Edit tour

Windows Analysis Report
hKgrI6tqYx.exe

Overview

General Information

Sample name:	hKgrI6tqYx.exe renamed because original name is a hash value
Original sample name:	ef17e4c80f1630b77985efca374565ae94ba9a0a30a31b2e88ffe2d51bfe599f.exe
Analysis ID:	1571324
MD5:	5ebc550846b0593c0b5c962194f87c92
SHA1:	7ba72751aa4e924fdefbde7c31305594146429b4
SHA256:	ef17e4c80f1630b77985efca374565ae94ba9a0a30a31b2e88ffe2d51bfe599f
Tags:	busquedasxurl-comexeuser-JAMESWT_MHT
Infos:

Detection

Python Stealer, Babadeda

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Babadeda

AI detected suspicious sample

Contains functionality to infect the boot sector

Contains functionality to register a low level keyboard hook

Creates files with lurking names (e.g. Crack.exe)

Found pyInstaller with non standard icon

Machine Learning detection for dropped file

Machine Learning detection for sample

Yara detected Generic Python Stealer

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hKgrI6tqYx.exe (PID: 1492 cmdline: "C:\Users\user\Desktop\hKgrI6tqYx.exe" MD5: 5EBC550846B0593C0B5C962194F87C92)

Heart-Senders-Crackeado.exe (PID: 5960 cmdline: "C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe" MD5: D134FFD0F669B1940AE13A37980B3881)

cmd.exe (PID: 5776 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Heart-Sender-V1.2.exe (PID: 6960 cmdline: Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -dC:\Users\user\AppData\Local\Temp MD5: 94B6D18D2E0E752E6B9E914D4B6BC33F)

HeartSender.exe (PID: 3748 cmdline: "C:\Users\user\AppData\Local\Temp\HeartSender.exe" MD5: 7FA598F8A47A856C0F9667C22BFBE056)

cmd.exe (PID: 3504 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\user\AppData\Local\Temp\HeartSender.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

File00.exe (PID: 6420 cmdline: config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa MD5: D4EA176B0DC54374ABB87A1B9409FE50)

A1.exe (PID: 1812 cmdline: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe" MD5: 9C7691FF597E9EFD7F796B31ACCB78E8)

her.exe (PID: 5912 cmdline: her.exe MD5: A02BD3671B7DAB9F036B13C8B0339714)

her.exe (PID: 3660 cmdline: her.exe MD5: A02BD3671B7DAB9F036B13C8B0339714)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus users.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
C:\Users\user\AppData\Local\Temp\HeartSender.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: her.exe PID: 3660	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.0.Heart-Senders-Crackeado.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
6.2.HeartSender.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
2.2.Heart-Senders-Crackeado.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
6.0.HeartSender.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hKgrI6tqYx.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	ReversingLabs: Detection: 48%

Multi AV Scanner detection for submitted file

Source: hKgrI6tqYx.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hKgrI6tqYx.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Unpacked PE file: 2.2.Heart-Senders-Crackeado.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Unpacked PE file: 6.2.HeartSender.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Unpacked PE file: 11.2.A1.exe.850000.0.unpack

Source: hKgrI6tqYx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\license.txt

Jump to behavior

Source: hKgrI6tqYx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.9.dr
Source:	Binary string: ucrtbase.pdb source: her.exe, 0000000D.00000002.4613602499.00007FFD945B5000.00000002.00000001.01000000.00000015.sdmp, ucrtbase.dll.9.dr
Source:	Binary string: C:\Users\Jonathan\Desktop\Z\zzzproject\HtmlAgilityPack\HtmlAgilityPack\obj\Release\HtmlAgilityPack.pdb source: Heart-Sender-V1.2.exe, 00000005.00000003.2151999929.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167282638.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167437104.0000000002901000.00000004.00000020.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167156258.00000000037D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb, source: Heart-Sender-V1.2.exe, 00000005.00000003.2152536207.0000000005392000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: her.exe, 0000000D.00000002.4611940957.00007FFD93CE9000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: her.exe, 00000009.00000003.2164962074.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4617053181.00007FFDA4343000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: her.exe, 0000000D.00000002.4613753074.00007FFD9A270000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: her.exe, 00000009.00000003.2165130663.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4615350083.00007FFD9F7F5000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.9.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: her.exe, 0000000D.00000002.4613753074.00007FFD9A270000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: her.exe, 0000000D.00000002.4616844776.00007FFDA4171000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: her.exe, 0000000D.00000002.4615595641.00007FFDA2E97000.00000002.00000001.01000000.00000027.sdmp, _hashlib.pyd.9.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\win32crypt.pdb source: her.exe, 0000000D.00000002.4614105332.00007FFD9B1C1000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4616101131.00007FFDA3A88000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: her.exe, 0000000D.00000002.4614240277.00007FFD9DA42000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: her.exe, 0000000D.00000002.4615938704.00007FFDA354C000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: her.exe, 0000000D.00000002.4616375560.00007FFDA3BFD000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: ucrtbase.pdbUGP source: her.exe, 0000000D.00000002.4613602499.00007FFD945B5000.00000002.00000001.01000000.00000015.sdmp, ucrtbase.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: her.exe, 0000000D.00000002.4616242235.00007FFDA3AE9000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: X509_SIGPKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: her.exe, 00000009.00000003.2165130663.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4615350083.00007FFD9F7F5000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hKgrI6tqYx.exe, Heart-Sender-V1.2.exe.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: her.exe, 0000000D.00000002.4612515934.00007FFD94244000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: her.exe, 0000000D.00000002.4610913757.00007FFD9385F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: her.exe, 0000000D.00000002.4611940957.00007FFD93D81000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: her.exe, 0000000D.00000002.4611294878.00007FFD938F4000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: her.exe, 0000000D.00000002.4615808497.00007FFDA3526000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: her.exe, 00000009.00000003.2164962074.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4617053181.00007FFDA4343000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: her.exe, 0000000D.00000002.4611940957.00007FFD93D81000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: her.exe, 0000000D.00000002.4616676087.00007FFDA3FD3000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: her.exe, 0000000D.00000002.4615938704.00007FFDA354C000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.9.dr
Source:	Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\win32crypt.pdb!! source: her.exe, 0000000D.00000002.4614105332.00007FFD9B1C1000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: her.exe, 0000000D.00000002.4616520838.00007FFDA3EB3000.00000002.00000001.01000000.00000020.sdmp, _queue.pyd.9.dr
Source:	Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdbcQ source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdb source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: her.exe, 0000000D.00000002.4617184514.00007FFDA4634000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: her.exe, 0000000D.00000002.4615471394.00007FFDA086F000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: her.exe, 0000000D.00000002.4617184514.00007FFDA4634000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: her.exe, 0000000D.00000002.4600771086.0000021BD4C20000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: her.exe, 0000000D.00000002.4611294878.00007FFD938F4000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: her.exe, 0000000D.00000002.4614601979.00007FFD9DECD000.00000002.00000001.01000000.00000021.sdmp

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E0C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E0C4A8
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E1E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E1E560
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2D998 FindFirstFileExA,	0_2_00E2D998
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E7C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_00E7C4A8
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E8E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_00E8E560
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9D998 FindFirstFileExA,	5_2_00E9D998
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466388D0 FindFirstFileExW,FindClose,	9_2_00007FF7466388D0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746651EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF746651EE4
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	10_2_0040372C
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00403211 wsprintfW,FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	10_2_00403211

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 13_2_00007FFD934F2E70 memset,PyList_New,SetErrorMode,PyArg_ParseTuple,PyObject_IsTrue,PyEval_SaveThread,GetLogicalDriveStringsA,PyEval_RestoreThread,PyErr_SetFromWindowsErr,SetErrorMode,PyEval_SaveThread,GetDriveTypeA,PyEval_RestoreThread,GetVolumeInformationA,strcat_s,SetLastError,strcat_s,strcat_s,strcat_s,FindFirstVolumeMountPointA,strcpy_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,FindNextVolumeMountPointA,FindVolumeMountPointClose,strcat_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,strchr,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,_Py_Dealloc,_Py_Dealloc,

13_2_00007FFD934F2E70

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_05B570A8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then push dword ptr [ebp-24h]	11_2_05B57CBC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_05B57CBC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then push dword ptr [ebp-24h]	11_2_05B57CC8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_05B57CC8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then xor edx, edx	11_2_05B57C00
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then push dword ptr [ebp-20h]	11_2_05B579A8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_05B579A8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then push dword ptr [ebp-20h]	11_2_05B5799C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_05B5799C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_05B5782C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then xor edx, edx	11_2_05B57BF4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], 00000000h	11_2_05E5349C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h	11_2_05E5349C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], 00000000h	11_2_05E56674
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h	11_2_05E56674
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch]	11_2_05EA7EB8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch]	11_2_05EA7EB1

Source: Joe Sandbox View

IP Address: 44.196.3.45 44.196.3.45

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: httpbin.org

Source: her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2208838631.0000021BD7B9F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: her.exe, 0000000D.00000002.4604434415.0000021BD7650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: A1.exe, 0000000B.00000002.4602994787.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, A1.exe, 0000000B.00000000.2169317843.0000000000852000.00000002.00000001.01000000.0000000E.sdmp, A1.exe.10.dr	String found in binary or memory: http://ariesta.club/randomusage.txt
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: her.exe, 0000000D.00000003.2199899768.0000021BD6D25000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206412272.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210809247.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204602265.0000021BD711F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2200158997.0000021BD7152000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204997793.0000021BD6D25000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210963786.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _queue.pyd.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: her.exe, 0000000D.00000003.2209445705.0000021BD7BD3000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7BD3000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606778955.0000021BD8630000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606594636.0000021BD8530000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7B92000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606594636.0000021BD85CC000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: her.exe, 0000000D.00000002.4604569460.0000021BD7750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: her.exe, 0000000D.00000002.4604569460.0000021BD7750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: her.exe, 0000000D.00000002.4604771227.0000021BD7930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: her.exe, 0000000D.00000003.2209829442.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2202329371.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: her.exe, 0000000D.00000003.2204602265.0000021BD711F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: her.exe, 0000000D.00000003.2204602265.0000021BD711F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606778955.0000021BD86FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: her.exe, 0000000D.00000002.4604771227.0000021BD7930000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: her.exe, 0000000D.00000002.4603212436.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/yyusing
Source: Heart-Sender-V1.2.exe, 00000005.00000003.2151999929.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, Heart-Sender-V1.2.exe, 00000005.00000003.2151999929.0000000005121000.00000004.00000020.00020000.00000000.sdmp, File00.exe, 0000000A.00000002.4601425972.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, File00.exe.5.dr	String found in binary or memory: http://sourceforge.net/projects/s-zipsfxbuilder/)
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: her.exe, 0000000D.00000002.4606778955.0000021BD8630000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: her.exe, 0000000D.00000002.4604569460.0000021BD7750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/SD7W3
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.9.dr, _queue.pyd.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: her.exe, 0000000D.00000003.2202329371.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204815585.0000021BD72E3000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206270617.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsrc
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: her.exe, 0000000D.00000002.4605064569.0000021BD7B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botz
Source: A1.exe, 0000000B.00000002.4602994787.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ariesta.club/hslsx/license.php
Source: her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602961022.0000021BD6E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604771227.0000021BD7930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://busquedasxurl.com/login/conexion/bloqueadoreslogs.php?ip=
Source: her.exe, 0000000D.00000002.4604771227.0000021BD7930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://busquedasxurl.com/login/conexion/bloqueadoreslogs.php?ip=yy
Source: her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://busquedasxurl.com/login/conexion/recibidor.php
Source: her.exe, her.exe, 0000000D.00000002.4610562150.00007FFD935BD000.00000002.00000001.01000000.00000031.sdmp, _cffi_backend.cp312-win_amd64.pyd.9.dr	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: her.exe, 0000000D.00000003.2206412272.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210809247.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204997793.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2199899768.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: her.exe, 0000000D.00000003.2206121721.0000021BD7347000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: her.exe, 0000000D.00000002.4606377445.0000021BD8330000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: her.exe, 0000000D.00000002.4607043664.0000021BD87B4000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CC2000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: her.exe, 00000009.00000002.4600693567.000002A3F30F4000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4613805866.00007FFD9A281000.00000002.00000001.01000000.0000002F.sdmp, her.exe, 0000000D.00000002.4614157111.00007FFD9B1CE000.00000002.00000001.01000000.0000002D.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp, _rust.pyd.9.dr	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: her.exe, 0000000D.00000002.4602189035.0000021BD6A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: her.exe, 0000000D.00000002.4601130409.0000021BD65AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: her.exe, 0000000D.00000003.2197732068.0000021BD6C5F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2197911029.0000021BD6C6E000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206412272.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2199899768.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues/396
Source: her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: her.exe, 0000000D.00000002.4606377445.0000021BD8330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD67CB000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: her.exe, 0000000D.00000002.4601483744.0000021BD67CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: her.exe, 0000000D.00000002.4607043664.0000021BD884C000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: her.exe, 0000000D.00000002.4602961022.0000021BD6E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD722F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2202329371.0000021BD7242000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210963786.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: her.exe, 0000000D.00000002.4604434415.0000021BD7650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: her.exe, 0000000D.00000003.2200208620.0000021BD713F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204602265.0000021BD711F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210963786.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD711E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602961022.0000021BD6E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: her.exe, 0000000D.00000002.4602799395.0000021BD6D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: her.exe, 0000000D.00000002.4612515934.00007FFD94244000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: her.exe, 0000000D.00000002.4604434415.0000021BD7650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: her.exe, 0000000D.00000002.4606377445.0000021BD8330000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206329143.0000021BD7380000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206412272.0000021BD6B94000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206121721.0000021BD7347000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#
Source: her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#r$Nrjr
Source: her.exe, 0000000D.00000002.4607043664.0000021BD87B4000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CC2000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD67CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyP
Source: her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: her.exe, 0000000D.00000003.2209829442.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: her.exe, 0000000D.00000002.4611353647.00007FFD9392F000.00000002.00000001.01000000.00000023.sdmp, her.exe, 0000000D.00000002.4612227033.00007FFD93E2A000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: her.exe, 0000000D.00000002.4601130409.0000021BD6530000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: her.exe, 0000000D.00000002.4613079015.00007FFD943BC000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: her.exe, 0000000D.00000002.4612515934.00007FFD94244000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/?~.
Source: her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe

Code function: 10_2_00408DA3 SetWindowsHookExW 00000002,Function_00008D75,00000000,00000000

10_2_00408DA3

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Code function: 11_2_05EAC2B8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

11_2_05EAC2B8

System Summary

Creates files with lurking names (e.g. Crack.exe)

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

File created: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F1E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,	13_2_00007FFD934F1E90
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F6AA0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,	13_2_00007FFD934F6AA0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F4A70 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,	13_2_00007FFD934F4A70
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F2480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,	13_2_00007FFD934F2480
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F4680 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,	13_2_00007FFD934F4680
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F5720 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,	13_2_00007FFD934F5720
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F6250 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,	13_2_00007FFD934F6250
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F6E40 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,	13_2_00007FFD934F6E40
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F73F0 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,	13_2_00007FFD934F73F0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F5810 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	13_2_00007FFD934F5810
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F4D00 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	13_2_00007FFD934F4D00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F6600 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,	13_2_00007FFD934F6600

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E07FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00E07FD3

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E0F963	0_2_00E0F963
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E09906	0_2_00E09906
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E1EA07	0_2_00E1EA07
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E18C7E	0_2_00E18C7E
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E160F7	0_2_00E160F7
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E34044	0_2_00E34044
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E12125	0_2_00E12125
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E19111	0_2_00E19111
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E182D0	0_2_00E182D0
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E0E394	0_2_00E0E394
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E11476	0_2_00E11476
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E16445	0_2_00E16445
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E1976F	0_2_00E1976F
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E27738	0_2_00E27738
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E27967	0_2_00E27967
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E10949	0_2_00E10949
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E03AB7	0_2_00E03AB7
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2FA90	0_2_00E2FA90
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E04C6E	0_2_00E04C6E
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E15E86	0_2_00E15E86
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E02FCB	0_2_00E02FCB
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E10FAC	0_2_00E10FAC
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2FF3E	0_2_00E2FF3E
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_0040C898	2_2_0040C898
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_0040E950	2_2_0040E950
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00410910	2_2_00410910
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_004109D9	2_2_004109D9
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_004105E0	2_2_004105E0
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00411580	2_2_00411580
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00410993	2_2_00410993
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00410600	2_2_00410600
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_0040B347	2_2_0040B347
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_0040F3C8	2_2_0040F3C8
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E7F963	5_2_00E7F963
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E79906	5_2_00E79906
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E88C7E	5_2_00E88C7E
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E860F7	5_2_00E860F7
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00EA4044	5_2_00EA4044
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E82125	5_2_00E82125
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E89111	5_2_00E89111
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E882D0	5_2_00E882D0
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E7E394	5_2_00E7E394
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E81476	5_2_00E81476
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E86445	5_2_00E86445
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E8976F	5_2_00E8976F
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E97738	5_2_00E97738
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E97967	5_2_00E97967
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E80949	5_2_00E80949
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E73AB7	5_2_00E73AB7
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9FA90	5_2_00E9FA90
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E8EA07	5_2_00E8EA07
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E74C6E	5_2_00E74C6E
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E85E86	5_2_00E85E86
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E72FCB	5_2_00E72FCB
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E80FAC	5_2_00E80FAC
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9FF3E	5_2_00E9FF3E
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_0040E800	6_2_0040E800
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_0040C838	6_2_0040C838
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_0040F1CA	6_2_0040F1CA
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004105F0	6_2_004105F0
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_00411250	6_2_00411250
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_00410673	6_2_00410673
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004102D0	6_2_004102D0
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_0040B2E7	6_2_0040B2E7
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004102F0	6_2_004102F0
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004106B9	6_2_004106B9
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746656370	9_2_00007FF746656370
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746637950	9_2_00007FF746637950
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466572BC	9_2_00007FF7466572BC
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746631F50	9_2_00007FF746631F50
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746650F38	9_2_00007FF746650F38
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746645F30	9_2_00007FF746645F30
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74665471C	9_2_00007FF74665471C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746659FF8	9_2_00007FF746659FF8
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746638FD0	9_2_00007FF746638FD0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746641880	9_2_00007FF746641880
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74664E01C	9_2_00007FF74664E01C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466420A0	9_2_00007FF7466420A0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746656D70	9_2_00007FF746656D70
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746642D50	9_2_00007FF746642D50
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466565EC	9_2_00007FF7466565EC
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746641E94	9_2_00007FF746641E94
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746651EE4	9_2_00007FF746651EE4
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466436E0	9_2_00007FF7466436E0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466486D0	9_2_00007FF7466486D0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74664EB30	9_2_00007FF74664EB30
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746641C90	9_2_00007FF746641C90
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74664A430	9_2_00007FF74664A430
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74664E4B0	9_2_00007FF74664E4B0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647C98	9_2_00007FF746647C98
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746650F38	9_2_00007FF746650F38
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746654280	9_2_00007FF746654280
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746641A84	9_2_00007FF746641A84
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746643AE4	9_2_00007FF746643AE4
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466422A4	9_2_00007FF7466422A4
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00436920	10_2_00436920
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00405C18	10_2_00405C18
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040B0D0	10_2_0040B0D0
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040B0D4	10_2_0040B0D4
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040A8F0	10_2_0040A8F0
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00419943	10_2_00419943
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040A260	10_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040D470	10_2_0040D470
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040AC10	10_2_0040AC10
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00409C10	10_2_00409C10
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040ED00	10_2_0040ED00
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00409DC0	10_2_00409DC0
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_004195D1	10_2_004195D1
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_004196AB	10_2_004196AB
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00418F10	10_2_00418F10
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_00FE0881	11_2_00FE0881
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_00FE4DA0	11_2_00FE4DA0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_00FE37A0	11_2_00FE37A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_00FE1C21	11_2_00FE1C21
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_00FE3ED8	11_2_00FE3ED8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_053AD198	11_2_053AD198
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_053AD193	11_2_053AD193
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B50FEC	11_2_05B50FEC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B58327	11_2_05B58327
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B58328	11_2_05B58328
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B8950C	11_2_05B8950C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B82EC0	11_2_05B82EC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B86670	11_2_05B86670
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B8B201	11_2_05B8B201
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B82F48	11_2_05B82F48
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B82968	11_2_05B82968
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C05A38	11_2_05C05A38
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C0644B	11_2_05C0644B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C020CC	11_2_05C020CC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C61A48	11_2_05C61A48
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C62A50	11_2_05C62A50
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C6E23C	11_2_05C6E23C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E5D538	11_2_05E5D538
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E557E0	11_2_05E557E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E5AB50	11_2_05E5AB50
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E58E68	11_2_05E58E68
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E57578	11_2_05E57578
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E5C4D0	11_2_05E5C4D0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05EA0408	11_2_05EA0408
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05EAA3E0	11_2_05EAA3E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C62F88	11_2_05C62F88
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F1E90	13_2_00007FFD934F1E90
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F99D0	13_2_00007FFD934F99D0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F2E70	13_2_00007FFD934F2E70
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F3990	13_2_00007FFD934F3990
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F8F30	13_2_00007FFD934F8F30
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F4DF0	13_2_00007FFD934F4DF0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F2B00	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934F6600	13_2_00007FFD934F6600
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93511FD0	13_2_00007FFD93511FD0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93512430	13_2_00007FFD93512430
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD935245D0	13_2_00007FFD935245D0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93524820	13_2_00007FFD93524820
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD935329C0	13_2_00007FFD935329C0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93532EC0	13_2_00007FFD93532EC0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93533550	13_2_00007FFD93533550
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD935324A0	13_2_00007FFD935324A0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93531D80	13_2_00007FFD93531D80
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93531FF0	13_2_00007FFD93531FF0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe 1624AF752C9F85FD117FAFB28FEB42A079F283DC133CDCC5799810072A95A6CB

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: String function: 004029DB appears 44 times
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: String function: 00007FFD934F1070 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: String function: 00007FFD934F1D70 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: String function: 00007FF746632B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: String function: 00E91590 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: String function: 00E91D60 appears 31 times
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: String function: 00E21590 appears 57 times
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: String function: 00E21D60 appears 31 times

Source: unicodedata.pyd.9.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.9.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-synch-l1-2-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: python3.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.9.dr	Static PE information: No import functions for PE file found

Source: hKgrI6tqYx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/135@1/1

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E07BFF GetLastError,FormatMessageW,

0_2_00E07BFF

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 13_2_00007FFD934F7DB0 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle,

13_2_00007FFD934F7DB0

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe

Code function: 10_2_0040122A GetDiskFreeSpaceExW,SendMessageW,

10_2_0040122A

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 13_2_00007FFD934F601F PyDict_New,memset,CreateToolhelp32Snapshot,PyErr_SetFromWindowsErr,_Py_Dealloc,Process32First,PyLong_FromLong,PyLong_FromLong,PyDict_SetItem,_Py_Dealloc,_Py_Dealloc,Process32Next,CloseHandle,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseHandle,

13_2_00007FFD934F601F

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe

Code function: 10_2_004092A9 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetDlgItem,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

10_2_004092A9

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E1C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00E1C652

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 13_2_00007FFD934F8AA0 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

13_2_00007FFD934F8AA0

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5236343

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Command line argument: sfxname	0_2_00E2037C
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Command line argument: sfxstime	0_2_00E2037C
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Command line argument: pP	0_2_00E2037C
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Command line argument: STARTDLG	0_2_00E2037C
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Command line argument: >G	0_2_00E34690
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Command line argument: sfxname	5_2_00E9037C
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Command line argument: sfxstime	5_2_00E9037C
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Command line argument: pP	5_2_00E9037C
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Command line argument: STARTDLG	5_2_00E9037C
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Command line argument: >G	5_2_00EA4690

Source: hKgrI6tqYx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\her.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: her.exe, her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: hKgrI6tqYx.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

File read: C:\Users\user\Desktop\hKgrI6tqYx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hKgrI6tqYx.exe "C:\Users\user\Desktop\hKgrI6tqYx.exe"
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe "C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -dC:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Process created: C:\Users\user\AppData\Local\Temp\HeartSender.exe "C:\Users\user\AppData\Local\Temp\HeartSender.exe"
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\user\AppData\Local\Temp\HeartSender.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Config\File00.exe config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe"
Source: C:\Users\user\AppData\Local\Temp\her.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe "C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -dC:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Process created: C:\Users\user\AppData\Local\Temp\HeartSender.exe "C:\Users\user\AppData\Local\Temp\HeartSender.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\user\AppData\Local\Temp\HeartSender.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Config\File00.exe config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: pywintypes312.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\her.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

File written: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Settings.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hKgrI6tqYx.exe

Static file information: File size 18321667 > 1048576

Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hKgrI6tqYx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hKgrI6tqYx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: hKgrI6tqYx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.9.dr
Source:	Binary string: ucrtbase.pdb source: her.exe, 0000000D.00000002.4613602499.00007FFD945B5000.00000002.00000001.01000000.00000015.sdmp, ucrtbase.dll.9.dr
Source:	Binary string: C:\Users\Jonathan\Desktop\Z\zzzproject\HtmlAgilityPack\HtmlAgilityPack\obj\Release\HtmlAgilityPack.pdb source: Heart-Sender-V1.2.exe, 00000005.00000003.2151999929.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167282638.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167437104.0000000002901000.00000004.00000020.00020000.00000000.sdmp, File00.exe, 0000000A.00000003.2167156258.00000000037D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb, source: Heart-Sender-V1.2.exe, 00000005.00000003.2152536207.0000000005392000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: her.exe, 0000000D.00000002.4611940957.00007FFD93CE9000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: her.exe, 00000009.00000003.2164962074.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4617053181.00007FFDA4343000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: her.exe, 0000000D.00000002.4613753074.00007FFD9A270000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: her.exe, 00000009.00000003.2165130663.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4615350083.00007FFD9F7F5000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.9.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: her.exe, 0000000D.00000002.4613753074.00007FFD9A270000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: her.exe, 0000000D.00000002.4616844776.00007FFDA4171000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: her.exe, 0000000D.00000002.4615595641.00007FFDA2E97000.00000002.00000001.01000000.00000027.sdmp, _hashlib.pyd.9.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\win32crypt.pdb source: her.exe, 0000000D.00000002.4614105332.00007FFD9B1C1000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: her.exe, 00000009.00000003.2165312042.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4616101131.00007FFDA3A88000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: her.exe, 0000000D.00000002.4614240277.00007FFD9DA42000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: her.exe, 0000000D.00000002.4615938704.00007FFDA354C000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: her.exe, 0000000D.00000002.4616375560.00007FFDA3BFD000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: ucrtbase.pdbUGP source: her.exe, 0000000D.00000002.4613602499.00007FFD945B5000.00000002.00000001.01000000.00000015.sdmp, ucrtbase.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: her.exe, 0000000D.00000002.4616242235.00007FFDA3AE9000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: X509_SIGPKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: her.exe, 00000009.00000003.2165130663.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4615350083.00007FFD9F7F5000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hKgrI6tqYx.exe, Heart-Sender-V1.2.exe.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: her.exe, 0000000D.00000002.4612515934.00007FFD94244000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: her.exe, 0000000D.00000002.4610913757.00007FFD9385F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: her.exe, 0000000D.00000002.4611940957.00007FFD93D81000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: her.exe, 0000000D.00000002.4611294878.00007FFD938F4000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: her.exe, 0000000D.00000002.4615808497.00007FFDA3526000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: her.exe, 00000009.00000003.2164962074.000002A3F30E7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4617053181.00007FFDA4343000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: her.exe, 0000000D.00000002.4610774378.00007FFD9370C000.00000002.00000001.01000000.0000002C.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: her.exe, 0000000D.00000002.4611940957.00007FFD93D81000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: her.exe, 0000000D.00000002.4616676087.00007FFDA3FD3000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: her.exe, 0000000D.00000002.4615938704.00007FFDA354C000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.9.dr
Source:	Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-312\Release\win32crypt.pdb!! source: her.exe, 0000000D.00000002.4614105332.00007FFD9B1C1000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: her.exe, 0000000D.00000002.4616520838.00007FFDA3EB3000.00000002.00000001.01000000.00000020.sdmp, _queue.pyd.9.dr
Source:	Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdbcQ source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdb source: her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: her.exe, 0000000D.00000002.4617184514.00007FFDA4634000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: her.exe, 0000000D.00000002.4615471394.00007FFDA086F000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: her.exe, 0000000D.00000002.4617184514.00007FFDA4634000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: her.exe, 0000000D.00000002.4600771086.0000021BD4C20000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: her.exe, 0000000D.00000002.4611294878.00007FFD938F4000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: her.exe, 0000000D.00000002.4614601979.00007FFD9DECD000.00000002.00000001.01000000.00000021.sdmp

Source: hKgrI6tqYx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hKgrI6tqYx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hKgrI6tqYx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hKgrI6tqYx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hKgrI6tqYx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Unpacked PE file: 11.2.A1.exe.850000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Unpacked PE file: 2.2.Heart-Senders-Crackeado.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Unpacked PE file: 6.2.HeartSender.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Unpacked PE file: 11.2.A1.exe.850000.0.unpack

Yara detected Babadeda

Source: Yara match	File source: 2.0.Heart-Senders-Crackeado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.HeartSender.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Heart-Senders-Crackeado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HeartSender.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\HeartSender.exe, type: DROPPED

Source: api-ms-win-core-synch-l1-1-0.dll.9.dr

Static PE information: 0xCB2C6B8E [Thu Jan 6 09:12:46 2078 UTC]

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

Code function: 2_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

2_2_0040A756

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5236343

Jump to behavior

Source: hKgrI6tqYx.exe	Static PE information: section name: .didat
Source: Heart-Sender-V1.2.exe.0.dr	Static PE information: section name: .didat
Source: Heart-Senders-Crackeado.exe.0.dr	Static PE information: section name: .code
Source: her.exe.0.dr	Static PE information: section name: _RDATA
Source: HeartSender.exe.5.dr	Static PE information: section name: .code
Source: libcrypto-3.dll.9.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.9.dr	Static PE information: section name: .00cfg
Source: python312.dll.9.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2125A push ecx; ret	0_2_00E2126D
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E21DB0 push ecx; ret	0_2_00E21DC3
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9125A push ecx; ret	5_2_00E9126D
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E91DB0 push ecx; ret	5_2_00E91DC3
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746675004 push rsp; retf	9_2_00007FF746675005
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00419290 push eax; ret	10_2_004192BE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_053A7138 push eax; mov dword ptr [esp], ecx	11_2_053A713C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_053AA160 pushad ; ret	11_2_053AA161
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B54F60 pushfd ; ret	11_2_05B54F69
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05B55229 push esp; iretd	11_2_05B55235
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C02780 pushfd ; iretd	11_2_05C02781
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C02728 pushad ; iretd	11_2_05C02729
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05C0272A push esp; iretd	11_2_05C02731
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Code function: 11_2_05E51F20 push eax; retf	11_2_05E51F21

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	13_2_00007FFD934F2B00

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\her.exe

Process created: her.exe

Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	File created: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	File created: C:\Users\user\AppData\Local\Temp\her.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	File created: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	File created: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	File created: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	File created: C:\Users\user\AppData\Local\Temp\Config\File0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	File created: C:\Users\user\AppData\Local\Temp\HtmlAgilityPack.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\HtmlAgilityPack.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\license.txt

Jump to behavior

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	13_2_00007FFD934F2B00
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	13_2_00007FFD934F2B00

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 13_2_00007FFD934F8AA0 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

13_2_00007FFD934F8AA0

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 9_2_00007FF746636EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00007FF746636EF0

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 6310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 7440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 7890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Memory allocated: 8890000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,

13_2_00007FFD934F8170

Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Window / User API: threadDelayed 9993	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Window / User API: threadDelayed 701	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Window / User API: threadDelayed 9237	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Config\File0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HtmlAgilityPack.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\HtmlAgilityPack.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\her.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\her.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\her.exe

API coverage: 3.5 %

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe TID: 2264	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe TID: 3608	Thread sleep count: 9993 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe TID: 3608	Thread sleep time: -249825s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe TID: 6740	Thread sleep time: -701000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe TID: 6740	Thread sleep time: -9237000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\her.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe

Thread sleep count: Count: 9993 delay: -25

Jump to behavior

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E0C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E0C4A8
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E1E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E1E560
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2D998 FindFirstFileExA,	0_2_00E2D998
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E7C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_00E7C4A8
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E8E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_00E8E560
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9D998 FindFirstFileExA,	5_2_00E9D998
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF7466388D0 FindFirstFileExW,FindClose,	9_2_00007FF7466388D0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746647E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF746647E4C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF746651EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF746651EE4
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	10_2_0040372C
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: 10_2_00403211 wsprintfW,FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	10_2_00403211

Source: C:\Users\user\AppData\Local\Temp\her.exe

13_2_00007FFD934F2E70

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E20B80 VirtualQuery,GetSystemInfo,

0_2_00E20B80

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\Local\Temp\EDAB.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: hKgrI6tqYx.exe, 00000000.00000002.2145713987.00000000034FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4
Source: Heart-Sender-V1.2.exe, 00000005.00000003.2155205130.0000000003105000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Heart-Senders-Crackeado.exe, 00000002.00000002.2160045744.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22
Source: Heart-Sender-V1.2.exe, 00000005.00000003.2155205130.0000000003105000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ov
Source: her.exe, 0000000D.00000002.4601483744.0000021BD67CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: hKgrI6tqYx.exe, 00000000.00000002.2145713987.00000000034FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: hKgrI6tqYx.exe	Binary or memory string: hGfS+}-

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	API call chain: ExitProcess graph end node			graph_0-26027
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	API call chain: ExitProcess graph end node			graph_5-26112

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E2647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E2647F

Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

Code function: 2_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

2_2_0040A756

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2A640 mov eax, dword ptr fs:[00000030h]		0_2_00E2A640
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9A640 mov eax, dword ptr fs:[00000030h]		5_2_00E9A640

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E2E680 GetProcessHeap,

0_2_00E2E680

Source: C:\Users\user\AppData\Local\Temp\her.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\her.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2215D SetUnhandledExceptionFilter,	0_2_00E2215D
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E212D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E212D7
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E2647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E2647F
Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: 0_2_00E21FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E21FCA
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00409950 SetUnhandledExceptionFilter,	2_2_00409950
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Code function: 2_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	2_2_00409930
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9215D SetUnhandledExceptionFilter,	5_2_00E9215D
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E912D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00E912D7
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E9647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00E9647F
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: 5_2_00E91FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00E91FCA
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	6_2_004098D0
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Code function: 6_2_004098F0 SetUnhandledExceptionFilter,	6_2_004098F0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74663C760 SetUnhandledExceptionFilter,	9_2_00007FF74663C760
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74663C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF74663C57C
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74664ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF74664ABD8
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 9_2_00007FF74663BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF74663BCE0
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934FA978 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FFD934FA978
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD934FA050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00007FFD934FA050
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93511390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00007FFD93511390
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93511960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FFD93511960
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93521390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00007FFD93521390
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93521960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FFD93521960
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93531390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00007FFD93531390
Source: C:\Users\user\AppData\Local\Temp\her.exe	Code function: 13_2_00007FFD93531960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FFD93531960

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe

Code function: 10_2_004053BB memset,??3@YAXPAX@Z,??3@YAXPAX@Z,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,

10_2_004053BB

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe "C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -dC:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Process created: C:\Users\user\AppData\Local\Temp\HeartSender.exe "C:\Users\user\AppData\Local\Temp\HeartSender.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\user\AppData\Local\Temp\HeartSender.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Config\File00.exe config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Process created: C:\Users\user\AppData\Local\Temp\her.exe her.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe

Code function: 10_2_00402757 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00402757

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E127A9 cpuid

0_2_00E127A9

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00E1D0AB
Source: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	5_2_00E8D0AB
Source: C:\Users\user\AppData\Local\Temp\Config\File00.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlen,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	10_2_00402490

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\ucrtbase.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_wmi.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\her.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\her.exe VolumeInformation

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E2037C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00E2037C

Source: C:\Users\user\AppData\Local\Temp\her.exe

Code function: 9_2_00007FF746656370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

9_2_00007FF746656370

Source: C:\Users\user\Desktop\hKgrI6tqYx.exe

Code function: 0_2_00E0D076 GetVersionExW,

0_2_00E0D076

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: her.exe PID: 3660, type: MEMORYSTR

Remote Access Functionality

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: her.exe PID: 3660, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	111 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	111 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	31 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Bootkit	1 Windows Service	211 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 Timestomp	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	4 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hKgrI6tqYx.exe	39%	ReversingLabs	Win32.Trojan.Giant
hKgrI6tqYx.exe	100%	Avira	TR/AD.Nekark.xuanb
hKgrI6tqYx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\HeartSender.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	43%	ReversingLabs	ByteCode-MSIL.PUA.Generic
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\HtmlAgilityPack.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Config\File0.exe	13%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Config\File00.exe	15%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe	18%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\HeartSender.exe	49%	ReversingLabs	Win32.Trojan.Zpevdo
C:\Users\user\AppData\Local\Temp\HtmlAgilityPack.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#r$Nrjr	0%	Avira URL Cloud	safe
https://ariesta.club/hslsx/license.php	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#	0%	Avira URL Cloud	safe
http://ariesta.club/randomusage.txt	0%	Avira URL Cloud	safe
https://busquedasxurl.com/login/conexion/bloqueadoreslogs.php?ip=	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyP	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/?~.	0%	Avira URL Cloud	safe
https://cffi.readthedocs.io/en/latest/using.html#callbacks	0%	Avira URL Cloud	safe
http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html	0%	Avira URL Cloud	safe
http://repository.swisssign.com/yyusing	0%	Avira URL Cloud	safe
https://busquedasxurl.com/login/conexion/recibidor.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
httpbin.org	44.196.3.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/8996	her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp, _rust.pyd.9.dr	false		high
https://api.telegram.org/bot	her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	her.exe, 0000000D.00000002.4607043664.0000021BD87B4000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CC2000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7CB6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/botz	her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://aka.ms/vcpython27	her.exe, 0000000D.00000002.4604434415.0000021BD7650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	her.exe, 00000009.00000002.4600693567.000002A3F30F4000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4613805866.00007FFD9A281000.00000002.00000001.01000000.0000002F.sdmp, her.exe, 0000000D.00000002.4614157111.00007FFD9B1CE000.00000002.00000001.01000000.0000002D.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	her.exe, 0000000D.00000003.2209829442.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2202329371.0000021BD720C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/	her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7BBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/	her.exe, 0000000D.00000002.4604434415.0000021BD7650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	her.exe, 0000000D.00000003.2206412272.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2210809247.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204997793.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2199899768.0000021BD6CBD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	her.exe, 0000000D.00000002.4606377445.0000021BD8330000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#r$Nrjr	her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ariesta.club/hslsx/license.php	A1.exe, 0000000B.00000002.4602994787.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	her.exe, 0000000D.00000002.4604569460.0000021BD7750000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/platformdirs/platformdirs	her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	her.exe, 0000000D.00000002.4602799395.0000021BD6D50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ariesta.club/randomusage.txt	A1.exe, 0000000B.00000002.4602994787.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, A1.exe, 0000000B.00000000.2169317843.0000000000852000.00000002.00000001.01000000.0000000E.sdmp, A1.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	her.exe, 0000000D.00000002.4604569460.0000021BD7750000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cpsrc	her.exe, 0000000D.00000002.4605543528.0000021BD7D1E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	her.exe, 0000000D.00000002.4601130409.0000021BD65AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#	her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/specifications/entry-points/	her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206329143.0000021BD7380000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206412272.0000021BD6B94000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206121721.0000021BD7347000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/build/).	her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://foo/bar.tgz	her.exe, 0000000D.00000003.2204602265.0000021BD711F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	her.exe, 0000000D.00000003.2197732068.0000021BD6C5F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2197911029.0000021BD6C6E000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206412272.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2199899768.0000021BD6C24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606778955.0000021BD86FC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	her.exe, 0000000D.00000002.4601483744.0000021BD67CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp	false		high
https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz	her.exe, 0000000D.00000003.2209829442.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://busquedasxurl.com/login/conexion/bloqueadoreslogs.php?ip=	her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604771227.0000021BD7930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.	her.exe, 0000000D.00000002.4604287723.0000021BD7550000.00000004.00001000.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	her.exe, 0000000D.00000002.4603212436.0000021BD7050000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	her.exe, 0000000D.00000003.2194424143.0000021BD673D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	her.exe, 0000000D.00000002.4613079015.00007FFD943BC000.00000008.00000001.01000000.00000016.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	her.exe, 0000000D.00000003.2206121721.0000021BD7347000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	her.exe, 0000000D.00000002.4602189035.0000021BD6A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyP	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wwwsearch.sf.net/):	her.exe, 0000000D.00000002.4605064569.0000021BD7B50000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/SD7W3	her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cffi.readthedocs.io/en/latest/using.html#callbacks	her.exe, her.exe, 0000000D.00000002.4610562150.00007FFD935BD000.00000002.00000001.01000000.00000031.sdmp, _cffi_backend.cp312-win_amd64.pyd.9.dr	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugs.python.org/issue44497.	her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602961022.0000021BD6E50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/?~.	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html	her.exe, 0000000D.00000003.2206088423.0000021BD73F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	her.exe, 0000000D.00000002.4603102512.0000021BD6F50000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602961022.0000021BD6E50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	her.exe, 0000000D.00000003.2200208620.0000021BD714D000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604150244.0000021BD7450000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4604920197.0000021BD7A30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	her.exe, 0000000D.00000002.4612515934.00007FFD94244000.00000002.00000001.01000000.00000016.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	her.exe, 0000000D.00000002.4601483744.0000021BD671B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	her.exe, 0000000D.00000002.4608522303.00007FFD92CB3000.00000002.00000001.01000000.00000030.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	her.exe, 0000000D.00000002.4603212436.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2208838631.0000021BD7B9F000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD7284000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5869	her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	her.exe, 0000000D.00000002.4601130409.0000021BD6530000.00000004.00001000.00020000.00000000.sdmp	false		high
http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html	her.exe, 0000000D.00000002.4605543528.0000021BD7C85000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD71CF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209445705.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7B92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/post	her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	her.exe, 0000000D.00000002.4604046156.0000021BD7400000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/yyusing	her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	her.exe, 0000000D.00000002.4606377445.0000021BD8330000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	her.exe, 0000000D.00000002.4604046156.0000021BD73E0000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4602424064.0000021BD6B50000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	her.exe, 0000000D.00000002.4603212436.0000021BD71BF000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4605168929.0000021BD7C00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://busquedasxurl.com/login/conexion/recibidor.php	her.exe, 0000000D.00000002.4606594636.0000021BD8560000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	her.exe, 0000000D.00000003.2202329371.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2204815585.0000021BD72E3000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2206270617.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000003.2209829442.0000021BD72DA000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD72B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	her.exe, 0000000D.00000003.2209829442.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp, her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	her.exe, 0000000D.00000002.4603212436.0000021BD7337000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	her.exe, 0000000D.00000002.4605543528.0000021BD7D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	her.exe, 0000000D.00000002.4606470110.0000021BD8430000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.196.3.45	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571324
Start date and time:	2024-12-09 09:44:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hKgrI6tqYx.exe renamed because original name is a hash value
Original Sample Name:	ef17e4c80f1630b77985efca374565ae94ba9a0a30a31b2e88ffe2d51bfe599f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/135@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 74% Number of executed functions: 285 Number of non-executed functions: 236
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: hKgrI6tqYx.exe

Simulations

Behavior and APIs

Time	Type	Description
03:45:38	API Interceptor	7777201x Sleep call for process: A1.exe modified
03:45:46	API Interceptor	3617446x Sleep call for process: HeartSender.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
44.196.3.45	L5cZ63IH4a.exe	Get hash	malicious	Python Stealer	Browse
	478y7Ve1JG.exe	Get hash	malicious	Python Stealer	Browse
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse
	maniatelo.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	L5cZ63IH4a.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	478y7Ve1JG.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	11lbKZLNnQ.exe	Get hash	malicious	Python Stealer	Browse	34.224.200.202
	r2PcRF79Mo.exe	Get hash	malicious	Python Stealer	Browse	34.224.200.202
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	34.224.200.202
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	44.196.3.45
	maniatelo.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	nsh99t9Dox.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.224.200.202
	file.exe	Get hash	malicious	Unknown	Browse	34.224.200.202
	file.exe	Get hash	malicious	Unknown	Browse	44.196.3.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	L5cZ63IH4a.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	478y7Ve1JG.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	11lbKZLNnQ.exe	Get hash	malicious	Python Stealer	Browse	34.224.200.202
	r2PcRF79Mo.exe	Get hash	malicious	Python Stealer	Browse	34.224.200.202
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	44.196.3.45
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	44.196.3.45
	maniatelo.exe	Get hash	malicious	Python Stealer	Browse	44.196.3.45
	Msig Insurance Europe.pdf	Get hash	malicious	Unknown	Browse	52.22.41.97
	qhjKN40R2Q.lnk	Get hash	malicious	Unknown	Browse	52.22.41.97
	jew.arm6.elf	Get hash	malicious	Unknown	Browse	52.91.97.115

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	bvd97HUKS3.exe	Get hash	malicious	RedLine	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe	78CB0C7EA82E64DEC145B41CD56D77693E75E312F27A8.exe	Get hash	malicious	Njrat	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Config\File00.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231424
Entropy (8bit):	6.309731009211056
Encrypted:	false
SSDEEP:	3072:bo98cfXJyH8Rpf1RAshsapucG/6I2VI6whmHAsEye7Zm8TPRQfSFEq8o:b2ZycrfbARZ0AsEye7Zm8TPXFb8
MD5:	9C7691FF597E9EFD7F796B31ACCB78E8
SHA1:	81BB289AA37D182B60E86990376A375DE7A8DECC
SHA-256:	1624AF752C9F85FD117FAFB28FEB42A079F283DC133CDCC5799810072A95A6CB
SHA-512:	739F187AAEDA13B7EBEF3918A965B8DA4EE939CD3E60D36802768F52BE7B08F5964B121D1E977F4C408FF8AE6ABA02DF4A4D37785735C2F70D8610551CBAB135
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Joe Sandbox View:	Filename: bvd97HUKS3.exe, Detection: malicious, Browse Filename: 78CB0C7EA82E64DEC145B41CD56D77693E75E312F27A8.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..Z.........."...0..0...V.......O... ...`....@.. ....................................`.................................DO..W....`../R........................................................................... ............... ..H............text..../... ...0.................. ..`.rsrc.../R...`...T...2..............@..@.reloc..............................@..B.................O......H...........X]...........................................................S.......s.......3.-2[2o....Vu.....#.(`...g....+!!._5...U...!...7.......L]&..;.K...Km....z....jY&KK..6.4..+..D...PP.+..!2..~.g.1B...o.E.tp....%}I.`...#O..&3`...l..R..@....p.N.n.8.4.ft..F."l.O;Y..I-.g...3..d....F.*.e..V..4..W'.9/wMEAs.:3..f...6V"mQg.......gK...W.$y0...\.........4...f;......V...p....].....U......H.....t.3/xg.Vq.b4...T.0.M.H.Pi..#8....`..3J.7.d.m...F..3JZ<W.S@&k.^1V.J.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\HtmlAgilityPack.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Config\File00.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126464
Entropy (8bit):	5.761526804882093
Encrypted:	false
SSDEEP:	3072:BXpTk1Pla+8e/vc/XM+MWWftfT5757XFl/gySY0SVqF:bk1tOoYD0
MD5:	97458FB37FCBEA19B16704474E0BB747
SHA1:	D846A58C2DFA287DC070A3B3EAA12DE54AEFC5F4
SHA-256:	EB6841497CAFAB1AAC432B09F4979997FA3314D4828BE15CDBD37F621BA38EAC
SHA-512:	7EDEAADAE25C60ACF5FA969655AD667826DBEC8025A09BD14933D81C3FDDF2E6409C2F60345DA2420D63C70B3B4985F8E33913FE09AF5CB4695B28B2BA561F3D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sC.Z.........." ..0.................. ... ....... .......................`............`.................................x...O.... .......................@......@................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......T...l.............................................................{...."..}........0..#...........i...+...Y.....(.......X...0..f..0..>..........o0......+..Y...o1...% ...._...c..(.......(.......X...0..f&...(.....0..:........ ...._....c.....{....(....}.......{....(....}.....{....fR~......a ...._...da..(2...n .....{...%.....(3........:.(4.....}......{....V..}.....(2.....}......{...."..}......{......{......{......{....-"..{....{2....{.....{....o5...}....

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Settings.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	148
Entropy (8bit):	4.986852033293428
Encrypted:	false
SSDEEP:	3:eKVzU1PCptZOo/yLWbGaZOo5tMXTRlUyARpqTLoIUo2Up2lC5MFKy:eEzUwTZqL0GaZAXdlU5RMVLtMsy
MD5:	C264554E8E058A904B349426E9D55106
SHA1:	07767C8AC19271942719E6A46E3AA7B35D72DD74
SHA-256:	6F19282087AE76E463085C178CEB3866908AD76D775CDAE52DCDFA54208FCD6F
SHA-512:	27C86786986337AAF2AEAC6F70486BC979A072CD0EEB9246346FE62F1E725E4280A6ED2CE63383A4AC71A8AD442D4F5029DA5683C506357828AE75096D1BE13D
Malicious:	false
Preview:	[Heart Sender V1]..TimeOut=20000..TextEncoding=-1..BodyTransferEncoding=-1..DeliveryFormat=-1..AlternativeView=-1..OwnerEmail=kadekaris8@gmail.com..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\license.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:WfE:WE
MD5:	B28BA1C42E3F7AC4A232F995DB96F8E6
SHA1:	0BA15F4F1C20646F8795641BABA59E2F52033630
SHA-256:	F9598EBA595AAB0895F5804807EAD4546E9C1770F10028D0FA843707A11F2897
SHA-512:	BEAEE548737AB29359D122FE79C8403D55C66F574AAFCE82F4DBB24E11E1FA0EA394370B52F7D1D9E2D0FFA8CE99C7E23A549170B4429CBFA9668BF865B235DB
Malicious:	false
Preview:	suxa88a

C:\Users\user\AppData\Local\Temp\Config\File0.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	538363
Entropy (8bit):	7.2253270708475235
Encrypted:	false
SSDEEP:	12288:0cl3fnoSKbSq5v8gYJQlnobo/CA91vxeGZ15UNSW:0VbSgv8gYJQxobo591vxeGz5il
MD5:	9ABFFE92535614D6EB16B9D0EFA1A604
SHA1:	FAF5236045BEC02A8A632576025D437FB88758F5
SHA-256:	9171F453D2398A43E3FAD17EA9E0A4366FAEF9F88AE43D83CB57C0BE3CC8EAED
SHA-512:	844DF724D9D762456F00466B1D8D657C6A01D638DBADD1C844B2811D3D44585E575287127EE7AFC05B127660E8DF3F7A7F5D4D431F20496BA03FAC10DD826C21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......P............................0.............@.........................................................................4...$.......4...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@..............3.07.UPX!....PA~..~.....0.......I........W,&........[.;r.....od:8g.,f../@T...@.4.,...(.z.....[..C$.V7..m....o........S..e..:1}...-.z....C...c..U\|(..T..1.hl...l.{.Cb..x..+...&./..j..K.......t.....B......_2......Ho./cL[ ..........o....~...].u.)..9d..}.l..Mr.Vn..S.....M.+.k...5p...<.0....IrK...>.e2..5...$&."!.+..<...Y].^.2.4.....t..Jf..g.H....1.,=L..-.[h.,...m4.Q...i...X.....B....*..W..}I.P. Q.W......=N.....>.}.#$h.Z%b.`.....a:`-'...q5.2}..^.w./.p4k..<.....qB4...=X..{._..x......H.k.._nS..j..9.

C:\Users\user\AppData\Local\Temp\Config\File00.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	273831
Entropy (8bit):	6.884496082958412
Encrypted:	false
SSDEEP:	6144:y7VqcNSB30oSjA8WUq2a1ttFG0GIvOakwYT/IDnL0c:4cl30oSj/qptHSHWDL0c
MD5:	D4EA176B0DC54374ABB87A1B9409FE50
SHA1:	41478E268F2A6326457C1D9C88B3BE2EDBC2298E
SHA-256:	C205A0FB5DC44CD1FC6D7B415B42A1B20589D05610D574CF9580873ABBA6A0DB
SHA-512:	CEC50C064CC05D59DADACDE3DB15B2AAE4099F2B77799C9417BDF0F6A0C5C4215ADB7488E2413CCE33BB3439F6B6F98D5F058EB829DC0338B8C7FC8DC00D360B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......P..................... ...p.. i............@............................................................................$...................................................................................................................UPX0.....p..............................UPX1................................@....rsrc.... ..........................@..............3.07.UPX!.....<.;.....N..........I........W,&........[.;r.....od:8g.,f../@T...@.4.,...(.z.....[..C$.V7..m....o........S..e..:1}...-.z....C...c..U\|(..T..1.hl...l.{.Cb..x..+...&./..j..K.......t.....B......_2......Ho./cL[ ..........o....~...].u.)..9d..}.l..Mr.Vn..S.....M.+.k...5p...<.0....IrK...>.e2..5...$&."!.+..<...Y].^.2.4.....t..Jf..g.H....1.,=L..-.[h.,...m4.Q...i...X.....B....*..W..}I.P. Q.W......=N.....>.}.#$h.Z%b.`.....a:`-'...q5.2}..^.w./.p4k..<.....qB4...=X..{._..x......H.k.._nS..j..9.

C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.715279214084234
Encrypted:	false
SSDEEP:	3:NNgnzKDD+AH1bzrVB7WgWFdAy5WWSNTjIv:NS0q01bVsgWFCyNSNT8v
MD5:	3C69D121601932C704A2D6D3033CBBDC
SHA1:	316C645B8B28ABB1BA960BA2073AEE755DFFCD4A
SHA-256:	DDA17AD1DD5065E22B3034CF313672460A41E9540EC9F47BB144DDEBA1F70608
SHA-512:	B3C47D04C7C1B0E2A419434EE94F4BCAAAF8F66136D4CC3E8DEBFF1B67E004066F2458D29E0C7C35423B49ABDDE91DDB783091EFF00786900ED1136A04DB6EBD
Malicious:	false
Preview:	@shift /0..@echo off..Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -d%temp%..start /B her.exe..

C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\HeartSender.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	5.286025169492155
Encrypted:	false
SSDEEP:	6:NS0iVlCF1VACyVgAUoNICTfVgAUoNICTfQ:NSJW1zGhUKT9hUKTY
MD5:	61F97FC413C4529B5A31C6A3960CEC5D
SHA1:	B07171A8F98EB70267AE482E22DCAE3487EE8452
SHA-256:	3F5051C1F2039B4E60ABE25BF6FCEA528F6FA5648740F74436886B193EB49D0D
SHA-512:	59A5F6C589338723CA1B6E2ADD6787BF380663513CE4AE89EE86ED0D47C609D7EFE1B8A88F058C095DDEF69833DAE3BB108964775E78FD844E2E9034118FC205
Malicious:	false
Preview:	@shift /0..@echo off..@setlocal enableextensions..@cd /d "%~dp0"..config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa..config\File0.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa..exit

C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe

Download File

Process:	C:\Users\user\Desktop\hKgrI6tqYx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	976506
Entropy (8bit):	7.717781872723254
Encrypted:	false
SSDEEP:	24576:SBkVdlYAW08zDbFWjbp0UwHqcT690+I8+2v:2sv63FWjbp01rTY0s
MD5:	94B6D18D2E0E752E6B9E914D4B6BC33F
SHA1:	72255C5C06303D849B46DE974E23F476B6797EF6
SHA-256:	3950EF3D8693C3247E4ECA34FC1320A70CF3F273FCD8D30F819875BAA4709484
SHA-512:	7D258B8BEA8CE9FA7BA536B25B278CD8EE0F6F11DF637B9639CB84D170E9867D55C829C545C37BA48A17DCBA68FA0815CCCA7D9ED66F5A11C0859A9EEBB53345
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P............................`..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...............................@..@.reloc..\%...`...&..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

Download File

Process:	C:\Users\user\Desktop\hKgrI6tqYx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.256184926989813
Encrypted:	false
SSDEEP:	1536:77fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfXxUOp4jxOZ:Xq6+ouCpk2mpcWJ0r+QNTBfXF/
MD5:	D134FFD0F669B1940AE13A37980B3881
SHA1:	772B9F2D741ADBBFB1749C24FA2CCCF2B5E0333A
SHA-256:	7FFE2852C16822F9D1BD252FC306F2BE76B22D0A1FD016B79FAB3EB4E2E9F870
SHA-512:	E2F9F358EA2C8D9D0C4CE1EC517D425933E3EC44BBA1667685941E42223460576D9FC277158CA7FD43598CF4405DECDB1B39CD3ED3DC763BB65E8081C087A0A8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....................0....@.........................................................................\|q...........E..........................................................................pt..,............................code....7.......8.................. ..`.text........P.......<.............. ..`.rdata...3...0...4..................@..@.data...,....p.......D..............@....rsrc....E.......F...V..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HeartSender.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113152
Entropy (8bit):	6.079689990457359
Encrypted:	false
SSDEEP:	1536:o7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfJgIxnjZG8T:mliUPXC8k1nJrX+fNTBfhDzT
MD5:	7FA598F8A47A856C0F9667C22BFBE056
SHA1:	6477CDB2C78B45427314BC6AD4700D457BDFE0CC
SHA-256:	644A71220963381A9E93B20611980EDE44163C45D37E914FDEBE24D32414C790
SHA-512:	2B64E4C0C70450FD8402E9897C54DD212F752DD2159DD570CB4A8FF93C90418DB64CF330283D243990205FC529B885747E0C46A7C0C1EC3381E116E40415AFEF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 49%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2..................... ....@.........................................................................ta...........g..........................................................................hd..,............................code....7.......8.................. ..`.text........P.......<.............. ..`.rdata...3... ...4..................@..@.data...$....`.......@..............@....rsrc....g.......h...R..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HtmlAgilityPack.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126464
Entropy (8bit):	5.761526804882093
Encrypted:	false
SSDEEP:	3072:BXpTk1Pla+8e/vc/XM+MWWftfT5757XFl/gySY0SVqF:bk1tOoYD0
MD5:	97458FB37FCBEA19B16704474E0BB747
SHA1:	D846A58C2DFA287DC070A3B3EAA12DE54AEFC5F4
SHA-256:	EB6841497CAFAB1AAC432B09F4979997FA3314D4828BE15CDBD37F621BA38EAC
SHA-512:	7EDEAADAE25C60ACF5FA969655AD667826DBEC8025A09BD14933D81C3FDDF2E6409C2F60345DA2420D63C70B3B4985F8E33913FE09AF5CB4695B28B2BA561F3D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sC.Z.........." ..0.................. ... ....... .......................`............`.................................x...O.... .......................@......@................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......T...l.............................................................{...."..}........0..#...........i...+...Y.....(.......X...0..f..0..>..........o0......+..Y...o1...% ...._...c..(.......(.......X...0..f&...(.....0..:........ ...._....c.....{....(....}.......{....(....}.....{....fR~......a ...._...da..(2...n .....{...%.....(3........:.(4.....}......{....V..}.....(2.....}......{...."..}......{......{......{......{....-"..{....{2....{.....{....o5...}....

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.703513333396807
Encrypted:	false
SSDEEP:	96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
MD5:	6176101B7C377A32C01AE3EDB7FD4DE6
SHA1:	5F1CB443F9D677F313BEC07C5241AEAB57502F5E
SHA-256:	EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
SHA-512:	3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968452734961967
Encrypted:	false
SSDEEP:	96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
MD5:	371776A7E26BAEB3F75C93A8364C9AE0
SHA1:	BF60B2177171BA1C6B4351E6178529D4B082BDA9
SHA-256:	15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
SHA-512:	C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061461040216793
Encrypted:	false
SSDEEP:	192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
MD5:	CB5238E2D4149636377F9A1E2AF6DC57
SHA1:	038253BABC9E652BA4A20116886209E2BCCF35AC
SHA-256:	A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
SHA-512:	B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236167046748013
Encrypted:	false
SSDEEP:	192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
MD5:	D9E7218460AEE693BEA07DA7C2B40177
SHA1:	9264D749748D8C98D35B27BEFE6247DA23FF103D
SHA-256:	38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
SHA-512:	DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d....e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558176937399355
Encrypted:	false
SSDEEP:	384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
MD5:	F751792DF10CDEED391D361E82DAF596
SHA1:	3440738AF3C88A4255506B55A673398838B4CEAC
SHA-256:	9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
SHA-512:	6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285191078037458
Encrypted:	false
SSDEEP:	192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
MD5:	BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA1:	D7C2721795113370377A1C60E5CEF393473F0CC5
SHA-256:	1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
SHA-512:	0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d....e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505471888568532
Encrypted:	false
SSDEEP:	192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
MD5:	D2175300E065347D13211F5BF7581602
SHA1:	3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
SHA-256:	94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
SHA-512:	6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.06124024160806
Encrypted:	false
SSDEEP:	384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
MD5:	45616B10ABE82D5BB18B9C3AB446E113
SHA1:	91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
SHA-256:	F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
SHA-512:	ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475467273446457
Encrypted:	false
SSDEEP:	384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
MD5:	CF3C2F35C37AA066FA06113839C8A857
SHA1:	39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
SHA-256:	1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
SHA-512:	1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838534302892255
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
MD5:	20708935FDD89B3EDDEEA27D4D0EA52A
SHA1:	85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
SHA-256:	11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
SHA-512:	F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.9047185025862925
Encrypted:	false
SSDEEP:	192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
MD5:	43BBE5D04460BD5847000804234321A6
SHA1:	3CAE8C4982BBD73AF26EB8C6413671425828DBB7
SHA-256:	FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
SHA-512:	DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300163691206422
Encrypted:	false
SSDEEP:	192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
MD5:	C6B20332B4814799E643BADFFD8DF2CD
SHA1:	E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
SHA-256:	61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
SHA-512:	D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260220483695234
Encrypted:	false
SSDEEP:	384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
MD5:	0B538205388FDD99A043EE3AFAA074E4
SHA1:	E0DD9306F1DBE78F7F45A94834783E7E886EB70F
SHA-256:	C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
SHA-512:	2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276870967324261
Encrypted:	false
SSDEEP:	384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
MD5:	6C3E976AB9F47825A5BD9F73E8DBA74E
SHA1:	4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
SHA-256:	238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
SHA-512:	B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.578113904149635
Encrypted:	false
SSDEEP:	96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
MD5:	FEE13D4FB947835DBB62ACA7EAFF44EF
SHA1:	7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
SHA-256:	3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
SHA-512:	DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143719741413071
Encrypted:	false
SSDEEP:	384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
MD5:	76F88D89643B0E622263AF676A65A8B4
SHA1:	93A365060E98890E06D5C2D61EFBAD12F5D02E06
SHA-256:	605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
SHA-512:	979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353267174592179
Encrypted:	false
SSDEEP:	384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
MD5:	D48BFFA1AF800F6969CFB356D3F75AA6
SHA1:	2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
SHA-256:	4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
SHA-512:	30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741247880746506
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
MD5:	4D9182783EF19411EBD9F1F864A2EF2F
SHA1:	DDC9F878B88E7B51B5F68A3F99A0857E362B0361
SHA-256:	C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
SHA-512:	8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.212941287344097
Encrypted:	false
SSDEEP:	192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
MD5:	F4EDB3207E27D5F1ACBBB45AAFCB6D02
SHA1:	8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
SHA-256:	3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
SHA-512:	7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181291194389683
Encrypted:	false
SSDEEP:	192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
MD5:	9D28433EA8FFBFE0C2870FEDA025F519
SHA1:	4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
SHA-256:	FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
SHA-512:	66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.140195114409974
Encrypted:	false
SSDEEP:	192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
MD5:	8A92EE2B0D15FFDCBEB7F275154E9286
SHA1:	FA9214C8BBF76A00777DFE177398B5F52C3D972D
SHA-256:	8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
SHA-512:	7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.203867759982304
Encrypted:	false
SSDEEP:	192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
MD5:	FE16E1D12CF400448E1BE3FCF2D7BB46
SHA1:	81D9F7A2C6540F17E11EFE3920481919965461BA
SHA-256:	ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
SHA-512:	A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.478301937972917
Encrypted:	false
SSDEEP:	192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
MD5:	34EBB5D4A90B5A39C5E1D87F61AE96CB
SHA1:	25EE80CC1E647209F658AEBA5841F11F86F23C4E
SHA-256:	4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
SHA-512:	82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69608744353984
Encrypted:	false
SSDEEP:	384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
MD5:	42C2F4F520BA48779BD9D4B33CD586B9
SHA1:	9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
SHA-256:	2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
SHA-512:	1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.7981108922569735
Encrypted:	false
SSDEEP:	384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
MD5:	AB0BCB36419EA87D827E770A080364F6
SHA1:	6D398F48338FB017AACD00AE188606EB9E99E830
SHA-256:	A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
SHA-512:	3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.865452719694432
Encrypted:	false
SSDEEP:	384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
MD5:	C8FE3FF9C116DB211361FBB3EA092D33
SHA1:	180253462DD59C5132FBCCC8428DEA1980720D26
SHA-256:	25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
SHA-512:	16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867732744112887
Encrypted:	false
SSDEEP:	384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
MD5:	A442EA85E6F9627501D947BE3C48A9DD
SHA1:	D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
SHA-256:	3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
SHA-512:	850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860044313282322
Encrypted:	false
SSDEEP:	384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
MD5:	59BA0E05BE85F48688316EE4936421EA
SHA1:	1198893F5916E42143C0B0F85872338E4BE2DA06
SHA-256:	C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
SHA-512:	D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.917025846093607
Encrypted:	false
SSDEEP:	384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
MD5:	8194D160FB215498A59F850DC5C9964C
SHA1:	D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
SHA-256:	55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
SHA-512:	969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.999870226643325
Encrypted:	false
SSDEEP:	192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
MD5:	C89BECC2BECD40934FE78FCC0D74D941
SHA1:	D04680DF546E2D8A86F60F022544DB181F409C50
SHA-256:	E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
SHA-512:	715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025153056783597
Encrypted:	false
SSDEEP:	192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
MD5:	C4CC05D3132FDFB05089F42364FC74D2
SHA1:	DA7A1AE5D93839577BBD25952A1672C831BC4F29
SHA-256:	8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
SHA-512:	C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235115741550938
Encrypted:	false
SSDEEP:	192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
MD5:	1E201DF4B4C8A8CD9DA1514C6C21D1C4
SHA1:	3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
SHA-256:	A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
SHA-512:	19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133714807569085
Encrypted:	false
SSDEEP:	192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
MD5:	76C84B62982843367C5F5D41B550825F
SHA1:	B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
SHA-256:	EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
SHA-512:	03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.928082706906375
Encrypted:	false
SSDEEP:	768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
MD5:	B41160CF884B9E846B890E0645730834
SHA1:	A0F35613839A0F8F4A87506CD59200CCC3C09237
SHA-256:	48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
SHA-512:	F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799063285091512
Encrypted:	false
SSDEEP:	192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
MD5:	BA46602B59FCF8B01ABB135F1534D618
SHA1:	EFF5608E05639A17B08DCA5F9317E138BEF347B5
SHA-256:	B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
SHA-512:	A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.624959985050181
Encrypted:	false
SSDEEP:	12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
MD5:	3F20627FDED2CF90E366B48EDF031178
SHA1:	00CED7CD274EFB217975457906625B1B1DA9EBDF
SHA-256:	E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
SHA-512:	05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d....e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792654050660321
Encrypted:	false
SSDEEP:	384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
MD5:	290D936C1E0544B6EC98F031C8C2E9A3
SHA1:	CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
SHA-256:	8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
SHA-512:	F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d....e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060461288575063
Encrypted:	false
SSDEEP:	1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
MD5:	5782081B2A6F0A3C6B200869B89C7F7D
SHA1:	0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
SHA-256:	E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
SHA-512:	F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488437566846231
Encrypted:	false
SSDEEP:	96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
MD5:	289EBF8B1A4F3A12614CFA1399250D3A
SHA1:	66C05F77D814424B9509DD828111D93BC9FA9811
SHA-256:	79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
SHA-512:	4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d....e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.730605326965181
Encrypted:	false
SSDEEP:	96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
MD5:	4D9C33AE53B38A9494B6FBFA3491149E
SHA1:	1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
SHA-256:	0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
SHA-512:	BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.685843290341897
Encrypted:	false
SSDEEP:	96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
MD5:	8F4313755F65509357E281744941BD36
SHA1:	2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
SHA-256:	70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
SHA-512:	FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49528
Entropy (8bit):	6.662491747506177
Encrypted:	false
SSDEEP:	768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
MD5:	F8DFA78045620CF8A732E67D1B1EB53D
SHA1:	FF9A604D8C99405BFDBBF4295825D3FCBC792704
SHA-256:	A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
SHA-512:	BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....v..........." ...&.<...8.......B...................................................`A........................................Pm.......m..x....................r..xO......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	71448
Entropy (8bit):	6.247581706260346
Encrypted:	false
SSDEEP:	1536:rRaPPkDN3nkiP6djtX5IkTIL1yUvGJtIAOnT7SyqWx5:9anmN3nkikjV5IkTIL1yUuJtIAOnTgi
MD5:	209CBCB4E1A16AA39466A6119322343C
SHA1:	CDCCE6B64EBF11FECFF739CBC57E7A98D6620801
SHA-256:	F7069734D5174F54E89B88D717133BFF6A41B01E57F79957AB3F02DAA583F9E2
SHA-512:	5BBC4EDE01729E628260CF39DF5809624EAE795FD7D51A1ED770ED54663955674593A97B78F66DBF6AE268186273840806ED06D6F7877444D32FDCA031A9F0DA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.T.S...S...S...+r..S...,...S...,...S...,...S...,...S..$....S..U+...S...S...S..$....S..$....S..$....S..$....S..Rich.S..........PE..d......e.........." ...%.f................................................... ......')....`.............................................P......d......................../..............T...........................@...@............................................text...=d.......f.................. ..`.rdata..pO.......P...j..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5874715807724025
Encrypted:	false
SSDEEP:	1536:RS7z7Sj2u5in5IVfC83zYxzbdK87kW1IACVw7SyrxX:I7z+jum3MJdN7kW1IACVwX
MD5:	59D60A559C23202BEB622021AF29E8A9
SHA1:	A405F23916833F1B882F37BDBBA2DD799F93EA32
SHA-256:	706D4A0C26DD454538926CBB2FF6C64257C3D9BD48C956F7CABD6DEF36FFD13E
SHA-512:	2F60E79603CF456B2A14B8254CEC75CE8BE0A28D55A874D4FB23D92D63BBE781ED823AB0F4D13A23DC60C4DF505CBF1DBE1A0A2049B02E4BDEC8D374898002B1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d......e.........." ...%.....^......\|........................................P......-B....`.............................................H............0....... ..,......../...@..........T...........................p...@............................................text...k........................... ..`.rdata..p>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182784
Entropy (8bit):	6.193615170968096
Encrypted:	false
SSDEEP:	3072:YRAMUp3K6YoDssyudy4VcRG+nR3hnW3mjwwOdkS9S7iSSTLkK/jftw3buz:Y6MyK65ssy+MG+LnSUwjD9zSSTLL/jl8
MD5:	0572B13646141D0B1A5718E35549577C
SHA1:	EEB40363C1F456C1C612D3C7E4923210EAE4CDF7
SHA-256:	D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
SHA-512:	67C28432CA8B389ACC26E47EB8C4977FDDD4AF9214819F89DF07FECBC8ED750D5F35807A1B195508DD1D77E2A7A9D7265049DCFBFE7665A7FD1BA45DA1E4E842
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.C.I.C.I.C.1MC.I.C.<.B.I.C.&#C.I.C.<.B.I.C.<.B.I.C.<.B.I.C.1.B.I.C.4.B.I.C.I.C I.C.<.B.I.C.1KC.I.C.<.B.I.C.<!C.I.C.<.B.I.CRich.I.C................PE..d...g..e.........." .........@......`........................................@............`..........................................w..l....w....... ..........l............0.......]...............................]..8............................................text............................... ..`.rdata..............................@..@.data...h].......0...\|..............@....pdata..l...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	125208
Entropy (8bit):	6.128664719423826
Encrypted:	false
SSDEEP:	3072:DGR936Xz4mHFK0K+bRFOoP+Szlf/EZZBKYyucV6rOoZIALPEA:qQHLK+bvvPNhf/Ei6CoX
MD5:	2A834C3738742D45C0A06D40221CC588
SHA1:	606705A593631D6767467FB38F9300D7CD04AB3E
SHA-256:	F20DFA748B878751EA1C4FE77A230D65212720652B99C4E5577BCE461BBD9089
SHA-512:	924235A506CE4D635FA7C2B34E5D8E77EFF73F963E58E29C6EF89DB157BF7BAB587678BB2120D09DA70594926D82D87DBAA5D247E861E331CF591D45EA19A117
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5.*.:...)...>...)...0...)...4...)...8.......>...w...=...w...:.......?...<..........:.......=.....F.=.......=...Rich<...........................PE..d......e.........." ...%............p_..............................................]R....`.........................................``.......`.........................../......p.......T...............................@............................................text............................... ..`.rdata..Xl.......n..................@..@.data....4.......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	252696
Entropy (8bit):	6.564448148079112
Encrypted:	false
SSDEEP:	6144:Agvd9YyMipyD41q8xDiw9qWM53pLW1AQRRRrBoZtcr3:AQ8yryD47hix4orcr3
MD5:	F930B7550574446A015BC602D59B0948
SHA1:	4EE6FF8019C6C540525BDD2790FC76385CDD6186
SHA-256:	3B9AD1D2BC9EC03D37DA86135853DAC73B3FE851B164FE52265564A81EB8C544
SHA-512:	10B864975945D6504433554F9FF11B47218CAA00F809C6BCE00F9E4089B862190A4219F659697A4BA5E5C21EDBE1D8D325950921E09371ACC4410469BD9189EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d......e.........." ...%.t...<......................................................6.....`.........................................@T..P....T..................0'......./......P...@...T...............................@............................................text....r.......t.................. ..`.rdata...............x..............@..@.data....*...p...$...P..............@....pdata..0'.......(...t..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65816
Entropy (8bit):	6.242741772115205
Encrypted:	false
SSDEEP:	1536:MElYij3wz91lBafLEmIRhtIAOIW7SybpxC:hYZBaTEmghtIAOIWE
MD5:	B0262BD89A59A3699BFA75C4DCC3EE06
SHA1:	EB658849C646A26572DEA7F6BFC042CB62FB49DC
SHA-256:	4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
SHA-512:	2E4B214DE3B306E3A16124AF434FF8F5AB832AA3EEB1AA0AA9B49B0ADA0928DCBB05C57909292FBE3B01126F4CD3FE0DAC9CC15EAEA5F3844D6E267865B9F7B1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.}&...&..'...&..'...&..'...&..'...&...'...&.x.'...&...&}..&.x.'...&.x.'...&.x.&...&.x.'...&Rich...&........................PE..d.....e.........." ...%.T..........P@....................................................`.............................................P.............................../......X...@}..T............................\|..@............p..(............................text....S.......T.................. ..`.rdata..&O...p...P...X..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.846323229710623
Encrypted:	false
SSDEEP:	3072:Fik7me1FFD+znfF9mNo+Mu6tmxzE41IAZ1Ak:FikSiUNYO+J1E4b
MD5:	B71DBE0F137FFBDA6C3A89D5BCBF1017
SHA1:	A2E2BDC40FDB83CC625C5B5E8A336CA3F0C29C5F
SHA-256:	6216173194B29875E84963CD4DC4752F7CA9493F5B1FD7E4130CA0E411C8AC6A
SHA-512:	9A5C7B1E25D8E1B5738F01AEDFD468C1837F1AC8DD4A5B1D24CE86DCAE0DB1C5B20F2FF4280960BC523AEE70B71DB54FD515047CDAF10D21A8BEC3EBD6663358
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH:..)T..)T..)T..Q...)T..VU..)T..VQ..)T..VP..)T..VW..)T.,.U..)T.]QU..)T..)U.s)T.,.Y.,)T.,.T..)T.,....)T.,.V..)T.Rich.)T.........PE..d.....e.........." ...%.d...........6....................................................`......................................... %..L...l%..x....p.......P.......@.../......4.......T...............................@............................................text....b.......d.................. ..`.rdata..............h..............@..@.data...(....@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..4............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35096
Entropy (8bit):	6.461229529356597
Encrypted:	false
SSDEEP:	768:OgYvrenSE0PXxxQ0zi+mdIAWtd5YiSyviCAMxkEj:vYTQShxQ0zlmdIAWtD7SyKAxv
MD5:	4CCBD87D76AF221F24221530F5F035D1
SHA1:	D02B989AAAC7657E8B3A70A6EE7758A0B258851B
SHA-256:	C7BBCFE2511FD1B71B916A22AD6537D60948FFA7BDE207FEFABEE84EF53CAFB5
SHA-512:	34D808ADAC96A66CA434D209F2F151A9640B359B8419DC51BA24477E485685AF10C4596A398A85269E8F03F0FC533645907D7D854733750A35BF6C691DE37799
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........*..y..y..y..y..y...x..y...x..y...x..y...x..y.J.x..y..y..y...x..y.J.x..y.J.x..y.Jky..y.J.x..yRich..y................PE..d......e.........." ...%.....>......P...............................................^.....`.........................................0E..`....E..x............p.......Z.../...........4..T............................3..@............0...............................text............................... ..`.rdata..r ...0..."..."..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	6.342203411267264
Encrypted:	false
SSDEEP:	1536:wXRnts3McbN6w/xzWssXZdR1r3RIAXtI7SyNxQ:IRvcsXZdR1rRIAXtI6
MD5:	61193E813A61A545E2D366439C1EE22A
SHA1:	F404447B0D9BFF49A7431C41653633C501986D60
SHA-256:	C21B50A7BF9DBE1A0768F5030CAC378D58705A9FE1F08D953129332BEB0FBEFC
SHA-512:	747E4D5EA1BDF8C1E808579498834E1C24641D434546BFFDFCF326E0DE8D5814504623A3D3729168B0098824C2B8929AFC339674B0D923388B9DAC66F5D9D996
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.{..w(..w(..w(.s.(..w(.tv)..w(.tr)..w(.ts)..w(.tt)..w(.v)..w(..v(..w(.sv)..w(.ss)..w(.z)..w(.w)..w(..(..w(.u)..w(Rich..w(........................PE..d......e.........." ...%.L...`............................................................`.............................................X...X............................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata..D8...`...:...P..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.4674944702653665
Encrypted:	false
SSDEEP:	768:0k+cae6rjp5MoNOfZIAQUM5YiSyvjAMxkEKu:5vSjgoNOfZIAQU27SyLxv
MD5:	F3ECA4F0B2C6C17ACE348E06042981A4
SHA1:	EB694DDA8FF2FE4CCAE876DC0515A8EFEC40E20E
SHA-256:	FB57EE6ADF6E7B11451B6920DDD2FB943DCD9561C9EAE64FDDA27C7ED0BC1B04
SHA-512:	604593460666045CA48F63D4B14FA250F9C4B9E5C7E228CC9202E7692C125AACB0018B89FAA562A4197692A9BC3D2382F9E085B305272EE0A39264A2A0F53B75
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.\.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.USa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.........PE..d......e.........." ...%.....8.......................................................I....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..8............................text...(........................... ..`.rdata.......0......................@..@.data........P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83224
Entropy (8bit):	6.338326324626716
Encrypted:	false
SSDEEP:	1536:MUuhDLiJfz76Xl+1ly+uCt9/s+S+pzcHS58/n1IsJHfsZIALwqw7Syraxi:MU6DL4fHdy+uCt9/sT+pzuSQ1IwHfsZS
MD5:	9C6283CC17F9D86106B706EC4EA77356
SHA1:	AF4F2F52CE6122F340E5EA1F021F98B1FFD6D5B6
SHA-256:	5CC62AAC52EDF87916DEB4EBBAD9ABB58A6A3565B32E7544F672ACA305C38027
SHA-512:	11FD6F570DD78F8FF00BE645E47472A96DAFFA3253E8BD29183BCCDE3F0746F7E436A106E9A68C57CC05B80A112365441D06CC719D51C906703B428A32C93124
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|../8z.\|8z.\|8z.\|1.T\|>z.\|-..}:z.\|-..}5z.\|-..}0z.\|-..};z.\|...}:z.\|8z.\|.z.\|s..}1z.\|...}9z.\|...}9z.\|..8\|9z.\|...}9z.\|Rich8z.\|........PE..d......e.........." ...%.v...........-.......................................`............`.............................................P............@.......0.........../...P..........T...............................@............................................text....u.......v.................. ..`.rdata...x.......z...z..............@..@.data...H...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.266006891462829
Encrypted:	false
SSDEEP:	3072:9PfqZRAWgyjwzCO4w5y3DUfUK8PtIAOQMo:oAWgKw2C5iSUv1
MD5:	506B13DD3D5892B16857E3E3B8A95AFB
SHA1:	42E654B36F1C79000084599D49B862E4E23D75FF
SHA-256:	04F645A32B0C58760CC6C71D09224FE90E50409EF5C81D69C85D151DFE65AFF9
SHA-512:	A94F0E9F2212E0B89EB0B5C64598B18AF71B59E1297F0F6475FA4674AE56780B1E586B5EB952C8C9FEBAD38C28AFD784273BBF56645DB2C405AFAE6F472FB65C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................}........................:...................:......:......:......:.....Rich...................PE..d.....e.........." ...%.............................................................d....`.........................................`o..P....o..................8......../.......... ...T...............................@............................................text............................... ..`.rdata..............................@..@.data...8............\|..............@....pdata..8...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177432
Entropy (8bit):	5.976892131161338
Encrypted:	false
SSDEEP:	3072:1CRW4ljuyKK8vZktW5No6XfJN54eNWXvM4VRJNI7IM/cbP7RHs3FJZ1IAC7+y:1mfEyKKaZo6XfJ2MSV+JZW
MD5:	DDB21BD1ACDE4264754C49842DE7EBC9
SHA1:	80252D0E35568E68DED68242D76F2A5D7E00001E
SHA-256:	72BB15CD8C14BA008A52D23CDCFC851A9A4BDE13DEEE302A5667C8AD60F94A57
SHA-512:	464520ECD1587F5CEDE6219FAAC2C903EE41D0E920BF3C9C270A544B040169DCD17A4E27F6826F480D4021077AB39A6CBBD35EBB3D71672EBB412023BC9E182A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wfj...9...9...9.n.9...9.i.8...9.i.8...9.i.8...9.i.8...9...8...9...9U..9.n.8...9...8...9...8...9...9...9...8...9Rich...9........PE..d.....e.........." ...%............\,..............................................t.....`......................................... ...d.......................8......../......x...@...T...............................@............................................text.............................. ..`.rdata...!......."..................@..@.data...(...........................@....pdata..8............^..............@..@.rsrc................j..............@..@.reloc..x............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	6.357254511176439
Encrypted:	false
SSDEEP:	768:6cxnHG7MYGQd0hHdzA77yeu1IACis5YiSyvoAMxkE9:6cxnm7M6dAHdzA77yeu1IACiW7Sy+xx
MD5:	C1654EBEBFEEDA425EADE8B77CA96DE5
SHA1:	A4A150F1C810077B6E762F689C657227CC4FD257
SHA-256:	AA1443A715FBF84A84F39BD89707271FC11A77B597D7324CE86FC5CFA56A63A9
SHA-512:	21705B991E75EFD5E59B8431A3B19AE5FCC38A3E7F137A9D52ACD24E7F67D61758E48ABC1C9C0D4314FA02010A1886C15EAD5BCA8DCA1B1D4CCBFC3C589D342E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............l..............................z.......................................z.......z.......z.......z......Rich....................PE..d......e.........." ...%.(...:.......&..............................................!n....`..........................................T..H....T...............p..`....`.../......t...DG..T............................C..@............@.......S..@....................text....&.......(.................. ..`.rdata..D....@... ...,..............@..@.data........`.......L..............@....pdata..`....p.......P..............@..@.rsrc................T..............@..@.reloc..t............^..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.608323768366966
Encrypted:	false
SSDEEP:	192:KFOWWthWzWf9BvVVWQ4mWqyVT/gqnajKsrCS81:uZWthWeN01IlGsrCt
MD5:	07EBE4D5CEF3301CCF07430F4C3E32D8
SHA1:	3B878B2B2720915773F16DBA6D493DAB0680AC5F
SHA-256:	8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F
SHA-512:	6C7E4DF62EBAE9934B698F231CF51F54743CF3303CD758573D00F872B8ECC2AF1F556B094503AAE91100189C0D0A93EAF1B7CAFEC677F384A1D7B4FDA2EEE598
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0............`A........................................p...,............ ...................!..............p............................................................................rdata..d...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11736
Entropy (8bit):	6.6074868843808785
Encrypted:	false
SSDEEP:	192:PUWthW6Wf9BvVVWQ4SWZifvXqnajJ6HNbLet:MWthW3NhXll6HZm
MD5:	557405C47613DE66B111D0E2B01F2FDB
SHA1:	DE116ED5DE1FFAA900732709E5E4EEF921EAD63C
SHA-256:	913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD
SHA-512:	C2B326F555B2B7ACB7849402AC85922880105857C616EF98F7FB4BBBDC2CD7F2AF010F4A747875646FCC272AB8AA4CE290B6E09A9896CE1587E638502BD4BEFB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...p.~..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.622854484071805
Encrypted:	false
SSDEEP:	192:tlWthWFWf9BvVVWQ4mWIzWLiP+CjAWqnajKsNb7:/WthWANnWLiP+CcWlGsNb7
MD5:	624401F31A706B1AE2245EB19264DC7F
SHA1:	8D9DEF3750C18DDFC044D5568E3406D5D0FB9285
SHA-256:	58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9
SHA-512:	3353734B556D6EEBC57734827450CE3B34D010E0C033E95A6E60800C0FDA79A1958EBF9053F12054026525D95D24EEC541633186F00F162475CEC19F07A0D817
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...YJ..........." .........................................................0.......s....`A........................................p................ ...................!..............p............................................................................rdata..T...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.670771733256744
Encrypted:	false
SSDEEP:	192:1mxD3+HWthWiWf9BvVVWQ4WWuhD7DiqnajKswz3:19HWthWfN/GlGswz3
MD5:	2DB5666D3600A4ABCE86BE0099C6B881
SHA1:	63D5DDA4CEC0076884BC678C691BDD2A4FA1D906
SHA-256:	46079C0A1B660FC187AAFD760707F369D0B60D424D878C57685545A3FCE95819
SHA-512:	7C6E1E022DB4217A85A4012C8E4DAEE0A0F987E4FBA8A4C952424EF28E250BAC38B088C242D72B4641157B7CC882161AEFA177765A2E23AFCDC627188A084345
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....^[..........." .........................................................0......@^....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15328
Entropy (8bit):	6.561472518225768
Encrypted:	false
SSDEEP:	192:RaNYPvVX8rFTsoWthWgWf9BvVVWQ4SWfMaPOoI80Hy5qnajslBE87QyX:HPvVXqWthWlN2WlslEE87Qw
MD5:	0F7D418C05128246AFA335A1FB400CB9
SHA1:	F6313E371ED5A1DFFE35815CC5D25981184D0368
SHA-256:	5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9
SHA-512:	7555D9D3311C8622DF6782748C2186A3738C4807FC58DF2F75E539729FC4069DB23739F391950303F12E0D25DF9F065B4C52E13B2EBB6D417CA4C12CFDECA631
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...*.;A.........." .........................................................@.......m....`A........................................p................0...................!..............p............................................................................rdata..<...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.638884356866373
Encrypted:	false
SSDEEP:	192:jlWaWthWAWf9BvVVWQ4WWloprVP+CjAWqnajKsNWqL:jIaWthWFNxtVP+CcWlGsNxL
MD5:	5A72A803DF2B425D5AAFF21F0F064011
SHA1:	4B31963D981C07A7AB2A0D1A706067C539C55EC5
SHA-256:	629E52BA4E2DCA91B10EF7729A1722888E01284EED7DDA6030D0A1EC46C94086
SHA-512:	BF44997C405C2BA80100EB0F2FF7304938FC69E4D7AE3EAC52B3C236C3188E80C9F18BDA226B5F4FDE0112320E74C198AD985F9FFD7CEA99ACA22980C39C7F69
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...=+vj.........." .........................................................0.......N....`A........................................p...L............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11744
Entropy (8bit):	6.744400973311854
Encrypted:	false
SSDEEP:	96:imdzvQzEWthWwMVDEs3f0DHDsVBIwgmqvrnDD0ADEs3TDL2L4m2grMWaLN5DEs3r:v3WthWyWf9BvVVWQ4SWVVFJqqnajW2y
MD5:	721B60B85094851C06D572F0BD5D88CD
SHA1:	4D0EE4D717AEB9C35DA8621A545D3E2B9F19B4E7
SHA-256:	DAC867476CAA42FF8DF8F5DFE869FFD56A18DADEE17D47889AFB69ED6519AFBF
SHA-512:	430A91FCECDE4C8CC4AC7EB9B4C6619243AB244EE88C34C9E93CA918E54BD42B08ACA8EA4475D4C0F5FA95241E4AACB3206CBAE863E92D15528C8E7C9F45601B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........................................................0......T`....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11736
Entropy (8bit):	6.638488013343178
Encrypted:	false
SSDEEP:	192:frWthWFWf9BvVVWQ4SWNOfvXqnajJ6H4WJ:frWthWANRXll6H4WJ
MD5:	D1DF480505F2D23C0B5C53DF2E0E2A1A
SHA1:	207DB9568AFD273E864B05C87282987E7E81D0BA
SHA-256:	0B3DFB8554EAD94D5DA7859A12DB353942406F9D1DFE3FAC3D48663C233EA99D
SHA-512:	F14239420F5DD84A15FF5FCA2FAD81D0AA9280C566FA581122A018E10EBDF308AC0BF1D3FCFC08634C1058C395C767130C5ABCA55540295C68DF24FFD931CA0A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....(..........." .........................................................0......;.....`A........................................p...`............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12256
Entropy (8bit):	6.588267640761022
Encrypted:	false
SSDEEP:	192:txlkWthW2Wf9BvVVWQ4SWBBBuUgxfzfqnaj0OTWv:txlkWthW7NkIrloFv
MD5:	73433EBFC9A47ED16EA544DDD308EAF8
SHA1:	AC1DA1378DD79762C6619C9A63FD1EBE4D360C6F
SHA-256:	C43075B1D2386A8A262DE628C93A65350E52EAE82582B27F879708364B978E29
SHA-512:	1C28CC0D3D02D4C308A86E9D0BC2DA88333DFA8C92305EC706F3E389F7BB6D15053040AFD1C4F0AA3383F3549495343A537D09FE882DB6ED12B7507115E5A263
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....pi..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..<...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.678828474114903
Encrypted:	false
SSDEEP:	192:4TWthWckWf9BvVVWQ4mWQAyUD7DiqnajKswzjdg:4TWthWcRNqGlGswzji
MD5:	7C7B61FFA29209B13D2506418746780B
SHA1:	08F3A819B5229734D98D58291BE4BFA0BEC8F761
SHA-256:	C23FE8D5C3CA89189D11EC8DF983CC144D168CB54D9EAB5D9532767BCB2F1FA3
SHA-512:	6E5E3485D980E7E2824665CBFE4F1619B3E61CE3BCBF103979532E2B1C3D22C89F65BCFBDDBB5FE88CDDD096F8FD72D498E8EE35C3C2307BACECC6DEBBC1C97F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....\|............" .........................................................0.......3....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.602852377056617
Encrypted:	false
SSDEEP:	192:Us13vuBL3B5LoWthW7Wf9BvVVWQ4mWgB7OQP+CjAWqnajKsN9arO:Us13vuBL3B2WthWmNVXP+CcWlGsN9P
MD5:	6D0550D3A64BD3FD1D1B739133EFB133
SHA1:	C7596FDE7EA1C676F0CC679CED8BA810D15A4AFE
SHA-256:	F320F9C0463DE641B396CE7561AF995DE32211E144407828B117088CF289DF91
SHA-512:	5DA9D490EF54A1129C94CE51349399B9012FC0D4B575AE6C9F1BAFCFCF7F65266F797C539489F882D4AD924C94428B72F5137009A851ECB541FE7FB9DE12FEB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...]. ,.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14800
Entropy (8bit):	6.528059454770997
Encrypted:	false
SSDEEP:	384:On2OMw3zdp3bwjGfue9/0jCRrndbZWWthWdNHhfVlGsSH:/OMwBprwjGfue9/0jCRrndbLEKv
MD5:	1ED0B196AB58EDB58FCF84E1739C63CE
SHA1:	AC7D6C77629BDEE1DF7E380CC9559E09D51D75B7
SHA-256:	8664222823E122FCA724620FD8B72187FC5336C737D891D3CEF85F4F533B8DE2
SHA-512:	E1FA7F14F39C97AAA3104F3E13098626B5F7CFD665BA52DCB2312A329639AAF5083A9177E4686D11C4213E28ACC40E2C027988074B6CC13C5016D5C5E9EF897B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...w............" .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.659218747104705
Encrypted:	false
SSDEEP:	192:2E+tWthWvWf9BvVVWQ4mWxHD7DiqnajKswzGIAf:T+tWthWiNcGlGswzLAf
MD5:	721BAEA26A27134792C5CCC613F212B2
SHA1:	2A27DCD2436DF656A8264A949D9CE00EAB4E35E8
SHA-256:	5D9767D8CCA0FBFD5801BFF2E0C2ADDDD1BAAAA8175543625609ABCE1A9257BD
SHA-512:	9FD6058407AA95058ED2FDA9D391B7A35FA99395EC719B83C5116E91C9B448A6D853ECC731D0BDF448D1436382EECC1FA9101F73FA242D826CC13C4FD881D9BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...,OT..........." .........................................................0...........`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.739082809754283
Encrypted:	false
SSDEEP:	192:vdWthW8Wf9BvVVWQ4mWG2P+CjAWqnajKsNt:lWthWJNUP+CcWlGsNt
MD5:	B3F887142F40CB176B59E58458F8C46D
SHA1:	A05948ABA6F58EB99BBAC54FA3ED0338D40CBFAD
SHA-256:	8E015CDF2561450ED9A0773BE1159463163C19EAB2B6976155117D16C36519DA
SHA-512:	7B762319EC58E3FCB84B215AE142699B766FA9D5A26E1A727572EE6ED4F5D19C859EFB568C0268846B4AA5506422D6DD9B4854DA2C9B419BFEC754F547203F7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...X.j..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.601112204637961
Encrypted:	false
SSDEEP:	192:GFPWthW5Wf9BvVVWQ4mWc0ZD7DiqnajKswzczr:GFPWthWsNiGlGswzq
MD5:	89F35CB1212A1FD8FBE960795C92D6E8
SHA1:	061AE273A75324885DD098EE1FF4246A97E1E60C
SHA-256:	058EB7CE88C22D2FF7D3E61E6593CA4E3D6DF449F984BF251D9432665E1517D1
SHA-512:	F9E81F1FEAB1535128B16E9FF389BD3DAAAB8D1DABF64270F9E563BE9D370C023DE5D5306DD0DE6D27A5A099E7C073D17499442F058EC1D20B9D37F56BCFE6D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...ig............" .........................................................0......H.....`A........................................p...H............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14288
Entropy (8bit):	6.521808801015781
Encrypted:	false
SSDEEP:	192:/uUk1Jzb9cKcIzWthWzaWf9BvVVWQ4mWmrcLUVT/gqnajKsrCOV:/bk1JzBcKcIzWthWzXNz1IlGsrCOV
MD5:	0C933A4B3C2FCF1F805EDD849428C732
SHA1:	B8B19318DBB1D2B7D262527ABD1468D099DE3FB6
SHA-256:	A5B733E3DCE21AB62BD4010F151B3578C6F1246DA4A96D51AC60817865648DD3
SHA-512:	B25ED54345A5B14E06AA9DADD07B465C14C23225023D7225E04FBD8A439E184A7D43AB40DF80E3F8A3C0F2D5C7A79B402DDC6B9093D0D798E612F4406284E39D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....U..........." .........................................................0......Y.....`A........................................p................ ...................!..............p............................................................................rdata..4...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.671157737548847
Encrypted:	false
SSDEEP:	192:7oDfIeVWthWZWf9BvVVWQ4mWaHvP+CjAWqnajKsNZ:7oDfIeVWthWMNVP+CcWlGsNZ
MD5:	7E8B61D27A9D04E28D4DAE0BFA0902ED
SHA1:	861A7B31022915F26FB49C79AC357C65782C9F4B
SHA-256:	1EF06C600C451E66E744B2CA356B7F4B7B88BA2F52EC7795858D21525848AC8C
SHA-512:	1C5B35026937B45BEB76CB8D79334A306342C57A8E36CC15D633458582FC8F7D9AB70ACE7A92144288C6C017F33ECFC20477A04432619B40A21C9CDA8D249F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........................................................0......N.....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.599056003106114
Encrypted:	false
SSDEEP:	192:gR7WthWTVWf9BvVVWQ4mWg2a5P+CjAWqnajKsNQbWl:gVWthWkN/P+CcWlGsNMg
MD5:	8D12FFD920314B71F2C32614CC124FEC
SHA1:	251A98F2C75C2E25FFD0580F90657A3EA7895F30
SHA-256:	E63550608DD58040304EA85367E9E0722038BA8E7DC7BF9D91C4D84F0EC65887
SHA-512:	5084C739D7DE465A9A78BCDBB8A3BD063B84A68DCFD3C9EF1BFA224C1CC06580E2A2523FD4696CFC48E9FD068A2C44DBC794DD9BDB43DC74B4E854C82ECD3EA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....X4.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.602527553095181
Encrypted:	false
SSDEEP:	192:zGeVfcWthW+Wf9BvVVWQ4mWMiSID7DiqnajKswz5g:zGeVfcWthWjN6SIGlGswza
MD5:	9FA3FC24186D912B0694A572847D6D74
SHA1:	93184E00CBDDACAB7F2AD78447D0EAC1B764114D
SHA-256:	91508AB353B90B30FF2551020E9755D7AB0E860308F16C2F6417DFB2E9A75014
SHA-512:	95AD31C9082F57EA57F5B4C605331FCAD62735A1862AFB01EF8A67FEA4E450154C1AE0C411CF3AC5B9CD35741F8100409CC1910F69C1B2D807D252389812F594
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....P..........." .........................................................0.......`....`A........................................p................ ...................!..............p............................................................................rdata..P...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.6806369134652055
Encrypted:	false
SSDEEP:	192:qyMv0WthWPWf9BvVVWQ4mWIv/r+YVqnajKsSF:qyMv0WthWCNBfVlGsSF
MD5:	C9CBAD5632D4D42A1BC25CCFA8833601
SHA1:	09F37353A89F1BFE49F7508559DA2922B8EFEB05
SHA-256:	F3A7A9C98EBE915B1B57C16E27FFFD4DDF31A82F0F21C06FE292878E48F5883E
SHA-512:	2412E0AFFDC6DB069DE7BD9666B7BAA1CD76AA8D976C9649A4C2F1FFCE27F8269C9B02DA5FD486EC86B54231B1A5EBF6A1C72790815B7C253FEE1F211086892F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....E.=.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..,...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13776
Entropy (8bit):	6.573983778839785
Encrypted:	false
SSDEEP:	384:miwidv3V0dfpkXc0vVauzIWthWLN3fVlGsStY:nHdv3VqpkXc0vVaKbiYlY
MD5:	4CCDE2D1681217E282996E27F3D9ED2E
SHA1:	8EDA134B0294ED35E4BBAC4911DA620301A3F34D
SHA-256:	D6708D1254ED88A948871771D6D1296945E1AA3AEB7E33E16CC378F396C61045
SHA-512:	93FE6AE9A947AC88CC5ED78996E555700340E110D12B2651F11956DB7CEE66322C269717D31FCCB31744F4C572A455B156B368F08B70EDA9EFFEC6DE01DBAB23
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....k,..........." .........................................................0......3.....`A........................................p...X............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.7137872023984055
Encrypted:	false
SSDEEP:	192:TtZ3KjWthWzWf9BvVVWQ4mWXU0P+CjAWqnajKsN2v:TtZ3KjWthWeNwP+CcWlGsNa
MD5:	E86CFC5E1147C25972A5EEFED7BE989F
SHA1:	0075091C0B1F2809393C5B8B5921586BDD389B29
SHA-256:	72C639D1AFDA32A65143BCBE016FE5D8B46D17924F5F5190EB04EFE954C1199A
SHA-512:	EA58A8D5AA587B7F5BDE74B4D394921902412617100ED161A7E0BEF6B3C91C5DAE657065EA7805A152DD76992997017E070F5415EF120812B0D61A401AA8C110
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...jN/..........." .........................................................0............`A........................................p...x............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.614330511483598
Encrypted:	false
SSDEEP:	192:vgdKIMFYJWthW2Wf9BvVVWQ4SW2zZ7uUgxfzfqnaj0OGWh:0hJWthW7NBzIrloYh
MD5:	206ADCB409A1C9A026F7AFDFC2933202
SHA1:	BB67E1232A536A4D1AE63370BD1A9B5431335E77
SHA-256:	76D8E4ED946DEEFEEFA0D0012C276F0B61F3D1C84AF00533F4931546CBB2F99E
SHA-512:	727AA0C4CD1A0B7E2AFFDCED5DA3A0E898E9BAE3C731FF804406AD13864CEE2B27E5BAAC653BAB9A0D2D961489915D4FCAD18557D4383ECB0A066902276955A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....~y..........." .........................................................0............`A........................................p...H............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.704366348384627
Encrypted:	false
SSDEEP:	192:Ha2WthWKOWf9BvVVWQ4mWNOrVT/gqnajKsrCkb:Ha2WthWKTNz1IlGsrCo
MD5:	91A2AE3C4EB79CF748E15A58108409AD
SHA1:	D402B9DF99723EA26A141BFC640D78EAF0B0111B
SHA-256:	B0EDA99EABD32FEFECC478FD9FE7439A3F646A864FDAB4EC3C1F18574B5F8B34
SHA-512:	8527AF610C1E2101B6F336A142B1A85AC9C19BB3AF4AD4A245CFB6FD602DC185DA0F7803358067099475102F3A8F10A834DC75B56D3E6DED2ED833C00AD217ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....%j.........." .........................................................0......\|B....`A........................................p...P............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.623077637622405
Encrypted:	false
SSDEEP:	192:jWthWYWf9BvVVWQ4mWd8l1P+CjAWqnajKsNeCw:jWthW9NnP+CcWlGsNex
MD5:	1E4C4C8E643DE249401E954488744997
SHA1:	DB1C4C0FC907100F204B21474E8CD2DB0135BC61
SHA-256:	F28A8FE2CD7E8E00B6D2EC273C16DB6E6EEA9B6B16F7F69887154B6228AF981E
SHA-512:	EF8411FD321C0E363C2E5742312CC566E616D4B0A65EFF4FB6F1B22FDBEA3410E1D75B99E889939FF70AD4629C84CEDC88F6794896428C5F0355143443FDC3A3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....R..........." .........................................................0............`A........................................p...<............ ...................!..............p............................................................................rdata..p...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.643812426159955
Encrypted:	false
SSDEEP:	192:fSWthWvWf9BvVVWQ4mWFl5P+CjAWqnajKsNifl:aWthWiN+5P+CcWlGsNiN
MD5:	FA770BCD70208A479BDE8086D02C22DA
SHA1:	28EE5F3CE3732A55CA60AEE781212F117C6F3B26
SHA-256:	E677497C1BAEFFFB33A17D22A99B76B7FA7AE7A0C84E12FDA27D9BE5C3D104CF
SHA-512:	F8D81E350CEBDBA5AFB579A072BAD7986691E9F3D4C9FEBCA8756B807301782EE6EB5BA16B045CFA29B6E4F4696E0554C718D36D4E64431F46D1E4B1F42DC2B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................" .........................................................0......l.....`A........................................P................ ...................!..............p............................................................................rdata..@...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15824
Entropy (8bit):	6.438848882089563
Encrypted:	false
SSDEEP:	192:yjQ/w8u4cyNWthWYWf9BvVVWQ4mWhu1BVT/gqnajKsrC74m:8yNWthW9Np1IlGsrCEm
MD5:	4EC4790281017E616AF632DA1DC624E1
SHA1:	342B15C5D3E34AB4AC0B9904B95D0D5B074447B7
SHA-256:	5CF5BBB861608131B5F560CBF34A3292C80886B7C75357ACC779E0BF98E16639
SHA-512:	80C4E20D37EFF29C7577B2D0ED67539A9C2C228EDB48AB05D72648A6ED38F5FF537715C130342BEB0E3EF16EB11179B9B484303354A026BDA3A86D5414D24E69
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....P............" .........................................................@............`A........................................P................0...................!..............p............................................................................rdata..>...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.6061629057490245
Encrypted:	false
SSDEEP:	192:vWOPWthWAWf9BvVVWQ4mWWbgftmP+CjAWqnajKsNURPblh:BWthWFN+f8P+CcWlGsNURzv
MD5:	7A859E91FDCF78A584AC93AA85371BC9
SHA1:	1FA9D9CAD7CC26808E697373C1F5F32AAF59D6B7
SHA-256:	B7EE468F5B6C650DADA7DB3AD9E115A0E97135B3DF095C3220DFD22BA277B607
SHA-512:	A368F21ECA765AFCA86E03D59CF953500770F4A5BFF8B86B2AC53F1B5174C627E061CE9A1F781DC56506774E0D0B09725E9698D4DC2D3A59E93DA7EF3D900887
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...t............." .........................................................0......H.....`A........................................P..."............ ...................!..............p............................................................................rdata..r...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13776
Entropy (8bit):	6.65347762698107
Encrypted:	false
SSDEEP:	192:WxSnWlC0i5ClWthWTWf9BvVVWQ4mW+hkKVT/gqnajKsrCw/:WxSnWm5ClWthW+NkK1IlGsrCY
MD5:	972544ADE7E32BFDEB28B39BC734CDEE
SHA1:	87816F4AFABBDEC0EC2CFEB417748398505C5AA9
SHA-256:	7102F8D9D0F3F689129D7FE071B234077FBA4DD3687071D1E2AEAA137B123F86
SHA-512:	5E1131B405E0C7A255B1C51073AFF99E2D5C0D28FD3E55CABC04D463758A575A954008EA1BA5B4E2B345B49AF448B93AD21DFC4A01573B3CB6E7256D9ECCEEF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...1............" .........................................................0......':....`A........................................P................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.58394079658593
Encrypted:	false
SSDEEP:	192:YFY17aFBRQWthWIWf9BvVVWQ4mWHhOP+CjAWqnajKsNngJ:YQtWthWNNdP+CcWlGsNI
MD5:	8906279245F7385B189A6B0B67DF2D7C
SHA1:	FCF03D9043A2DAAFE8E28DEE0B130513677227E4
SHA-256:	F5183B8D7462C01031992267FE85680AB9C5B279BEDC0B25AB219F7C2184766F
SHA-512:	67CAC89AE58CC715976107F3BDF279B1E78945AFD07E6F657E076D78E92EE1A98E3E7B8FEAE295AF5CE35E00C804F3F53A890895BADB1EED32377D85C21672B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0.......l....`A........................................P................ ...................!..............p............................................................................rdata..f...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.696904963591775
Encrypted:	false
SSDEEP:	192:m8qWthWLWf9BvVVWQ4WWLXlyBZr+YVqnajKsS1:mlWthWWN0uZfVlGsS1
MD5:	DD8176E132EEDEA3322443046AC35CA2
SHA1:	D13587C7CC52B2C6FBCAA548C8ED2C771A260769
SHA-256:	2EB96422375F1A7B687115B132A4005D2E7D3D5DC091FB0EB22A6471E712848E
SHA-512:	77CB8C44C8CC8DD29997FBA4424407579AC91176482DB3CF7BC37E1F9F6AA4C4F5BA14862D2F3A9C05D1FDD7CA5A043B5F566BD0E9A9E1ED837DA9C11803B253
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...r..[.........." .........................................................0.......P....`A........................................P...e............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20944
Entropy (8bit):	6.216554714002396
Encrypted:	false
SSDEEP:	384:rQM4Oe59Ckb1hgmLRWthW0N0JBJ1IlGsrC5W:sMq59Bb1jYNABHJc
MD5:	A6A3D6D11D623E16866F38185853FACD
SHA1:	FBEADD1E9016908ECCE5753DE1D435D6FCF3D0B5
SHA-256:	A768339F0B03674735404248A039EC8591FCBA6FF61A3C6812414537BADD23B0
SHA-512:	ABBF32CEB35E5EC6C1562F9F3B2652B96B7DBD97BFC08D918F987C0EC0503E8390DD697476B2A2389F0172CD8CF16029FD2EC5F32A9BA3688BF2EBEEFB081B2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........,...............................................P............`A........................................P....%...........@...............0...!..............p............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.604643094751227
Encrypted:	false
SSDEEP:	192:uFdyqjd7NWthWxWf9BvVVWQ4mW+JZD7DiqnajKswzR1:YQsWthWkNfZGlGswzR1
MD5:	074B81A625FB68159431BB556D28FAB5
SHA1:	20F8EAD66D548CFA861BC366BB1250CED165BE24
SHA-256:	3AF38920E767BD9EBC08F88EAF2D08C748A267C7EC60EAB41C49B3F282A4CF65
SHA-512:	36388C3EFFA0D94CF626DECAA1DA427801CC5607A2106ABDADF92252C6F6FD2CE5BF0802F5D0A4245A1FFDB4481464C99D60510CF95E83EBAF17BD3D6ACBC3DC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....u..........." .........................................................0............`A........................................P...x............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.449023660091811
Encrypted:	false
SSDEEP:	192:eUW9MPrpJhhf4AN5/KihWthWBWf9BvVVWQ4mWRXwsD7DiqnajKswzK:eUZr7HWthWUNkGlGswzK
MD5:	F1A23C251FCBB7041496352EC9BCFFBE
SHA1:	BE4A00642EC82465BC7B3D0CC07D4E8DF72094E8
SHA-256:	D899C2F061952B3B97AB9CDBCA2450290B0F005909DDD243ED0F4C511D32C198
SHA-512:	31F8C5CD3B6E153073E2E2EDF0CA8072D0F787784F1611A57219349C1D57D6798A3ADBD6942B0F16CEF781634DD8691A5EC0B506DF21B24CB70AEE5523A03FD9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....h.y.........." .........................................................@............`A........................................P...4............0...................!..............p............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17872
Entropy (8bit):	6.3934828478655685
Encrypted:	false
SSDEEP:	192:hA2uWYFxEpahDWthWDWf9BvVVWQ4mWR3ir+YVqnajKsSO:hIFVhDWthWONlfVlGsSO
MD5:	55B2EB7F17F82B2096E94BCA9D2DB901
SHA1:	44D85F1B1134EE7A609165E9C142188C0F0B17E0
SHA-256:	F9D3F380023A4C45E74170FE69B32BCA506EE1E1FBE670D965D5B50C616DA0CB
SHA-512:	0CF0770F5965A83F546253DECFA967D8F85C340B5F6EA220D3CAA14245F3CDB37C53BF8D3DA6C35297B22A3FA88E7621202634F6B3649D7D9C166A221D3456A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d......w.........." ......... ...............................................@......>>....`A........................................P...a............0...............$...!..............p............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	6.279474608881223
Encrypted:	false
SSDEEP:	384:jvEvevdv8vPozmVx0C5yguNvZ5VQgx3SbwA7yMVIkFGlPWthWXNjqujGlGswz7:2ozmT5yguNