,00000000,?,?,?,00406427,?,?,0040646C,80004004,80004004,00000000,?), ref: 0040639D
Part of subcall function 00406389: GetLastError.KERNEL32(?,00406427,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?), ref: 004063AA

SetLastError.KERNEL32(00000000,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?), ref: 00406428

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 0b05d6185b408afcdee46b4b0f28ff2912608ed381f3cb98e0708fe1c876e7e2
Instruction ID: 864dc6c6c593cf8bf19505ec3c4d2a71f9220abb1ddbe6d7f18ae570c31cdd18
Opcode Fuzzy Hash: 0b05d6185b408afcdee46b4b0f28ff2912608ed381f3cb98e0708fe1c876e7e2
Instruction Fuzzy Hash: 89018475300208AFCB119F68EC45A9F3BE9AF48320F51813AF906E7391D6758D119668

Function 00405759 Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040575E
CreateDirectoryW.KERNELBASE(?,00000000,80004004,00000000), ref: 0040576E
GetLastError.KERNEL32(?,00000000,80004004,00000000), ref: 0040577C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CreateDirectoryErrorH_prologLast
String ID:
API String ID: 2841023564-0
Opcode ID: 9cacd7261072eef841eea90e155f46b680eb7036377b12a0fd961b6c2ca1e33c
Instruction ID: 079377e55826ee0f4379d49620bbc90c1195ddaef26b68593b7f8623b37cd9bc
Opcode Fuzzy Hash: 9cacd7261072eef841eea90e155f46b680eb7036377b12a0fd961b6c2ca1e33c
Instruction Fuzzy Hash: E2F06D75A01A18DEDB14AF54E985AEF7778EB15348F50003EE802B72D2CA385E06DE69

Function 0040E825 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E82A

Strings

Split, xrefs: 0040E97F

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID: Split
API String ID: 3519838083-1882502421
Opcode ID: d2399743dbce8c0cfa1657e305499ecf9d3750d973dcb538bf738901abf4c24c
Instruction ID: 736ae2316e5d0145198b9a3bf66f2ac6d4ce90c3458676da96f14d14a3bbf3ba
Opcode Fuzzy Hash: d2399743dbce8c0cfa1657e305499ecf9d3750d973dcb538bf738901abf4c24c
Instruction Fuzzy Hash: 6F025070A00249DFDB11DFA6C884AAEBBB5BF08304F14887EE446BB391D739AD55CB54

Function 0040CF6F Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CF74

Part of subcall function 00405618: __EH_prolog.LIBCMT ref: 0040561D

Strings

Cannot create output directory, xrefs: 0040D32C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID: Cannot create output directory
API String ID: 3519838083-1181934277
Opcode ID: e65345c544e7efc1230a7093f43446513c1aad28dde1dd46808d5c34d966500d
Instruction ID: 1cab3c87023adceb4cf1cff07f82d3cc3a0dce552b336292f606194224630fe1
Opcode Fuzzy Hash: e65345c544e7efc1230a7093f43446513c1aad28dde1dd46808d5c34d966500d
Instruction Fuzzy Hash: 2FF18E31D00249DFCF11EFE4C8949EEBBB5AF59308F14806EE84577292DB389A49CB55

Function 0040A565 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A56A

Part of subcall function 00409F0A: __EH_prolog.LIBCMT ref: 00409F0F

Part of subcall function 0040D993: __EH_prolog.LIBCMT ref: 0040D998

Part of subcall function 0040A130: __EH_prolog.LIBCMT ref: 0040A135

Part of subcall function 0040A23C: __EH_prolog.LIBCMT ref: 0040A241

Strings

Cannot seek to begin of file, xrefs: 0040A8C0

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID: Cannot seek to begin of file
API String ID: 3519838083-2298593816
Opcode ID: bee1894de2faad67771b6db50f6893a6025d9f0d75ec941aa60c9f0f82a65786
Instruction ID: ecade97c4e2ac40fd8b16c0bf8f986f2c90cabb7ab41a2d788bc46ed2bc5babc
Opcode Fuzzy Hash: bee1894de2faad67771b6db50f6893a6025d9f0d75ec941aa60c9f0f82a65786
Instruction Fuzzy Hash: B6C1F171A003419EDB21DB64C484BAEBBF4AF40304F14887FE486B72D2DB78AD55C75A

Function 004123AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

fputs.MSVCRT ref: 00412418

Part of subcall function 00402CC8: _CxxThrowException.MSVCRT(00000000,0042C050), ref: 00402CEA

Strings

, xrefs: 004123E7

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrowfputs
String ID:
API String ID: 1334390793-399585960
Opcode ID: ec99868a2370106556cac535b7a6e100cd634181ff94c6eddc8767ec8ac5bdfa
Instruction ID: d8e4c1249425f7f36e7589520ef7ed907c8d3a90e64baa80d70663753212215a
Opcode Fuzzy Hash: ec99868a2370106556cac535b7a6e100cd634181ff94c6eddc8767ec8ac5bdfa
Instruction Fuzzy Hash: 6711DD716047049FEB25CF59D881BAABBE6FF4A304F44406EE186CB281C7B9BC54CB64

Function 00410DC7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00410E4B

Strings

Open, xrefs: 00410E7D

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs
String ID: Open
API String ID: 1795875747-71445658
Opcode ID: dc1672cedb5b06db92c9f3a5834d7b7fcc6fc189d1a6f73a6a8db1cb7b33b2b4
Instruction ID: b3d4efdce60f7cf7a5ac5682edf5dbbf603c16c6f2166bcf7d74fcf7ccc6ffd6
Opcode Fuzzy Hash: dc1672cedb5b06db92c9f3a5834d7b7fcc6fc189d1a6f73a6a8db1cb7b33b2b4
Instruction Fuzzy Hash: A811EE321047449FE721EF32D891ADBBBA5BF10314F00882FE49A83291DB766994CF49

Function 0040A23C Relevance: 3.3, APIs: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A241

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 3cad1ab7b769f2d1acacac0414ec1099ca9b1d7be8c662c3c923ed6bed840f9a
Instruction ID: 119d2db5184c98bb620e655760488671e2cf7285567f933d7f5c7ab3a4145e28
Opcode Fuzzy Hash: 3cad1ab7b769f2d1acacac0414ec1099ca9b1d7be8c662c3c923ed6bed840f9a
Instruction Fuzzy Hash: F291D431900204ABCF21EFA5D885AAEBBB5AF85308F14403FE841B72D1CB395E55CB5A

Function 0041923A Relevance: 3.2, APIs: 2, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041923F
_CxxThrowException.MSVCRT(?,0042E810), ref: 00419459

Part of subcall function 00414F30: __EH_prolog.LIBCMT ref: 00414F35

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 5b91504e9a128caa8ba8520bba2a7aec4533bf77359d1d494c76c090470ab4c4
Instruction ID: 4dd68368b573ab2b3fbb2926aa4f54af7d60f28f21f52d43cd7d550c9688040f
Opcode Fuzzy Hash: 5b91504e9a128caa8ba8520bba2a7aec4533bf77359d1d494c76c090470ab4c4
Instruction Fuzzy Hash: 2B816D70D00159DFCB11DFA4C891AEEBBB5BF09308F10809AE455B7292DB38AE95CF64

Function 00405618 Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040561D

Part of subcall function 00405C89: GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 7307f15d7dcd26a1028437531f8b3d46531374772733964b746c2e4a545ecfa4
Instruction ID: 1ec97c357641f2a95409124c811880a2bc8558c2d5f8d70d5842d2e5aa1dfbfc
Opcode Fuzzy Hash: 7307f15d7dcd26a1028437531f8b3d46531374772733964b746c2e4a545ecfa4
Instruction Fuzzy Hash: 96318A31900916DACF24ABA8C5814FFB775EF11318F90047BD802B72D1DB3A6E469FA9

Function 00419F2B Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419F30

Part of subcall function 00419C39: __EH_prolog.LIBCMT ref: 00419C3E

_CxxThrowException.MSVCRT(?,0042E810), ref: 00419F7B

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: f3ed8672d2c2e4200345710861aa6959bc24473354d3664b997b8fe4b6267530
Instruction ID: 46f78fe5ae91ca0ba6bfca82b63fd184bcf2fa2220459aed858054068ed78b21
Opcode Fuzzy Hash: f3ed8672d2c2e4200345710861aa6959bc24473354d3664b997b8fe4b6267530
Instruction Fuzzy Hash: 0401DF32500248BFDF118F54C816BEE7BA4EB45314F44414AF4489B211C3BA9990CBA4

Function 004246C0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 004246D4
GetLastError.KERNEL32 ref: 004246E8

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: 84ad473c3d34086ae7fede349773d0ba2c5fd96f40ec9ed9a40fef1eb1428159
Instruction ID: 467cfe1d8112a966019ebae5ced0304520bc6109d9d80bdd01151506748d1c69
Opcode Fuzzy Hash: 84ad473c3d34086ae7fede349773d0ba2c5fd96f40ec9ed9a40fef1eb1428159
Instruction Fuzzy Hash: C2E0CDB63042115FF3109B54AC01F7771DCDBD0701F80443EBA44CA180E6A5CD00C379

Function 0040735B Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0040737C), ref: 00407360
GetProcessAffinityMask.KERNEL32(00000000), ref: 00407367

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 81c132c54f17672c127dd815764c6083acefeaec05c63578e1865d3c67dcce40
Instruction ID: 6c427cee417cddacfba452fddf0a978d30e57e06aa7b4599873eb5b06c94d529
Opcode Fuzzy Hash: 81c132c54f17672c127dd815764c6083acefeaec05c63578e1865d3c67dcce40
Instruction Fuzzy Hash: C9B092B1500108ABCE209BA09D0CC163B2CBB052017508464B101C2010C636C802CB24

Function 004220D0 Relevance: 2.5, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00422E61,?,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004220D8
LeaveCriticalSection.KERNEL32(?), ref: 0042213C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: eac4f34b2d8b9f95b90929ce9a24efbc20dc996e9036948340617c887f31075f
Instruction ID: f50e5a8d1bc7c2573474e86cbefc73510f32451a4931060e28914d4ecc17dea9
Opcode Fuzzy Hash: eac4f34b2d8b9f95b90929ce9a24efbc20dc996e9036948340617c887f31075f
Instruction Fuzzy Hash: DC11CE75700B019FC734CF19D980A2BB3F6AF88B10B44892DE59AD3B10D774F8068B61

Function 004105CF Relevance: 2.5, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 004105D7
LeaveCriticalSection.KERNEL32(00430538), ref: 00410616

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b241e6e0a0e399f6be3b330eef631e663d5ca75de7b7d6124f0b7a41341d90da
Instruction ID: 685853894ae39eee227984b1d0e7600127116368531782c57f48b05f3866eb5d
Opcode Fuzzy Hash: b241e6e0a0e399f6be3b330eef631e663d5ca75de7b7d6124f0b7a41341d90da
Instruction Fuzzy Hash: 04F058346412109FD318DF16C808FAA37A1AFD5315F1A80BEE00587362CB78CCC6CB94

Function 00424610 Relevance: 2.5, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,00413A40,?,00413773,00000000,?,?,0041309F,?), ref: 0042461A
GetLastError.KERNEL32(?,0041309F,?), ref: 00424624

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: aa73dd18d57520f207ceaa29438d66ae8266170de33677e67130023f0a0b4a7c
Instruction ID: 24836bce18bb2cca70c93d26269989a30084265c515bb5c490de6bd10a7965fa
Opcode Fuzzy Hash: aa73dd18d57520f207ceaa29438d66ae8266170de33677e67130023f0a0b4a7c
Instruction Fuzzy Hash: 4ED09E713141614BEB705F79BD087977ADCDF51B54F85086EF958C7240EA6CCC834658

Function 00403B71 Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00403B84
_CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: 3e791b120deac60a940b24b1a74ec80c1e3bf78372a8eec457417a2a87f4d28b
Instruction ID: 413c76808b874f20dff1fc6092fe03bbab6c47668a85a4a3cdc964c164a5b717
Opcode Fuzzy Hash: 3e791b120deac60a940b24b1a74ec80c1e3bf78372a8eec457417a2a87f4d28b
Instruction Fuzzy Hash: E2E0CD3120460C69DF105F50D8467AD3F7C5F10355F809026FC0C5D142C278D7D48744

Function 00416494 Relevance: 2.1, APIs: 1, Instructions: 649COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416499

Part of subcall function 00415A25: memset.MSVCRT ref: 00415A39

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prologfreememset
String ID:
API String ID: 743394225-0
Opcode ID: 87a9a78664fd45122a5da8fb1cfe3d7209b2e8fe7d627238ec6be8498e6135af
Instruction ID: 2c44f47edba988f8aeb80a4babf8dfcf021c45bdc66655be1d995d0b6d76fbbe
Opcode Fuzzy Hash: 87a9a78664fd45122a5da8fb1cfe3d7209b2e8fe7d627238ec6be8498e6135af
Instruction Fuzzy Hash: B5528170900249DFDB15CFA8C588BEEBBB5AF49304F19409EE445AB391DB38DE85CB25

Function 0040F345 Relevance: 2.0, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F34A

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1aee6a2b02e4ed9202893e1c1d1e0e5268040115cd70fa0940a311bbe32e592f
Instruction ID: 82ec2a547574f120ef1af248452345df4ce190c02b8900f5607f34d2821a8202
Opcode Fuzzy Hash: 1aee6a2b02e4ed9202893e1c1d1e0e5268040115cd70fa0940a311bbe32e592f
Instruction Fuzzy Hash: 5B128F71D00209DFCF24DFA4C984ADEBBB5AF45314F2441BAE445BB291DB38AE49CB15

Function 0040AA7B Relevance: 1.7, APIs: 1, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AA80

Part of subcall function 0040A565: __EH_prolog.LIBCMT ref: 0040A56A

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f93629fd31d4145120887d0a92158bcee26909b0a10fb315d0658743ecffe3ce
Instruction ID: 0ab7f169d6ce1dd3c498451d8d56829bda81e7c46dbb63c9e1e9485555b509e8
Opcode Fuzzy Hash: f93629fd31d4145120887d0a92158bcee26909b0a10fb315d0658743ecffe3ce
Instruction Fuzzy Hash: 57A1B071504385DFDB21DF68C190AAABBE1BF15300F54887FE58AAB781D338A954CB1A

Function 00419C39 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419C3E

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0ab9992a353954d997e20637339cdba53e6d589b3b11fbd1ffc9004d5494e72c
Instruction ID: 1255ca181abffa466eb45554b4903856dd8a335ef0234f0ec3abff0dd25b2713
Opcode Fuzzy Hash: 0ab9992a353954d997e20637339cdba53e6d589b3b11fbd1ffc9004d5494e72c
Instruction Fuzzy Hash: F5A1A930A04646AFDB29DF65C4907EEFBF1BF18304F10452EE55AA3291C779AD80CB99

Function 0040ED49 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040ED4E

Part of subcall function 0040E825: __EH_prolog.LIBCMT ref: 0040E82A

Part of subcall function 0040C1DC: __EH_prolog.LIBCMT ref: 0040C1E1

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 1563f0183111ff3756f6a4956a005afc579fd9423b9086b0a952e52ce037ac1c
Instruction ID: f06d9fa28c26d18b38afae9a2a45c1291361f954b2c40a63c05487aefbd1d087
Opcode Fuzzy Hash: 1563f0183111ff3756f6a4956a005afc579fd9423b9086b0a952e52ce037ac1c
Instruction Fuzzy Hash: CF51B570600206AFDB24EF62C891DAEBBB9AF54308F10487FF141B72D1DB78A945CB54

Function 0040F9E0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F9E5

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 0040FB8E: __EH_prolog.LIBCMT ref: 0040FB93

Part of subcall function 0040F345: __EH_prolog.LIBCMT ref: 0040F34A

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: f2c6da9c2af833501a3f0a98a90cce2383feebc1580640127ebe05efa80fc277
Instruction ID: f917c622738c18646c6016d604920ad8a146ceec9960691556415646441905d3
Opcode Fuzzy Hash: f2c6da9c2af833501a3f0a98a90cce2383feebc1580640127ebe05efa80fc277
Instruction Fuzzy Hash: C9518131900605DFCB25DFA5C48499EBBB4AF08328F14827FE455B76D2CB38AA45CF54

Function 00417701 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417706

Part of subcall function 00419F2B: __EH_prolog.LIBCMT ref: 00419F30
Part of subcall function 00419F2B: _CxxThrowException.MSVCRT(?,0042E810), ref: 00419F7B

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 83cab5e49b25565b3939891e45a9a10d77df0106bca05394c1e75b10824dee2a
Instruction ID: bd9aade3164a5327875f6b72e53f7940bc2ea94ed18cba3f1a24b0faa07c9e4a
Opcode Fuzzy Hash: 83cab5e49b25565b3939891e45a9a10d77df0106bca05394c1e75b10824dee2a
Instruction Fuzzy Hash: 1B515D74904249DFCB11DFA8C888BDEBBB4AF49304F1444AEE44AD7341C779AE85DB21

Function 00412ED4 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412ED9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9d3f9eba52a6049b96d43d4433ba62f4fc9a9c7786f44eb93216ddbc3de23f8f
Instruction ID: d11674bc6fe02063f26dadcb6afdd03e26e0ef6b4e536af382a12bfe63abda49
Opcode Fuzzy Hash: 9d3f9eba52a6049b96d43d4433ba62f4fc9a9c7786f44eb93216ddbc3de23f8f
Instruction Fuzzy Hash: 82518A74A00606CFCB14CF68C5809ABFBB2FF49304B10895EE5929B750D375E9A2DF94

Function 00416171 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416176

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a997c84d03bd27bc7c58f18df43cd408c6534c18cfdddf53a5232f7de0750d7b
Instruction ID: 8cea611797d63b8bfc20365acd018897896d5ffa812fa3ec194bbb2aa7859777
Opcode Fuzzy Hash: a997c84d03bd27bc7c58f18df43cd408c6534c18cfdddf53a5232f7de0750d7b
Instruction Fuzzy Hash: F541C070A00256EFDB20CF54C488BAABBE0BF15314F1586AED49A97791C774EDC0CB44

Function 0040AF6F Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AF74

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 99f0c1ea61ba1c17496419a7e591ea91786ec0a304dbe574bacff4d7304d9231
Instruction ID: 5b8ce99cd93288b9b3622ce56f3a952f4719c764294ef63b1931a13ebe5bf3d5
Opcode Fuzzy Hash: 99f0c1ea61ba1c17496419a7e591ea91786ec0a304dbe574bacff4d7304d9231
Instruction Fuzzy Hash: 4211B2B1900B909FD765DF24C48099BBBA4BF84308F44886FE0876B642D738BC04C715

Function 0040B564 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B569

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 004062C4: GetLastError.KERNEL32(0040CC4F,?,00000001,?,00000010,00000000,00000000), ref: 004062C4

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID:
API String ID: 683690243-0
Opcode ID: 7e91c0dde115849d1ad0c908fe74a0a5c3d4acead8dbe92c6034b86eb64ab493
Instruction ID: fb4660edd494918f797c6894fe9440a752d3d01a1d336716f1c709085ebbaccd
Opcode Fuzzy Hash: 7e91c0dde115849d1ad0c908fe74a0a5c3d4acead8dbe92c6034b86eb64ab493
Instruction Fuzzy Hash: F901AD726407009EC725FF76D8929DEBBB5EF55314B00463FE883636D2CB78A609CA58

Function 00413856 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041385B

Part of subcall function 004139DF: __EH_prolog.LIBCMT ref: 004139E4

Part of subcall function 00413989: __EH_prolog.LIBCMT ref: 0041398E

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 004138CF: __EH_prolog.LIBCMT ref: 004138D4

Part of subcall function 00413938: __EH_prolog.LIBCMT ref: 0041393D

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: aab47c9550c61e81e4e4e96012b6a7bc3c1ee662ec5293290cb8e2509aa26bae
Instruction ID: e175e7f10f43f6cca05f6be96f189574f0e094f52caf40dd2350f9aae9621fc3
Opcode Fuzzy Hash: aab47c9550c61e81e4e4e96012b6a7bc3c1ee662ec5293290cb8e2509aa26bae
Instruction Fuzzy Hash: D0F0D170914A60DEEB19EF68D81639CBBE0AF04308F50429FE092622D2CBBC2B04874D

Function 004061C1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004061C6

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4a6112fb950159eaf5e83c92a170fb4a182376475d04aa02fba525872de66c1e
Instruction ID: e5ddfb142680ed3c69e4bb472637a6dcbd7afa6831621fbacd83d8a3cc0fb80d
Opcode Fuzzy Hash: 4a6112fb950159eaf5e83c92a170fb4a182376475d04aa02fba525872de66c1e
Instruction Fuzzy Hash: 2CF08932D415049ADB15EB94E991BEEB374DF1535DF10016FE852771C2CB396E09CA18

Function 0040649E Relevance: 1.5, APIs: 1, Instructions: 34timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32(00000018,00000000,000000FF,00000000,00000013,80000000,00000000,?,?,?,00000018,00000018,?,00406515,?,00000013), ref: 004064E9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 59be36acff0148b2a6399661b1d03899d1d288337076d1e5c4a00da86c42ff5d
Instruction ID: 49423b807954fbf5132eddd10db361c8cf6ef33813656f7b93e5a35af05f7635
Opcode Fuzzy Hash: 59be36acff0148b2a6399661b1d03899d1d288337076d1e5c4a00da86c42ff5d
Instruction Fuzzy Hash: 1CF0F630100248BFEF228F14CD05BEA3FA8AB05324F14426EF9A6622E1C375DE20C758

Function 00405276 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040527B

Part of subcall function 0040D5C9: _CxxThrowException.MSVCRT(?,0042C050), ref: 0040D5EF

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID:
API String ID: 3044594480-0
Opcode ID: f1bc381dacc679d8993db77570641906362337e7e61615f70a1999bd743c8d60
Instruction ID: 856f92cbb3ab1a9cb96c509d1022807d22edc14e61e6e41c3b87f0c8937366d3
Opcode Fuzzy Hash: f1bc381dacc679d8993db77570641906362337e7e61615f70a1999bd743c8d60
Instruction Fuzzy Hash: ECF09071A006009FC714EF69D442AAEFBE5EF88318F00866FE406E7381DB78A900CE94

Function 00416DC8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416DCD

Part of subcall function 00416E44: __aulldiv.LIBCMT ref: 00416ECD

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog__aulldiv
String ID:
API String ID: 4125985754-0
Opcode ID: 8bf19885dd5ea0e2f94d69bfacb549f2fcc5b7e4eebcd9df4adba7efa0999e04
Instruction ID: f8137897850cfe31c0c95d7590cf4b9d67ad1fbb95bcf970c06535ca175f3cf8
Opcode Fuzzy Hash: 8bf19885dd5ea0e2f94d69bfacb549f2fcc5b7e4eebcd9df4adba7efa0999e04
Instruction Fuzzy Hash: FD0146B1A01BA0DFC325DF64D4A12DAFBE4FB04308F808A5FD5DA53601C7B8A504CB98

Function 004122DD Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00412322

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: ee2f4b612f09316191009abfdc84f3a107c383a2d7f7fa7f0d7bdf75c4bc9c97
Instruction ID: 84edb9678b7a745c0b725e3e0dbbada79bae0bb88cc8bfe653711e49ff3b59e2
Opcode Fuzzy Hash: ee2f4b612f09316191009abfdc84f3a107c383a2d7f7fa7f0d7bdf75c4bc9c97
Instruction Fuzzy Hash: 1AF027312007078AF7305B31DD01BDBB7D09F61318F14462EE8A9D3250EBBC98A4C769

Function 00416FA9 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416FAE

Part of subcall function 00417899: __EH_prolog.LIBCMT ref: 0041789E

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: eb0fa4d0185cf915b7e1cd56f291fcce4e57fc542e8566139852d541875939b9
Instruction ID: 410289a83d4ed025744fd943b1f64dcfed9d5ec8ab00e327c3d154e98af9d3b0
Opcode Fuzzy Hash: eb0fa4d0185cf915b7e1cd56f291fcce4e57fc542e8566139852d541875939b9
Instruction Fuzzy Hash: 82F0BE31901A20DBC322AF14D906ADEB7F4FF04324F00465FE4D263691CBB8AA408B88

Function 0040E7DB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E7E0

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 573a2cf2bc836b99d9609f8487cba32822be38598a2facaf8ebd2ea7fbb3612e
Instruction ID: 1b364a8ab76887425b7e3a6f64e7fe538d72e94d07a99577154da66e0cac4a81
Opcode Fuzzy Hash: 573a2cf2bc836b99d9609f8487cba32822be38598a2facaf8ebd2ea7fbb3612e
Instruction Fuzzy Hash: 7AE06D76B04204EFC700EF99D445F9EB7A8FF48314F40855EB00A97241C7389900CA68

Function 004062E1 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040631A: CloseHandle.KERNELBASE(00000000,000000FF,004062EC,?,?,0040612D,?,00000000,00000001,00000003,02000000,?,?,?,004060AB), ref: 00406325

CreateFileW.KERNELBASE(004060AB,?,?,00000000,?,02000000,00000000,?,?,0040612D,?,00000000,00000001,00000003,02000000), ref: 00406303

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 019bf48367bcf98dcb756a2f82181cd61b9fe9e8a00531e4bac9db3451219804
Instruction ID: adc6e9f92411e864d9c6c7b87d178177d260d9e0db269cc12a015677b2bab9cc
Opcode Fuzzy Hash: 019bf48367bcf98dcb756a2f82181cd61b9fe9e8a00531e4bac9db3451219804
Instruction Fuzzy Hash: 4CE086321002197BCF215F649C01BCE3B55AF19370F100126FE15AA1E1D772C871AF98

Function 004065C6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004065E9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fe5bcde431ae922a75e4756504e17ece85435cb636739ef29d2279dd80125517
Instruction ID: da683ac8c70a974cc3f8237807a5398f2218d9b128b4c0510ef96a262ff81173
Opcode Fuzzy Hash: fe5bcde431ae922a75e4756504e17ece85435cb636739ef29d2279dd80125517
Instruction Fuzzy Hash: 63E0E575600208FBCB11CFA5D801F8E7BB9AB08358F20C16AF919AA290D739DA10DF54

Function 00415BE9 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415BEE

Part of subcall function 00415FA4: __EH_prolog.LIBCMT ref: 00415FA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 80e3150f7c2d9fd7c4f1173715c9fe5ffee53762babf6db31bc0c1742898919b
Instruction ID: ce869e3aab6ace1ce8533568d57fd8f5675fbc5f5a758563eac7a77371b3ba82
Opcode Fuzzy Hash: 80e3150f7c2d9fd7c4f1173715c9fe5ffee53762babf6db31bc0c1742898919b
Instruction Fuzzy Hash: 62E09AB1A10920CADB19EB64E4127EDB7A4EF44708F00065EA08393281CBB82A04C799

Function 00412E95 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412E9A

Part of subcall function 00412ED4: __EH_prolog.LIBCMT ref: 00412ED9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 15cde52958b12ac71acc7ce77910ede0c9b1ca9d699d2a10452ac9265fe0c123
Instruction ID: 69d3665519c70779c744395f10d9950b652281d112e39adaa058e3f3ba64c18f
Opcode Fuzzy Hash: 15cde52958b12ac71acc7ce77910ede0c9b1ca9d699d2a10452ac9265fe0c123
Instruction Fuzzy Hash: B6D01271A14218AFD718DB45D947BEEB778EB41758F10465FF001A1240C3B95E008668

Function 00406526 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040653C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7b95e35fa55aa0e0c3428753206580943a288fc2de83e1cadcb6ea6cb1f466f9
Instruction ID: aa511b6798c59930b0405c074b109464cadd0f08f127264607b407b712c08231
Opcode Fuzzy Hash: 7b95e35fa55aa0e0c3428753206580943a288fc2de83e1cadcb6ea6cb1f466f9
Instruction Fuzzy Hash: 97E0EC75600208FBCB11CF90CD01FCE7BBAAB49754F208158E90596160C375AA14EB54

Function 0041A2A6 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A2AB

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 00416DC8: __EH_prolog.LIBCMT ref: 00416DCD

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 66064fe4f8ad07cd0b864954b09a8cbe68f0ebe80e91fc1e077c362eaa252818
Instruction ID: bffb35fe6662f17f768acfd319c4c1181e1a9fa832d6402326a06ee7331dc0b5
Opcode Fuzzy Hash: 66064fe4f8ad07cd0b864954b09a8cbe68f0ebe80e91fc1e077c362eaa252818
Instruction Fuzzy Hash: 9DD05E71B01514AFCB4CEFB8A447BADB6E0EB44348F50467FA012E2781EF7899408629

Function 00405A6D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 771ecb549d2df5e9db96aaaa111c166b5f13e32054afe09ecd2ab3c97690b28b
Instruction ID: fa3dde25846cff55b07d37752d80c8345f1936d69bcc94e9975f1054c5fe9f6f
Opcode Fuzzy Hash: 771ecb549d2df5e9db96aaaa111c166b5f13e32054afe09ecd2ab3c97690b28b
Instruction Fuzzy Hash: 81D012312045214ADA745E7C78849E333D89A12330321076AF4B4D32E0D3748C834E98

Function 00403D5E Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00403D74

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: c078ba7b642f1437405dd27f64575dd6badec6b4367417118eb25951d77006ff
Instruction ID: 1fba68da9fe9ae202432a53fb8ce6af3c3a1bc415edf3b5a9342c634e64c5272
Opcode Fuzzy Hash: c078ba7b642f1437405dd27f64575dd6badec6b4367417118eb25951d77006ff
Instruction Fuzzy Hash: 92D0C7361082519FE6155F16EC09C87FFA5FFD5321B11082FF450511609B726C26DA64

Function 00403CEE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00403CF5

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: ca0c3902a19e84967535e1b89705d167b4bdcf58c56db1bb82e36f2fb91b2edc
Instruction ID: bdcaa610731fbb92d061b186abac76fc107d3a3afa5d30b62c2ee034d17f0ff1
Opcode Fuzzy Hash: ca0c3902a19e84967535e1b89705d167b4bdcf58c56db1bb82e36f2fb91b2edc
Instruction Fuzzy Hash: 7FB092323082209BE7281A99BC0AA946794EB0D721F25006BF544C21909A911C528A99

Function 004065A9 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040AEEE,00000000,00000000,?,00000000,?,?,?,?,?,0040B26E,?), ref: 004065B7

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: c1faabe7ee04c17a3e9dedf9d691a06c13326f8eaf91e6cc6540484f6927ee96
Instruction ID: dd5313f992c8f3caee4660e88009fcd1fa651df6d34ad12b859f3340a0bd94a5
Opcode Fuzzy Hash: c1faabe7ee04c17a3e9dedf9d691a06c13326f8eaf91e6cc6540484f6927ee96
Instruction Fuzzy Hash: 4DC04C36158105FF8F120F70CC04D1ABBB2BB95315F10D918B155C5070C7328424EB02

Function 004055CD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 004055CF

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dabda50b76c128f6b582b6eece111edba8ad408e96a23e841a2b7badc71f8a96
Instruction ID: 414952e8fe1a2e075d93a374d6099bf3f4316265d06550280dff1d114576109c
Opcode Fuzzy Hash: dabda50b76c128f6b582b6eece111edba8ad408e96a23e841a2b7badc71f8a96
Instruction Fuzzy Hash: 53A002A0312216DBAA241B329E09A2F256DAEC1AD1B45C96C7401C5170DA2DCC515535

Function 00406645 Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0040668A,00000000,?,00000000,?,?,?,?,0040AE79,?,80004004,?,00000000,?), ref: 00406647

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: dbc56d001a548cd5070795bd2d90de6a3695ba147366a044821af2c85d996497
Instruction ID: 86e43d1d87ccd767641ce6018b972dd42dd26830d60569e3cf728c40a3797de3
Opcode Fuzzy Hash: dbc56d001a548cd5070795bd2d90de6a3695ba147366a044821af2c85d996497
Instruction Fuzzy Hash: CFA002703E502FCB8F211F34DC098243AA6AB96707B6057B4B103D95F4DF224819AA15

Function 00405C89 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 79a2f7dced282e2fb32e550a1d2b0904197e204eb4e7884ebd859e13ad972910
Instruction ID: 880e6c9350023c768339967658fda1199bc4c9145147cf13f7093929cf76d2ce
Opcode Fuzzy Hash: 79a2f7dced282e2fb32e550a1d2b0904197e204eb4e7884ebd859e13ad972910
Instruction Fuzzy Hash: 91A001A0A26A04469A341B346C4899A29A5A996736BA00B75F132D01E4DB79C881A919

Function 004084F5 Relevance: 1.5, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?), ref: 004086B9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 4549de4e085ce23c5d742228b4179348cb2073e1a461e3f40e03bd9db6ea1aff
Instruction ID: e6815487489208ab39f33fed76fb0e7ab78d55a9c6f4cab8f9f9bf2c978d5583
Opcode Fuzzy Hash: 4549de4e085ce23c5d742228b4179348cb2073e1a461e3f40e03bd9db6ea1aff
Instruction Fuzzy Hash: F2814171D002499FDF14CFA8C680AAEB7B1AB48304F24447FD581B7781DB39A980CF59

Function 00407B7E Relevance: 1.3, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00407BAB

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8c18664cc0e2afd8735706c9fad17548e6b9e64cdc38ad65294e7055b2357f7f
Instruction ID: 540c822f5f08825451efabc7153c463d8467db7d585d389fc5b2ba1f3b10f2b9
Opcode Fuzzy Hash: 8c18664cc0e2afd8735706c9fad17548e6b9e64cdc38ad65294e7055b2357f7f
Instruction Fuzzy Hash: 53F04471A0820B9BCB14DE54DC40AB777B9FF44318B14843AAD17EB290D379FC119B9A

Function 0041E080 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041E092

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4f3d972a2cc645180b03ab5989da7a7abdbb96092aef46b131a3a4169954ef89
Instruction ID: 6a611e0c24855a470b21982780ef0240856e0dbfab85deb95be053ee113d5378
Opcode Fuzzy Hash: 4f3d972a2cc645180b03ab5989da7a7abdbb96092aef46b131a3a4169954ef89
Instruction Fuzzy Hash: A3D0A774A5251146CF8486328949B9735A83F04306F58857EEC13CE681FB6EC497C708

Function 0040631A Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,000000FF,004062EC,?,?,0040612D,?,00000000,00000001,00000003,02000000,?,?,?,004060AB), ref: 00406325

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 63bd52484c3e27620c52f78d23f88a666e8d75c923b48dba9752bb41ea792720
Instruction ID: 37909153597268066c058ee49dc1832c7f7ed1a892d8ea3123e2061e027ab4fe
Opcode Fuzzy Hash: 63bd52484c3e27620c52f78d23f88a666e8d75c923b48dba9752bb41ea792720
Instruction Fuzzy Hash: 23D0123160417157DA741E3C7D455C233D85E1237032207AAF4B5D32E0D3748C9346D4

Function 0041E043 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0041E051

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f56809b49086c6ed513efbd4586875a7e0a01cfb318715d2f5b7dbd5dc263cde
Instruction ID: 37d545aa3dd278780438cb9abc06a095e6c0b675cb82c61b18e0c7a60c84fb8a
Opcode Fuzzy Hash: f56809b49086c6ed513efbd4586875a7e0a01cfb318715d2f5b7dbd5dc263cde
Instruction Fuzzy Hash: D2C09BE1E4E290DFDF0657109C55B603F319F97741F4A10C5E4445B0D3D5551D19C727

Function 0041E010 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041E018

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 896ef36176023112d6443d1c7dbb081b3f05f1399666896d001e6a3ed2194474
Instruction ID: 2cf01b38eb4ee948cf265c98e74a8636803a57433c2cd1d462a5ffe318260026
Opcode Fuzzy Hash: 896ef36176023112d6443d1c7dbb081b3f05f1399666896d001e6a3ed2194474
Instruction Fuzzy Hash: CDA012CDE1001100994411322C41053101221E16057C8C479A80144104FF2DC804700A

Function 0041E063 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041E06C

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b969455fa2f22fc73ea04ac6af0352f9a8db9e597e97f0f7f8fcdc9855555cef
Instruction ID: e16472afc0667f0882427de6cdc1df0a5e98d7cfee31e37e763c24b0fda5beb4
Opcode Fuzzy Hash: b969455fa2f22fc73ea04ac6af0352f9a8db9e597e97f0f7f8fcdc9855555cef
Instruction Fuzzy Hash: 71A00278F80714B6ED7467306D4FF6525246784F01F60C594B241681D49DE464459A2C

Function 0041E030 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041E031

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 215540552cff86145e4461e69ebfb5076cc52fc8c4b4bc72fa675cccf62c4148
Instruction ID: 317c144e9e448446760cd229ef9c40f20c29eefaa629672554263170cc7ba9b1
Opcode Fuzzy Hash: 215540552cff86145e4461e69ebfb5076cc52fc8c4b4bc72fa675cccf62c4148
Instruction Fuzzy Hash:

Function 00403BA5 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c77b473b94ae96f42027579122339939922c3ef578ecea1100068d67e2cb92de
Instruction ID: 8a4addd67d1395683a601ebee97e0ac27b042bf7b24b100f5c4dc94180559340
Opcode Fuzzy Hash: c77b473b94ae96f42027579122339939922c3ef578ecea1100068d67e2cb92de
Instruction Fuzzy Hash: 83A00271105101DBDB551B91ED0D55A7B61FB84652F654469F04B405708B314C31FA05

Non-executed Functions

Function 0040704D Relevance: 4.7, APIs: 3, Instructions: 225timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00407091
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 004070A3
__aullrem.LIBCMT ref: 00407205

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Time$File$LocalSystem__aullrem
String ID:
API String ID: 2417234408-0
Opcode ID: e2ea9a577c3c03632edbf28e011eeb485c98ebec837ccdf391d33486ad268604
Instruction ID: 097ebb133b43d6c75499fc9ab10b51d9df6370fde1c7953e3ae636fd5b3e94c1
Opcode Fuzzy Hash: e2ea9a577c3c03632edbf28e011eeb485c98ebec837ccdf391d33486ad268604
Instruction Fuzzy Hash: 4271BC71E09345DBD711CF6984C06EEFBF69F79314F14806EE884A3282D27A5D5AC721

Function 004194A9 Relevance: 3.5, APIs: 2, Instructions: 509COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004194AE

Part of subcall function 004191A2: __EH_prolog.LIBCMT ref: 004191A7

_CxxThrowException.MSVCRT(?,0042E810), ref: 00419986

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 800fb9f3c2d82f9e2b0987539adecd0ab6a29e1bc71cd275f5283ebc7644eb9a
Instruction ID: 3bae86e87b3cf8b9d8377ed57d25004214f6e4a97d94b5689226fb05ce5736f1
Opcode Fuzzy Hash: 800fb9f3c2d82f9e2b0987539adecd0ab6a29e1bc71cd275f5283ebc7644eb9a
Instruction Fuzzy Hash: 10325A7090424ADFCF14DF65C5A0AEEBBB1BF05308F14806EE449AB252D738AE95CF95

Function 00425360 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

@, xrefs: 004257ED

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 387d9f5b0d722e16858b989fb5cf058498023d896b5906e39b88b724edac5b15
Instruction ID: c4327a5b03a4357bab17156b007e5d35fc2f343ba8ec6b5de1daa222e62ab7b1
Opcode Fuzzy Hash: 387d9f5b0d722e16858b989fb5cf058498023d896b5906e39b88b724edac5b15
Instruction Fuzzy Hash: E8020AB16083058FC358DF4AD88045BF7E2BFC8314F58892EF59997315DB70A95ACB86

Function 004253EC Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

@, xrefs: 004257ED

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 20fb1e679b1ea7c9bc9397992702f5c06c27ebda3db9de964d82a84f63a00d7a
Instruction ID: a5a46c98ad045cca7d8d22a35470739b0e600e8396af2da8c62bd07726d085e0
Opcode Fuzzy Hash: 20fb1e679b1ea7c9bc9397992702f5c06c27ebda3db9de964d82a84f63a00d7a
Instruction Fuzzy Hash: B3E11BB160C3058FC358DF4AD88045BF7E2BFC8314F58892DF59983356DB70A95ACA8A

Function 0040736E Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0040735B: GetCurrentProcess.KERNEL32(?,?,0040737C), ref: 00407360
Part of subcall function 0040735B: GetProcessAffinityMask.KERNEL32(00000000), ref: 00407367

GetSystemInfo.KERNEL32(?), ref: 00407392

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: 12424a63e269e0877277bfdfa86892c8ee2fc88c8c4c8b17476209747d2dff76
Instruction ID: 37ac09f4e8775b3dc7db151483154f559ecac358ef485f747e15dc97df7041dd
Opcode Fuzzy Hash: 12424a63e269e0877277bfdfa86892c8ee2fc88c8c4c8b17476209747d2dff76
Instruction Fuzzy Hash: F2D01270E0420997DF54E7F5D44699E77785E44348F0400799C01F21D0DB78F945D65A

Function 00426040 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00426043

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a8b240aa1cb2597892d2c620267438a9b7ed24a8c987694d8ca527b9fca9a5f6
Instruction ID: 1a04f80bb725c75d3dd7a7d213ed030404e6ca71b9454b7eb32c971da4491ff5
Opcode Fuzzy Hash: a8b240aa1cb2597892d2c620267438a9b7ed24a8c987694d8ca527b9fca9a5f6
Instruction Fuzzy Hash: 55D05E71E5042443DB04B72CD94A12933E2F741300FC608EAD498C5226E92DAA16D64B

Function 00407455 Relevance: 1.5, APIs: 1, Instructions: 3timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,004059CA,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010), ref: 00407456

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: dd4d65d4735ecad5eff269bcc9c5ffcae217ccde2733e6e548aead3813e70d00
Instruction ID: 03b31f416222a043bea4c947158f1946739afe019085366f262c6bff39aea67e
Opcode Fuzzy Hash: dd4d65d4735ecad5eff269bcc9c5ffcae217ccde2733e6e548aead3813e70d00
Instruction Fuzzy Hash:

Function 0041DDB0 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

PbB, xrefs: 004251A4, 004251AB

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID: PbB
API String ID: 0-1558502971
Opcode ID: 47ff404f096a15f6be07cdd7ff47f7c3a4c0280c46258968b647365bbcb83ffc
Instruction ID: a90cc3db49980fd9bdf7688ba4c454fc12f945e6fdca8d25ef6de79eb1c97d35
Opcode Fuzzy Hash: 47ff404f096a15f6be07cdd7ff47f7c3a4c0280c46258968b647365bbcb83ffc
Instruction Fuzzy Hash: 4D41E432F10A3006B34CCE3AAC851662BC3DBC9382785D739D565C66D9D9BDC413D1A8

Function 004226B0 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveObjectSingleWait
String ID:
API String ID: 1001467830-0
Opcode ID: c2e93f49e507dd83a320957035e7cc1bd384210c5e44b5caa0bc2a24e808fe7a
Instruction ID: a07709ed0249790d25947c5d4043c77be657826ad63f2b176fd792c5173063d6
Opcode Fuzzy Hash: c2e93f49e507dd83a320957035e7cc1bd384210c5e44b5caa0bc2a24e808fe7a
Instruction Fuzzy Hash: 8A621771A083519FCB24CF19D68052BFBE1BFC8740F948A2EE89597315D7B8E845CB46

Function 00420CA9 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction ID: 6779b2a74973eff395bcc09e7ec8ee8c4b47229ef48312d7df48326998885e9a
Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction Fuzzy Hash: 60022A73B0836047D718CE19DD80229B7E3FBD0380FAA492FF89647395DAB49946C799

Function 004212C0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction ID: 5fbcdf7e76c78e01b99a8ca8083e79c7bf9a59bce4f2b0593f3807deda067ad1
Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction Fuzzy Hash: 18024A32B043218BD708CE28D58027DBBE3FBE4345F550A3FE896976A4D7789845CB89

Function 004240A0 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
Instruction ID: 2dae5d15b16d92ed7caafcb73801ff926bcdae23959ce8009c2e2d6f19409047
Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
Instruction Fuzzy Hash: 2A028C706047208FC328CF2EE49422AFBE1EFC5301F548A6EE5DA87791D23AE559CB55

Function 00424AB0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec21f2bc10a4140bfded27c6d5d1301f13af393237b8a6ab6090c49201403264
Instruction ID: 9dbdf3cc36c0871e00d70d1cf73c890cd0849f4c1b349caee6c3423430388a93
Opcode Fuzzy Hash: ec21f2bc10a4140bfded27c6d5d1301f13af393237b8a6ab6090c49201403264
Instruction Fuzzy Hash: 95E1F6729043AA4FD31CEF58EC91635B7A1FF88380F09457DCA560B3B2D6746A01DB94

Function 0041E1E0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction ID: 180b3774adec75c40f857ab56fa67e51ed4644e1aa4a0a04af6b9390553663a5
Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction Fuzzy Hash: D2B192766012118FC750CF2EC8801597BA2BFC532977997AEC8A48F746D33AE857CB94

Function 0041E9A0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction ID: 586f8480fd11126397f6699f5bfc9f0ef5ac81eadabf3b744486f71cccb0705d
Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction Fuzzy Hash: 3231277B600A054EF620852B89883E77213FFD63A0F19C727DD16873E8CA399DC6814D

Function 00426620 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b992da0320ec3f814fb582ec4cb6330d05488eb9d43a721a90b87cbfbd9ca5c7
Instruction ID: 8a31634d1fb8d893b677315f844586136606d247691434bc821e591bcdba7911
Opcode Fuzzy Hash: b992da0320ec3f814fb582ec4cb6330d05488eb9d43a721a90b87cbfbd9ca5c7
Instruction Fuzzy Hash: FA5186315102399BC782EF5DF8D4AEA73E5FB4434EFD34A26DE8257141C624E826D6A0

Function 00402866 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8755404496fa14fc5fc9ac73b9f104171496fa033ba51e4f77bd0a7ed76c6b
Instruction ID: cec01148624ff6002e8d78b3abb26f3a7b04ecb4e699d004dc871b06b6aa27d5
Opcode Fuzzy Hash: fc8755404496fa14fc5fc9ac73b9f104171496fa033ba51e4f77bd0a7ed76c6b
Instruction Fuzzy Hash: 69217137AA0D1707D70C8A28EC37AB93281E744305F89567EE94BCB3D1DEAC8800C648

Function 004248E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e3b7086b35622f3edc5cc23a5ba1f7ddd0fc26d22bb20063e423d6306cc5fe
Instruction ID: 3f22e8bbf1c80f18dc348f81ee196079cd90f877339ced02ae457c1f152bd803
Opcode Fuzzy Hash: 77e3b7086b35622f3edc5cc23a5ba1f7ddd0fc26d22bb20063e423d6306cc5fe
Instruction Fuzzy Hash: C8214BB1B043BA07E310BE7CDC8027777E6EBC1301F884276D9948F646D679889297A4

Function 00426100 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64

Function 004185F9 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004185FE

Part of subcall function 00417D89: _CxxThrowException.MSVCRT(?,0042E810), ref: 00417DAC

memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000B,00000000,?,?), ref: 004189F0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418A8C
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AA0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AB4
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AC8
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418ADC
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AF0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B04
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B18
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B2C
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B40
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B54

Part of subcall function 00417BB2: _CxxThrowException.MSVCRT(?,0042E7D0), ref: 00417BC5

Strings

!, xrefs: 004187FE
, xrefs: 004187DC
@, xrefs: 004187D2

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 86ab02d0ed812b2bc682d74ebd8090e91257ed431655c286634e8f5cefe57a90
Instruction ID: a8af2338d33f97ab3af66800fc8919b7e7d9159ea038428e72aaae9fbbebb504
Opcode Fuzzy Hash: 86ab02d0ed812b2bc682d74ebd8090e91257ed431655c286634e8f5cefe57a90
Instruction Fuzzy Hash: 92126C74E05249EFCF04DFA5C981AEEBBB1BF09304F54845EE445AB352DB38A981CB58

Function 0041078C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410791
fputs.MSVCRT ref: 004107AE
fputs.MSVCRT ref: 004107B7

Part of subcall function 00403EB1: __EH_prolog.LIBCMT ref: 00403EB6

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

fputs.MSVCRT ref: 004107FD
fputs.MSVCRT ref: 00410806
fputs.MSVCRT ref: 0041080D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

fputs.MSVCRT ref: 0041083F
fputs.MSVCRT ref: 00410848
fputs.MSVCRT ref: 00410850

Strings

Size: , xrefs: 00410801
Path: , xrefs: 004107B2
Modified: , xrefs: 00410843

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$H_prolog$fputcfree
String ID: Modified: $Path: $Size:
API String ID: 2632947726-3207571042
Opcode ID: dad6ea9b37028dc7d9b6d66f9ca6d710003fafdbd0f38657ec1ce368b28c369f
Instruction ID: b65d724bde5c915c69112c2f50a2259a5a42bfe36314ecb7860c7f1e00933a31
Opcode Fuzzy Hash: dad6ea9b37028dc7d9b6d66f9ca6d710003fafdbd0f38657ec1ce368b28c369f
Instruction Fuzzy Hash: 5121C431A00014ABCF11BFA6DC81AAE7F36EF44354F54402BF805662A1EB7A49A1DF95

Function 0040822B Relevance: 16.4, APIs: 13, Instructions: 196COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00408244
memcmp.MSVCRT(?,004293D8,00000010), ref: 00408261
memcmp.MSVCRT(?,004294C8,00000010), ref: 00408274

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8910d6305239276ff3f7db42ecd347003804e214d9e1dbdd8d8a49be33777170
Instruction ID: e96827f4b63efecacfe58e3eea22b3fe6ab2bc99bd733a1cd9902dd8c249a16e
Opcode Fuzzy Hash: 8910d6305239276ff3f7db42ecd347003804e214d9e1dbdd8d8a49be33777170
Instruction Fuzzy Hash: 1951AA72B00625ABE7105A15ED41FA733AC9E20754B40412EFD86E7381FB38FE05CA99

Function 0041EBC0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0041EBC7
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBDD
GetProcAddress.KERNEL32(00000000), ref: 0041EBE4
GetSystemDirectoryW.KERNEL32(?,00000106), ref: 0041EC07
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0041EC8D

Strings

\, xrefs: 0041EC1C
SetDefaultDllDirectories, xrefs: 0041EBD3
\, xrefs: 0041EC24
kernel32.dll, xrefs: 0041EBD8

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersion
String ID: SetDefaultDllDirectories$\$\$kernel32.dll
API String ID: 2515194075-2532076501
Opcode ID: 82f5796dbf9e0cdcb216b5097f80af6bf4f1409dd4f72cd67fc1d0562e83a76e
Instruction ID: 913686e8244bd061a2bcb12ad3078c3bbff088274ca3bb4e53c0d7fdda3888e6
Opcode Fuzzy Hash: 82f5796dbf9e0cdcb216b5097f80af6bf4f1409dd4f72cd67fc1d0562e83a76e
Instruction Fuzzy Hash: 2321C3346043159AE7349F59EC08F97BBE4AF40700F58942AD984D72A0F77998C5C79E

Function 00411D49 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411D6F
fputs.MSVCRT ref: 00411D74
fputs.MSVCRT ref: 00411D7D
fputs.MSVCRT ref: 00411D93

Strings

: Cannot open the file as [, xrefs: 00411D78
Open , xrefs: 00411D6A
] archive, xrefs: 00411D8E
ERROR, xrefs: 00411D5B, 00411D73
WARNING, xrefs: 00411D54

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs
String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
API String ID: 1795875747-657955069
Opcode ID: 64877689ad02330c930da7756644846f4b0a693915e548a7d511e3b40fd6094c
Instruction ID: 9c73f5e0e90770f140b12c62cfba92fc1376db5acbc4535256ac5aafa418b3ee
Opcode Fuzzy Hash: 64877689ad02330c930da7756644846f4b0a693915e548a7d511e3b40fd6094c
Instruction Fuzzy Hash: 8FF0E9327001257BD6102766BC40E6FBF1ADF89761F600027FD0493241EB3E1830DA69

Function 00402576 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040257B

Strings

Multiple instances for switch:, xrefs: 0040262C
Too short switch:, xrefs: 0040264A
Incorrect switch postfix:, xrefs: 0040268A
Unknown switch:, xrefs: 00402601
Too long switch:, xrefs: 004026E3

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
API String ID: 3519838083-2104980125
Opcode ID: d9e00402a8267a82a38b1fd4dfc1d301fca588ab41393d797d9d01ba006b6064
Instruction ID: 801a60c05f7d27c0b30539d6495d90dca1c7defda93e75e34d4a3a70a0fcaa99
Opcode Fuzzy Hash: d9e00402a8267a82a38b1fd4dfc1d301fca588ab41393d797d9d01ba006b6064
Instruction Fuzzy Hash: C051B330A002569FCF24DF14CA88AAEBBB1BF11304F5444AFD845BB2D2D7BA9D41CB59

Function 00410623 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 0041062E
fputs.MSVCRT ref: 0041066D
fputs.MSVCRT ref: 00410692
LeaveCriticalSection.KERNEL32(00430538), ref: 0041072E

Strings

Would you like to replace the existing file:, xrefs: 00410668
with the file from archive:, xrefs: 0041068D

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: Would you like to replace the existing file:$with the file from archive:
API String ID: 3346953513-686978020
Opcode ID: 182b8e36cb8f0a887b3cc39515999b9dcb11ba1838c4aa99133f64ed9c068234
Instruction ID: 8d30f5c3a769b9b05dc9022ead1e570209d6b32d37c02158444c586a9a64ffd4
Opcode Fuzzy Hash: 182b8e36cb8f0a887b3cc39515999b9dcb11ba1838c4aa99133f64ed9c068234
Instruction Fuzzy Hash: 2A317F75200204DBDB11AF25D940BDA77E1EF88314F11416BF92A97291CBB9ACE2CF5D

Function 00410FA2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410FA7
fputs.MSVCRT ref: 00410FC0

Part of subcall function 00403E56: __EH_prolog.LIBCMT ref: 00403E5B

Strings

WARNING:, xrefs: 00410FBB
The archive is open with offset, xrefs: 00410FF5
The file is open, xrefs: 0041103B
Cannot open the file, xrefs: 00411016

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog$fputs
String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
API String ID: 3822167597-1259944392
Opcode ID: 3769bc2594a60d947f324f43e162f9542d25cae14344e564b9194a4f14147df9
Instruction ID: 2fe33cfd7bd924c02116d12d6cc5e0899d97df651c7911a456f6b34765396213
Opcode Fuzzy Hash: 3769bc2594a60d947f324f43e162f9542d25cae14344e564b9194a4f14147df9
Instruction Fuzzy Hash: 6921C431B00511DFCB14EF65D542AAEBBB4EF48345B80442FE602E7691CB3DADC68B49

Function 0041290F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 0041292A

Part of subcall function 00403CDF: fflush.MSVCRT ref: 00403CE1

GetStdHandle.KERNEL32(000000F6), ref: 0041293C
GetConsoleMode.KERNEL32(00000000,00000000), ref: 0041295E
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041296F
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041298F

Strings

Enter password (will not be echoed):, xrefs: 00412925

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ConsoleMode$Handlefflushfputs
String ID: Enter password (will not be echoed):
API String ID: 108775803-3720017889
Opcode ID: 25c804d01db33c1ab0bc5cb966c29544ee48e5892db4f5b428a53a560feb2906
Instruction ID: 06c9a69e81cbb5c5db69f777e7cc9e6c7d4d2dc80c9e68aa15962718b8ebadc6
Opcode Fuzzy Hash: 25c804d01db33c1ab0bc5cb966c29544ee48e5892db4f5b428a53a560feb2906
Instruction Fuzzy Hash: 21110A76B041196BDB115BA99D056EEBFB9AF81724F14416BE810F32D0CB780D51CB9C

Function 00405B34 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405B4D
GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 00405B61
GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 00405B6E

Strings

kernel32.dll, xrefs: 00405B48
FindFirstStreamW, xrefs: 00405B5B
FindNextStreamW, xrefs: 00405B63

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 667068680-4044117955
Opcode ID: 209bc51a69cd21a9cb9a554d552f349016e7f251f682d818fccc93cde8e55180
Instruction ID: 993e4fd1b4b43a4bdfd4fb802b812d309aec3832960eb3898a326147e7614a50
Opcode Fuzzy Hash: 209bc51a69cd21a9cb9a554d552f349016e7f251f682d818fccc93cde8e55180
Instruction Fuzzy Hash: 74E0C231B043246BD3104BAABC89877FEECEAC4760760017BB509E3260E6F82C028F5D

Function 00407A1B Relevance: 8.8, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00407A34
memcmp.MSVCRT(?,004291F8,00000010), ref: 00407A51
memcmp.MSVCRT(?,004291D8,00000010), ref: 00407A64
memcmp.MSVCRT(?,00429218,00000010), ref: 00407A77

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1906f6f9a3bc8567207bf16f5b12049dd60c52ce4a1937d7281cae0f19a5e01e
Instruction ID: 09fc6409721d384321c9daad9889d0c59f869200ca07e15681de2c6d8400d0c6
Opcode Fuzzy Hash: 1906f6f9a3bc8567207bf16f5b12049dd60c52ce4a1937d7281cae0f19a5e01e
Instruction Fuzzy Hash: 1721A372B442156BE7008A15AC82F7F33AC9A50754B54852AFD05E7381F678EE009AAB

Function 00410BF5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 00410C02
fputs.MSVCRT ref: 00410CA2
fputs.MSVCRT ref: 00410CBB
LeaveCriticalSection.KERNEL32(00430538), ref: 00410CFD

Strings

: , xrefs: 00410CB6

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: :
API String ID: 3346953513-3653984579
Opcode ID: a61e537f1a5ebc49ed7eb163dcc44a7e566cab02f14b4025be8a2cde46201e41
Instruction ID: 09d9808faf5bd919de83ef7c98426f172d115119e5f1a576890054117d399c7e
Opcode Fuzzy Hash: a61e537f1a5ebc49ed7eb163dcc44a7e566cab02f14b4025be8a2cde46201e41
Instruction Fuzzy Hash: EC319C31500208DFD714EF65D894EDAB7B4FF44318F50826FE81A9B252DB78A980CF58

Function 0041EB90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00411EE8), ref: 0041EB90
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBA6
GetProcAddress.KERNEL32(00000000), ref: 0041EBAD

Strings

SetDefaultDllDirectories, xrefs: 0041EB9C
kernel32.dll, xrefs: 0041EBA1

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 3310240892-2102062458
Opcode ID: 612a3b4ddb9acc66ff93ecbb857bc4bfeff86ee96ca2284e8fffde39a6173eaf
Instruction ID: 0862184ad8ba24335b569b053d5d12c6817f75253087d21a0b209ed3f2b8ea95
Opcode Fuzzy Hash: 612a3b4ddb9acc66ff93ecbb857bc4bfeff86ee96ca2284e8fffde39a6173eaf
Instruction Fuzzy Hash: 27C01234B4421D96DB2417A5AD0DF963666E7C4702FD80062BD03D00E4CF789982C61C

Function 0041086D Relevance: 7.7, APIs: 5, Instructions: 152COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 00410878
fputs.MSVCRT ref: 00410924
fputs.MSVCRT ref: 0041099C
fputs.MSVCRT ref: 004109B6
LeaveCriticalSection.KERNEL32(00430538,?), ref: 00410A46

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$CriticalSection$EnterLeave
String ID:
API String ID: 1081906680-0
Opcode ID: 5e82338f592fc34e1cc404cf4d0de40915fd742753c2a9b8b9984db827fb2d4d
Instruction ID: 027993372e94a90fe108f72b057ff34fb2b178c490f9bd66c7364564f43692ce
Opcode Fuzzy Hash: 5e82338f592fc34e1cc404cf4d0de40915fd742753c2a9b8b9984db827fb2d4d
Instruction Fuzzy Hash: 7351D231604306DFEB24DF20C955BEA7BA1FF48314F04842FE45A6B291CBB8A9D5CB59

Function 004040B6 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 004040EE
GetLastError.KERNEL32(?,00000000,?,?,?,00000000), ref: 004040F7
_CxxThrowException.MSVCRT(?,0042C050), ref: 00404115
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000001,00000001,?,00000000,?,?), ref: 0040417C
_CxxThrowException.MSVCRT(0000FDE9,0042C050), ref: 004041A4

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: cfd6c78358ac07a3c2f5c7783267483c925d2c8b350aec6f244fbd3ed4ca990f
Instruction ID: ddf483936085a76ef41ae3a6c868e145893958370a6de898f5c65fa482b2d003
Opcode Fuzzy Hash: cfd6c78358ac07a3c2f5c7783267483c925d2c8b350aec6f244fbd3ed4ca990f
Instruction Fuzzy Hash: 8631E3B1604205BFDB11CFA4CC85BBEBBF8AF55344F10806AE544EB280C7789D85CBA4

Function 00414792 Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 004147AB
memcmp.MSVCRT(?,004293D8,00000010), ref: 004147C8
memcmp.MSVCRT(?,004294A8,00000010), ref: 004147DB

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: d1d27eebe698f95dafb466b7f552e0a33d146d414f17f5489ccea16cbcc13696
Instruction ID: ab4dab2fae12ce32b20b6cfbf363ba4071ac0056bfb13e88cb7f35a40cc3fbe5
Opcode Fuzzy Hash: d1d27eebe698f95dafb466b7f552e0a33d146d414f17f5489ccea16cbcc13696
Instruction Fuzzy Hash: B221C576B00215ABE700AE15EC82FBB73A89BA07A4F14412AFD05DB341E678DD4146AA

Function 004059A9 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00407455: GetSystemTimeAsFileTime.KERNEL32(?,004059CA,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010), ref: 00407456

SetLastError.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000), ref: 004059E8
GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 004059EC
GetFileInformationByHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A00
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A58
SetLastError.KERNEL32(00000006,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A64

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast$FileHandleTime$InformationSystem
String ID:
API String ID: 1030185623-0
Opcode ID: 491123aa0d19b53963d0ba5624d9c6b6f027d198acf0d456067b5beaa04c73dd
Instruction ID: 43247151832c92c783002a763622c32ca72b9f62b1d40b072dcd93f988fba4cd
Opcode Fuzzy Hash: 491123aa0d19b53963d0ba5624d9c6b6f027d198acf0d456067b5beaa04c73dd
Instruction Fuzzy Hash: 9421F774A00B059FCB20DF69D885A5BBBF4FF08320B10462AE569E3790E734E905CF54

Function 00411C2A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411C2F
fputs.MSVCRT ref: 00411C98
fputs.MSVCRT ref: 00411CAF

Strings

= , xrefs: 00411CAA

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: 6c471a2ef6530a59ec5113148ca7b72510f446cde176fcdeb89754153c16460e
Instruction ID: 1b0edf4538b9036d1089c6cef4bedea74b82e6cb5f1a31546f15677c97918bcb
Opcode Fuzzy Hash: 6c471a2ef6530a59ec5113148ca7b72510f446cde176fcdeb89754153c16460e
Instruction Fuzzy Hash: EA219F32900118AFDF05EB95D842BEDBBB5AF44319F20402FE401721A1EB792E81CB98

Function 0040FC60 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040FC76
memcmp.MSVCRT(?,00429278,00000010), ref: 0040FC91
memcmp.MSVCRT(?,004292A8,00000010), ref: 0040FCA5

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: a693b106da1646162e2325d0c3da7007423092edf42d73c4806106454a0f5857
Instruction ID: b4b8cbf5b466e02db0d24476debb83d958eff9c092edf636f16ca7dc42c6bbb7
Opcode Fuzzy Hash: a693b106da1646162e2325d0c3da7007423092edf42d73c4806106454a0f5857
Instruction Fuzzy Hash: 75112932740209A7E7204A15EC43FBA33A45F54710F54453BFD46EB3C1F679E804569E

Function 00404001 Relevance: 6.3, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040402D
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00404036
_CxxThrowException.MSVCRT(?,0042C050), ref: 00404050
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00404075
_CxxThrowException.MSVCRT(?,0042C050), ref: 0040408B

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: bdd5df10d88c5e80083a4577c3421ebdd7ddd51eeeca16ae066f61805f11393e
Instruction ID: 4ac132360325015ebd2c62f9aad36c2b8b5ce9f4421ab3691f6160e0cd77abd7
Opcode Fuzzy Hash: bdd5df10d88c5e80083a4577c3421ebdd7ddd51eeeca16ae066f61805f11393e
Instruction Fuzzy Hash: 49110DB5200505BFD720DF65DC81E6BB7EDFF88384B50812AEA19E7240D775AD418BA8

Function 00405B7B Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00405A6D: FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

SetLastError.KERNEL32(00000078), ref: 00405B9B
SetLastError.KERNEL32(00000000), ref: 00405BA5
FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00405BB9
GetLastError.KERNEL32 ref: 00405BC6

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: 2749851167958df2b69f257e2b4f0fabe59ec9884642ac4421954b3e0dc01f9e
Instruction ID: 8b1c33bf5c767727a663e7b38ed12da21a1870170c7a8d394256995f507f3ca5
Opcode Fuzzy Hash: 2749851167958df2b69f257e2b4f0fabe59ec9884642ac4421954b3e0dc01f9e
Instruction Fuzzy Hash: B8F08C30104A099BCB306F24DC09BAB3375EB10325F204276E552BA1E0EA78BD86CF69

Function 00408F7C Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00409399,?,00413510,?,?), ref: 00424723
GetLastError.KERNEL32(?,00413510,?,?), ref: 00424730
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00409399,?,00413510,?,?), ref: 0042474B

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: ad2609b926203c852762c17253ddc8a92b970ffd877e63c396e861917d5cc8ee
Instruction ID: 69587264c1ca5cd8272a9dfa6d0881f87e04865dcef00d1d77fbe5789d4fff4d
Opcode Fuzzy Hash: ad2609b926203c852762c17253ddc8a92b970ffd877e63c396e861917d5cc8ee
Instruction Fuzzy Hash: 0BF030743003159BE7305F34AD08B633994EBC2B42FD0047AB915DA2D0EB6DC842DA5C

Function 0040E400 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E405

Part of subcall function 00406F66: VariantClear.OLEAUT32(?), ref: 00406F88

Strings

Unknown warning, xrefs: 0040E582, 0040E587
Unknown error, xrefs: 0040E521, 0040E526

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: Unknown error$Unknown warning
API String ID: 1166855276-4291957651
Opcode ID: b83380f3ee18b6f9f934a345221d735d3a38ddd69aefc5361ffd61519bd1e1f7
Instruction ID: e2c51ea3c9d5ff53c368fc9fea119ca8137ad16915fe70a45aa60a70686436fe
Opcode Fuzzy Hash: b83380f3ee18b6f9f934a345221d735d3a38ddd69aefc5361ffd61519bd1e1f7
Instruction Fuzzy Hash: C58147B1A00709DBCB10DFA6C5809EEB7F0FF58308F50896EE456A7290D779AE14CB58

Function 00404F8E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00404FE8
wcscmp.MSVCRT ref: 00404FFD

Strings

UNC, xrefs: 00405021

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: wcscmp
String ID: UNC
API String ID: 3392835482-337201128
Opcode ID: 0f50e1a4b89f9bb1c8fdf0474285ed29ed5cb079e505af0e673f1010bac49f26
Instruction ID: d4f1103d63d9ba93538f6336bbde5048e2c91832e0775446ecdb83d365754428
Opcode Fuzzy Hash: 0f50e1a4b89f9bb1c8fdf0474285ed29ed5cb079e505af0e673f1010bac49f26
Instruction Fuzzy Hash: E9215CB53006019FD724CE48D984A2AB3E5EB85350B64847BE645AF3D1C63AEC42CF88

Function 00412442 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00412489
strlen.MSVCRT ref: 004124AF

Strings

M, xrefs: 0041249D

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: __aulldivstrlen
String ID: M
API String ID: 1892184250-3664761504
Opcode ID: 5cb360c24d34eea26afc0b9a41df7248fd98ee7fc509eed417d6c7d163f83f1e
Instruction ID: 4c523177f86cd1d8441d7e59bba430fadbe405382aa8792db896841e4d0aaa05
Opcode Fuzzy Hash: 5cb360c24d34eea26afc0b9a41df7248fd98ee7fc509eed417d6c7d163f83f1e
Instruction Fuzzy Hash: 41113D323006546BDF25DAA5C945FBF77E99B88314F14482FE287D71C1D9B8AC458328

Function 00410EE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410EE7

Strings

x, xrefs: 00410F58
0, xrefs: 00410F54

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: H_prolog
String ID: 0$x
API String ID: 3519838083-1948001322
Opcode ID: 22b041c608f5a5e13fb34e29759c105454cba705c22a6f84aeb62827a4a014bc
Instruction ID: e1ee27c14022c3c4861809de81e0fb68f5ccf3bdc354b16ac99790b939c913b1
Opcode Fuzzy Hash: 22b041c608f5a5e13fb34e29759c105454cba705c22a6f84aeb62827a4a014bc
Instruction Fuzzy Hash: 99218E32D0011A9BCF04EB99D6866EEB7B5EF48308F50006FE401772C1DBB95E45CBA9

Function 00411E0B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411E5B

Strings

Cannot open encrypted archive. Wrong password?, xrefs: 00411E1E
Cannot open the file as archive, xrefs: 00411E56

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs
String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
API String ID: 1795875747-1623556331
Opcode ID: 903e6ea9d750758cf79017287e50944535a56994a1adf74cb8bda59e51e8e830
Instruction ID: 0cf7914edf2aa8e7341596000c12c1df42a57dbecb04f7ec900b94d22c574bf8
Opcode Fuzzy Hash: 903e6ea9d750758cf79017287e50944535a56994a1adf74cb8bda59e51e8e830
Instruction Fuzzy Hash: C9012B313043004BDA14ABA6D494BBEB3ABEFC8305F54442FE90297691DB79A841CB49

Function 00401E91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00401E9F

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

_CxxThrowException.MSVCRT(?,0042BEC8), ref: 00401EBD

Strings

F{v, xrefs: 00401EA7

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: ExceptionThrowfputcfputs
String ID: F{v
API String ID: 216139821-2160915812
Opcode ID: 371c0219cddd745f2fd22c0babe40867749c4025da24472a6f695e9493d75851
Instruction ID: d2b0a6de4596742a9aade8aba5fa8a7106dfecfa37289e7a858a3f4501c6d105
Opcode Fuzzy Hash: 371c0219cddd745f2fd22c0babe40867749c4025da24472a6f695e9493d75851
Instruction Fuzzy Hash: D6E0E532204210BADB24ABA2EC468AF7FA8FF48364F90406FF544621A1CF3A5C00C79C

Function 004119E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411A13
fputs.MSVCRT ref: 00411A1C

Strings

= , xrefs: 00411A17

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs
String ID: =
API String ID: 1795875747-2525689732
Opcode ID: 0147c7e87789d73289e91d10756a9f56ae187d6ee00c8b5ffa58ce0ff1850403
Instruction ID: fd7b5fc4074da5f726c61a76c532ff66209f63a2db578f74099ff53049078f53
Opcode Fuzzy Hash: 0147c7e87789d73289e91d10756a9f56ae187d6ee00c8b5ffa58ce0ff1850403
Instruction Fuzzy Hash: F9E06832B001165BDF00A7A9DC048BE3F29EB803407800833E92083240E734D821CBD9

Function 00412199 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 004121BA
fputs.MSVCRT ref: 004121BF

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

Strings

@F{v, xrefs: 004121B3, 004121BC

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: fputs$fputc
String ID: @F{v
API String ID: 1185151155-3152675431
Opcode ID: 9e1f21a1a5fb39f034f5dc85d9ede8fe86954530ca0cfcaa877b02d750cc075d
Instruction ID: 5bb4c2b846e8c0631b0c11144f3aba1d019c83e257a75f4335b22dd781eada4b
Opcode Fuzzy Hash: 9e1f21a1a5fb39f034f5dc85d9ede8fe86954530ca0cfcaa877b02d750cc075d
Instruction Fuzzy Hash: 68D0C23270012077D6207BAA6D4089B771DDFC4715312042BE940E7211C6AA4CA14FE8

Function 00409589 Relevance: 5.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040959F
memcmp.MSVCRT(?,00429298,00000010), ref: 004095B3
memcmp.MSVCRT(?,004293A8,00000010), ref: 004095D1
memcmp.MSVCRT(?,004293C8,00000010), ref: 004095EF

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 80e00aac9ef1727003516d7c20b7c01282fa0a3255e32e4d8766d31eaa877d50
Instruction ID: c938bc79dae6d3baf006416a7562a1e2610761fca94207467e88f97749ed857f
Opcode Fuzzy Hash: 80e00aac9ef1727003516d7c20b7c01282fa0a3255e32e4d8766d31eaa877d50
Instruction Fuzzy Hash: 7111E132740305ABD7048A15EC42FAA33A45B94711F15493AFD45EB3C2E6B9ED10969D

Function 00401C3F Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00401C55
memcmp.MSVCRT(?,00429598,00000010), ref: 00401C70
memcmp.MSVCRT(?,004295A8,00000010), ref: 00401C84

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 6d1a407f022db9f2e5c143e4d34420cd98d487bfa406f32ca3a087a793df4ed1
Instruction ID: 1bb52f204ec3132851ce200ba376ef9f6e02923974aa5b90121e92a54bb61859
Opcode Fuzzy Hash: 6d1a407f022db9f2e5c143e4d34420cd98d487bfa406f32ca3a087a793df4ed1
Instruction Fuzzy Hash: 0C01E1327803156BE7104A15DC82FBA33A48B54761F54453EFE45FB392E2B8E840969D

Function 0040BDB1 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040BDC7
memcmp.MSVCRT(?,004291F8,00000010), ref: 0040BDE2
memcmp.MSVCRT(?,004291D8,00000010), ref: 0040BDF6
memcmp.MSVCRT(?,00429218,00000010), ref: 0040BE0A

Memory Dump Source

Source File: 00000004.00000002.1363398767.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1363381926.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363423692.0000000000429000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363443363.0000000000430000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.1363474002.0000000000437000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_20decf5c428.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 2f98c186718bde587d544e52970a976abc0dd2256160a2195ffc1d90ca2aabb8
Instruction ID: e040212cbf1a7ccb1c558fc37de72ae02c15694fc619d7ee7d70c4cf786e1ef4
Opcode Fuzzy Hash: 2f98c186718bde587d544e52970a976abc0dd2256160a2195ffc1d90ca2aabb8
Instruction Fuzzy Hash: 8F01D63274030666D7100A15EC43FBA73A48B54750F54443EFE84EB382E7B8D410469E

Analysis Process: soiucosxz.exePID: 7824, Parent PID: 7468COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	191
Total number of Limit Nodes:	1

Executed Functions

Function 0000022F198400AA Relevance: 71.6, APIs: 5, Strings: 42, Instructions: 1118memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000022F1984054D
VirtualAlloc.KERNEL32 ref: 0000022F198405FD
VirtualAlloc.KERNEL32 ref: 0000022F198406F3

Strings

r, xrefs: 0000022F19840287
R, xrefs: 0000022F198403B6
r, xrefs: 0000022F198402EB
e, xrefs: 0000022F198403E8
u, xrefs: 0000022F198402F5
V, xrefs: 0000022F198402E1
e, xrefs: 0000022F1984030E
o, xrefs: 0000022F198402AF
i, xrefs: 0000022F198402E6
o, xrefs: 0000022F198403D4
l, xrefs: 0000022F198402A5
l, xrefs: 0000022F198403C0
t, xrefs: 0000022F1984028C
F, xrefs: 0000022F19840304
p, xrefs: 0000022F198403DE
i, xrefs: 0000022F19840282
e, xrefs: 0000022F198403CA
r, xrefs: 0000022F198403E3
a, xrefs: 0000022F19840296
m, xrefs: 0000022F198403D9
e, xrefs: 0000022F19840313
e, xrefs: 0000022F1984040B
D, xrefs: 0000022F198403C5
A, xrefs: 0000022F198402A0
f, xrefs: 0000022F19840401
r, xrefs: 0000022F19840309
V, xrefs: 0000022F1984027D
t, xrefs: 0000022F198402F0
u, xrefs: 0000022F198403FC
a, xrefs: 0000022F198402FA
s, xrefs: 0000022F198403ED
r, xrefs: 0000022F19840410
t, xrefs: 0000022F198403BB
u, xrefs: 0000022F19840291
f, xrefs: 0000022F19840406
s, xrefs: 0000022F198403F2
B, xrefs: 0000022F198403F7
c, xrefs: 0000022F198403CF
l, xrefs: 0000022F198402FF
c, xrefs: 0000022F198402B4
l, xrefs: 0000022F1984029B
l, xrefs: 0000022F198402AA

Memory Dump Source

Source File: 00000008.00000003.1965554499.0000022F19840000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022F19840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_22f19840000_soiucosxz.jbxd

Similarity

API ID: AllocVirtual
String ID: A$B$D$F$R$V$V$a$a$c$c$e$e$e$e$e$f$f$i$i$l$l$l$l$l$m$o$o$p$r$r$r$r$r$s$s$t$t$t$u$u$u
API String ID: 4275171209-608630707
Opcode ID: e8237e86a5c09fd62f0dd3827f542c9c996bfdfdbb6d0101729e4a5e36e03964
Instruction ID: 4253c4939981f5df706487ca058429d9fa1f7b98d3fb64a05161715c64d413ca
Opcode Fuzzy Hash: e8237e86a5c09fd62f0dd3827f542c9c996bfdfdbb6d0101729e4a5e36e03964
Instruction Fuzzy Hash: 3382F730208648DBE7B9CE58C588BAA77E1FF65314F94417DD88EC7282DA78D816C7D2

Function 0000000180057FB0 Relevance: 15.1, APIs: 10, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000180058226), ref: 0000000180057FC2
HeapAlloc.KERNEL32(?,?,?,0000000180058226), ref: 0000000180057FD3
GetVersionExA.KERNEL32(?,?,?,0000000180058226), ref: 0000000180057FEE
GetProcessHeap.KERNEL32(?,?,?,0000000180058226), ref: 0000000180057FF8
HeapFree.KERNEL32(?,?,?,0000000180058226), ref: 0000000180058006
GetProcessHeap.KERNEL32(?,?,?,0000000180058226), ref: 000000018005803D
HeapFree.KERNEL32(?,?,?,0000000180058226), ref: 000000018005804B
GetCommandLineA.KERNEL32(?,?,?,0000000180058226), ref: 0000000180058092

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: Heap$Process$Free$AllocCommandLineVersion
String ID:
API String ID: 826746151-0
Opcode ID: 4e03b135ddcad22f2d45e8378188483c4f77b1624eb5c0fda9e2a1423bfeb14a
Instruction ID: d802286e8662a42d8734d0176b8b59c650c7c2305e87fbb92d2b1ebde5d2bc11
Opcode Fuzzy Hash: 4e03b135ddcad22f2d45e8378188483c4f77b1624eb5c0fda9e2a1423bfeb14a
Instruction Fuzzy Hash: E6518F3060160D87FBD7AB719C163D922D5AF4C7D1F04C424FE64A63D2EE2A878D9B11

Function 000000018005E2E0 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,?,?,?,0000000180058081,?,?,?,0000000180058226), ref: 000000018005E2F2
HeapSetInformation.KERNEL32 ref: 000000018005E321

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 96debf24c30b6f04ec0aab04364e1e7dae60e70022a02d2655cdb9e09c00a084
Instruction ID: 2de8ec70877cf2086e32561d6bc0823e8b067ee0c89a19c7bca2c06bd93188cc
Opcode Fuzzy Hash: 96debf24c30b6f04ec0aab04364e1e7dae60e70022a02d2655cdb9e09c00a084
Instruction Fuzzy Hash: 35E048B5B1678082F7C95B11DC4A7956251F7DC781FE0D019F98D42754EE7CC24D4B00

Function 0000000180056D00 Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000000180056D45

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 01795867eeab3eeb9947b8598439885f631bb91788bf5aa2a3edc9d17944673d
Instruction ID: b8c2db37283491bd31474cbfce8bde44389280bdc1a7e3c0611de882773a0657
Opcode Fuzzy Hash: 01795867eeab3eeb9947b8598439885f631bb91788bf5aa2a3edc9d17944673d
Instruction Fuzzy Hash: 57F09070B0124D41FEEA5621A9127D05294479DBF0F0CDF30B93A973F0EE69868C8304

Function 000000018005C520 Relevance: 1.3, APIs: 1, Instructions: 34
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180056D00: HeapAlloc.KERNEL32 ref: 0000000180056D45

Sleep.KERNEL32(?,?,?,?,00000001800586C7,?,?,?,?,0000000180056EF9), ref: 000000018005C565

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: AllocHeapSleep
String ID:
API String ID: 2660413188-0
Opcode ID: f3be130c106b9429d5cfe72c84b6622280f8b2e763eba91d7db92e7ae4daa92a
Instruction ID: ccf6fc8f78cabf6904fba5d48cf50a51f4a33cc23826735ac756e7fd4fa1f2b9
Opcode Fuzzy Hash: f3be130c106b9429d5cfe72c84b6622280f8b2e763eba91d7db92e7ae4daa92a
Instruction Fuzzy Hash: 29F08132724A8486D6559F02A84034EA3A5F3CEBD0F584114FF9E17B98DF3DD9558B00

Non-executed Functions

Function 0000000180020108 Relevance: 73.9, APIs: 24, Strings: 18, Instructions: 442
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0000000180020234

Strings

WSACloseEvent failed (%d), xrefs: 000000018002076E
failed to load WS2_32.DLL (%u), xrefs: 00000001800202BE
WSAEnumNetworkEvents, xrefs: 000000018002037A
WSAEventSelect, xrefs: 0000000180020350
failed to find WSACloseEvent function (%u), xrefs: 0000000180020344
insufficient winsock version to support telnet, xrefs: 000000018002027E
FreeLibrary(wsock2) failed (%u), xrefs: 0000000180020795
failed to find WSAEnumNetworkEvents function (%u), xrefs: 000000018002039A
WS2_32.DLL, xrefs: 0000000180020297
, xrefs: 00000001800206A1
WSAStartup failed (%d), xrefs: 000000018002023E
WSAEnumNetworkEvents failed (%d), xrefs: 00000001800205FB
WSACreateEvent, xrefs: 00000001800202D9
WSACreateEvent failed (%d), xrefs: 00000001800203BE
WSACloseEvent, xrefs: 0000000180020324
failed to find WSAEventSelect function (%u), xrefs: 000000018002036E
failed to find WSACreateEvent function (%u), xrefs: 00000001800202FF
Time-out, xrefs: 0000000180020746

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: Startup
String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$WSAStartup failed (%d)$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)$insufficient winsock version to support telnet
API String ID: 724789610-777782649
Opcode ID: 1832e236be077ceacf04411d3b7ffe83dd9163dc7a85c33f170655243162dd67
Instruction ID: 05a520437d861714cd113e62e5c54cae7901c1481447a3f9ac10ec115e2df07a
Opcode Fuzzy Hash: 1832e236be077ceacf04411d3b7ffe83dd9163dc7a85c33f170655243162dd67
Instruction Fuzzy Hash: 0B128F3120578986EBA38B61E8483EA73A5F78DBC4F60C125EE9947795DF78C64CCB40

Function 0000000180051090 Relevance: 10.6, APIs: 7, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00000001800510B0
RtlLookupFunctionEntry.KERNEL32 ref: 00000001800510C8
RtlVirtualUnwind.KERNEL32 ref: 0000000180051102
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180051169
UnhandledExceptionFilter.KERNEL32 ref: 0000000180051176
GetCurrentProcess.KERNEL32 ref: 000000018005117C
TerminateProcess.KERNEL32 ref: 000000018005118A

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
String ID:
API String ID: 3266983031-0
Opcode ID: 81aed5b2da386a6dc7a327670bb08556ac500237055a9ad39526474167d21d06
Instruction ID: 08f2fca5be47106ad7e28b1154ec3b6156f23a3b7692be6a231e832f7a5f47a5
Opcode Fuzzy Hash: 81aed5b2da386a6dc7a327670bb08556ac500237055a9ad39526474167d21d06
Instruction Fuzzy Hash: E3312335205B4986EA828B15FC50389B3A4F78DBC6F54811AEADD43B24DF38C24ACB00

Function 0000000180053140 Relevance: 4.1, Strings: 3, Instructions: 391COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 00000001800535B3
invalid distance too far back, xrefs: 00000001800535A7
invalid literal/length code, xrefs: 0000000180053652

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: a45a2981fea6b77b4696a2932d8c20778568e79bafdc27a9d964857bd4652c7b
Instruction ID: 27baad9ae40256ab115240ccaf3fb4237789e6485d2d0bb6e802b0d0fbeadb2c
Opcode Fuzzy Hash: a45a2981fea6b77b4696a2932d8c20778568e79bafdc27a9d964857bd4652c7b
Instruction Fuzzy Hash: FFE13532618AD887D35A8B2994453AD7BA1F3997C0F14811AFBDA537C5DA3ECB09C700

Function 00000001800610E0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000180061105

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 867e6be5c6a8042c45c51e9f9bfab6e38e38e9a3bd846e491e1d9b5997173a16
Instruction ID: 7932e8d73d04c99ca53ad85b822b81eb765a91fb1f57253f5b906bfd6bc02398
Opcode Fuzzy Hash: 867e6be5c6a8042c45c51e9f9bfab6e38e38e9a3bd846e491e1d9b5997173a16
Instruction Fuzzy Hash: 24F0A032A08A8481FA72A710FC003CA2721BBDC7E9F944201FA9C477B5DE2CC3598B00

Function 0000000180035030 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 0000000180035335
inet_ntoa.WS2_32 ref: 00000001800353C2

Strings

udp, xrefs: 000000018003518C
tcp, xrefs: 00000001800351B7

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: htonlinet_ntoa
String ID: tcp$udp
API String ID: 298042256-3725065008
Opcode ID: 8d2ac02b90edb6ae53f54b58ffcc698617e4a631833b0752589712ec26281b2c
Instruction ID: 484b7560466ad5f9580f1d3508e78324675307007b70ccd28127cbc2517330d7
Opcode Fuzzy Hash: 8d2ac02b90edb6ae53f54b58ffcc698617e4a631833b0752589712ec26281b2c
Instruction Fuzzy Hash: F9B1933660574886EBE78B15D4403AB63E1FB9DBC5F16C525FE8A473A4EF38CA488700

Function 00000001800270E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 0000000180027150
WSAGetLastError.WS2_32 ref: 000000018002715A

Part of subcall function 000000018002F350: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000018000C4DA), ref: 000000018002F36D
Part of subcall function 000000018002F350: GetLastError.KERNEL32 ref: 000000018002F463
Part of subcall function 000000018002F350: SetLastError.KERNEL32 ref: 000000018002F474

getsockname.WS2_32 ref: 00000001800271AD
WSAGetLastError.WS2_32 ref: 00000001800271B7

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00000001800272CF
ssrem inet_ntop() failed with errno %d: %s, xrefs: 000000018002721F
getsockname() failed with errno %d: %s, xrefs: 00000001800271C9
getpeername() failed with errno %d: %s, xrefs: 000000018002716C

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: ErrorLast$getpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1444953621-670633250
Opcode ID: 0a90abb348d2a0b175106d9a59b8eb5dac0b431534eb7b54656c0c25b217c887
Instruction ID: e59ed33437069a26528cffbb91b331c9884d4809dc5da79269675fb9123fdee1
Opcode Fuzzy Hash: 0a90abb348d2a0b175106d9a59b8eb5dac0b431534eb7b54656c0c25b217c887
Instruction Fuzzy Hash: 7F514931705B89C6EAA2DB62E4447DA73A2F78CBC4F548021FA9E47796DF38D249C701

Function 0000000180031040 Relevance: 13.8, APIs: 9, Instructions: 283
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32 ref: 00000001800310A2
Sleep.KERNEL32 ref: 00000001800310B6
WSASetLastError.WS2_32 ref: 0000000180031263
Sleep.KERNEL32 ref: 0000000180031277

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 9b48d7b2766f17df1711f821851146cb759b7e1acc745c42c072a0270a065e71
Instruction ID: e4ddd5fdb3ba8b962d13f28a7f4a8bc4a6c33de8df1811023a19f36311382cdd
Opcode Fuzzy Hash: 9b48d7b2766f17df1711f821851146cb759b7e1acc745c42c072a0270a065e71
Instruction Fuzzy Hash: 4EC115312157888AE7E78F19D4403EBA3A1FB9C7D5F519225FA9983BD4CF38CA598700

Function 0000000180061140 Relevance: 10.7, APIs: 7, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000001C,000000018005F69D), ref: 00000001800611D1
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000001C,000000018005F69D), ref: 00000001800611E7
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000001C,000000018005F69D), ref: 000000018006125F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000001C,000000018005F69D), ref: 000000018006130B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000001C,000000018005F69D), ref: 0000000180061349

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: bb995149a76c1fa20285a2ef19394d513b3263ca551483d224fe19ea30f94fde
Instruction ID: 360856c1555d4b0f807924cc8dfb22b96868353677ffcde1210555d0e1666be0
Opcode Fuzzy Hash: bb995149a76c1fa20285a2ef19394d513b3263ca551483d224fe19ea30f94fde
Instruction Fuzzy Hash: 41814272200B848EE7A18F65EC403D977A6F748BD9F288115FA6A87B98DF34C655C740

Function 00000001800620F0 Relevance: 7.7, APIs: 5, Instructions: 246fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000018006232F
GetFileType.KERNEL32 ref: 0000000180062341
CloseHandle.KERNEL32 ref: 000000018006234E
GetLastError.KERNEL32 ref: 0000000180062354
CloseHandle.KERNEL32 ref: 0000000180062391

Part of subcall function 000000018005C980: CloseHandle.KERNEL32(?,?,?,?,000000018005CAA4,?,?,?,?,00000001800011B6), ref: 000000018005C9CE
Part of subcall function 000000018005C980: GetLastError.KERNEL32(?,?,?,?,000000018005CAA4,?,?,?,?,00000001800011B6), ref: 000000018005C9D8

Memory Dump Source

Source File: 00000008.00000002.2871610527.0000000180001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000008.00000002.2871580196.0000000180000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871655677.0000000180065000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871683578.0000000180081000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000008.00000002.2871706526.0000000180085000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000000_soiucosxz.jbxd

Similarity

API ID: CloseHandle$ErrorFileLast$CreateType
String ID:
API String ID: 3635033729-0
Opcode ID: 897d9297995a4e50a4cece719d2f4fef7ea19b8ee9116e3872b3d261e85a767b
Instruction ID: 760fff09c57d5129644c7317d0ebca99859d1fea18722904d2fc0697a6919545
Opcode Fuzzy Hash: 897d9297995a4e50a4cece719d2f4fef7ea19b8ee9116e3872b3d261e85a767b
Instruction Fuzzy Hash: 41A1D032604B4942FBF64B29AC503ED2692B35A7E4F70C215FAB54B7E1CF388B498701

Analysis Process: soiucosxz.exePID: 6240, Parent PID: 5508COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.4%
Total number of Nodes:	61
Total number of Limit Nodes:	7

Executed Functions

Function 0000026878E9AE20 Relevance: 1.6, APIs: 1, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDelayExecution.NTDLL(-00000001), ref: 0000026878E9AE79

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: f00705b9ae837ec2345864758a29e39967a219465f4efa5b6de3cb3e60cb6094
Instruction ID: ada88d511deb9f30efb3d059b2416be7608b5e68850746b3572133f811958f86
Opcode Fuzzy Hash: f00705b9ae837ec2345864758a29e39967a219465f4efa5b6de3cb3e60cb6094
Instruction Fuzzy Hash: A6110135124A8D0EEB49BB78849D6BAB6C4FF5C318F64077EF08BCB0E2DE1984804302

Function 0000026878E9E5BC Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00120116), ref: 0000026878E9E60C

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58e43e44b54812268928e5122ffec1c26c35a1137341fc786275a977db449c32
Instruction ID: 3b5adbf2a07a3324c620b633303ea65afbd1f5790e754b06cf5f90eace068694
Opcode Fuzzy Hash: 58e43e44b54812268928e5122ffec1c26c35a1137341fc786275a977db449c32
Instruction Fuzzy Hash: 1801AF71524B088BEB54CB58C4DE7A6B6E0FB5C326F60066CE405C62C2EBB99848CB02

Function 0000026878E987C4 Relevance: 6.1, APIs: 4, Instructions: 121
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000001), ref: 0000026878E98806
CreateFileW.KERNELBASE ref: 0000026878E9883F
ReadFile.KERNELBASE(00000000), ref: 0000026878E988B0
SetFileAttributesW.KERNELBASE(00000003), ref: 0000026878E988E4

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: File$Create$AttributesRead
String ID:
API String ID: 122080180-0
Opcode ID: 1a3538701edab37c293b752dd8d047efedda403f2c91c2e287a1414391de9447
Instruction ID: 289c0d54ce0d2fa490a66bc63ed9ed614556097b3a14c52f750d031beb0121c0
Opcode Fuzzy Hash: 1a3538701edab37c293b752dd8d047efedda403f2c91c2e287a1414391de9447
Instruction Fuzzy Hash: 634116B55187484FEB61AB74948DBBAF6D5EB98314F20473EE44AC21D2DF35C4058352

Function 0000026878E98700 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026878E9E5BC: NtCreateFile.NTDLL(00120116), ref: 0000026878E9E60C

CloseHandle.KERNELBASE ref: 0000026878E987A4

Strings

0, xrefs: 0000026878E98774

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: 0
API String ID: 3498533004-4108050209
Opcode ID: f1a001039e29aba7cab1b6b51817c4333627fd70a1d51c0598e22ca8be95841b
Instruction ID: 0d35a70deb99ede35b4052fd71af4974c2fe5c4978364b60da206e8711d413b9
Opcode Fuzzy Hash: f1a001039e29aba7cab1b6b51817c4333627fd70a1d51c0598e22ca8be95841b
Instruction Fuzzy Hash: E6119076418B8C4BE712EB14C4547EBB7E1FBD8304F504B2EA489C6281DF75E6448BC2

Function 0000026878E98948 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(00000003), ref: 0000026878E989D8

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 04ab83f7e0e80a6461120924300d0aa122f92ba49c64c0b2d7f71018cc2f6762
Instruction ID: f1b8cda4e9fc7b4fd811355e731ea80041401475bd7002ea0f96d0318ad4899f
Opcode Fuzzy Hash: 04ab83f7e0e80a6461120924300d0aa122f92ba49c64c0b2d7f71018cc2f6762
Instruction Fuzzy Hash: 4E21F6B5214A184FEB55DBA8944A7BAF6D0EB9C314F20476DE00DC72A2DF75CC418342

Function 0000026878E9E51C Relevance: 1.6, APIs: 1, Instructions: 66
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000), ref: 0000026878E9E562

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c4c36f6c1de176a9173a566a82801515613e72a7e9da56a31f1e52ced4f5237b
Instruction ID: 0fa3958a5a084920d93f2d038b319d20f005f47a18a0ac07789af63f01f5cc24
Opcode Fuzzy Hash: c4c36f6c1de176a9173a566a82801515613e72a7e9da56a31f1e52ced4f5237b
Instruction Fuzzy Hash: 5E11A3B0608B0C4FDB84EF6CA448725BAD4FB5C300F51476EA41DC73A1DB70C8418782

Function 0000026878E98904 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026878E9E51C: CreateFileW.KERNELBASE(00000000), ref: 0000026878E9E562

SetFileAttributesW.KERNELBASE(-00000001), ref: 0000026878E9892C

Memory Dump Source

Source File: 0000000D.00000002.2721640024.0000026878E81000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026878E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26878e81000_soiucosxz.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 618aca3401d4b7fe124b8c2541c3c837fb01dd0d1f8018090a6ddb5f7563badd
Instruction ID: c288fcce32ff97e191bd4fca40cdd0be90a0a256f682b568b6c6c1c25b99d522
Opcode Fuzzy Hash: 618aca3401d4b7fe124b8c2541c3c837fb01dd0d1f8018090a6ddb5f7563badd
Instruction Fuzzy Hash: 8AE08671728A080BEB5CA66CA49573971C6D7DC254F54163EB44DC33CADDA5CC454342

Non-executed Functions

Function 00007FFB0C181DA0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 121
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000), ref: 00007FFB0C181F1C
GetProcAddress.KERNEL32(00000000), ref: 00007FFB0C181F28

Strings

MZx, xrefs: 00007FFB0C181DBF, 00007FFB0C181EA5, 00007FFB0C181F05
ext-ms-, xrefs: 00007FFB0C181E79
api-ms-, xrefs: 00007FFB0C181E66

Memory Dump Source

Source File: 0000000D.00000002.2723050548.00007FFB0C151000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFB0C150000, based on PE: true

Associated: 0000000D.00000002.2723017654.00007FFB0C150000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723119730.00007FFB0C192000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723172858.00007FFB0C19E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723225317.00007FFB0C1A1000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723225317.00007FFB0C1A4000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723316925.00007FFB0C1A7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723342344.00007FFB0C1A8000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723495178.00007FFB0C3ED000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723589846.00007FFB0C475000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb0c150000_soiucosxz.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 388816bb59639d6ac3d3d34693a8a2e7a154d375a429ca9c30c6a4978183dee0
Instruction ID: ba4be7aa599e28529e7339bbb197bb25f7a7d84b645a6bb7e9231f35d630abd0
Opcode Fuzzy Hash: 388816bb59639d6ac3d3d34693a8a2e7a154d375a429ca9c30c6a4978183dee0
Instruction Fuzzy Hash: 3841D6E2B1D60291EB16DB36E808EB92390BF45BA0F594235DD1D57785EF3CE44A8318

Function 00007FFB0C17FFB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FFB0C17FFEB
FreeLibrary.KERNEL32 ref: 00007FFB0C180012

Strings

CorExitProcess, xrefs: 00007FFB0C17FFE4
mscoree.dll, xrefs: 00007FFB0C17FFCC

Memory Dump Source

Source File: 0000000D.00000002.2723050548.00007FFB0C151000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFB0C150000, based on PE: true

Associated: 0000000D.00000002.2723017654.00007FFB0C150000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723119730.00007FFB0C192000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723172858.00007FFB0C19E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723225317.00007FFB0C1A1000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723225317.00007FFB0C1A4000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723316925.00007FFB0C1A7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723342344.00007FFB0C1A8000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723495178.00007FFB0C3ED000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.2723589846.00007FFB0C475000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb0c150000_soiucosxz.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: CorExitProcess$mscoree.dll
API String ID: 3013587201-1276376045
Opcode ID: b4d4cddbb90d4ecaa7d1da2b12f7ab42b453d945075ba40629666b735ed15792
Instruction ID: a967c66ac795caf38b7ac019f2a71e527c3ac848dc6a1616e3d942d592b28658
Opcode Fuzzy Hash: b4d4cddbb90d4ecaa7d1da2b12f7ab42b453d945075ba40629666b735ed15792
Instruction Fuzzy Hash: 04F062E1B1DA0682FB208B34E458B7A6360EF897A4F940239C66D861E4DF3CD54CD300

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cho_mea64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\2779096476\config.ini

C:\ProgramData\2779096548\config.ini

C:\ProgramData\AB819CA4478D450CF3B95B908C7AD475

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\8FF3EF380313034D8D84BAF59.cat

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\997f54546.exe

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\libcurl.dll

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\soiucosxz.exe

C:\Users\user\AppData\Local\Temp\805444110049334163191123924\zlibwapi.dll

C:\Users\user\AppData\Local\Temp\is-89SCA.tmp\cho_mea64.tmp

C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-KDSFA.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe (copy)

C:\Users\user\AppData\Roaming\611641ae7b4c35da\62b24530.exe (copy)

C:\Users\user\AppData\Roaming\611641ae7b4c35da\b2b01.ico (copy)

C:\Users\user\AppData\Roaming\611641ae7b4c35da\is-9G6TC.tmp

Windows Analysis Report
cho_mea64.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre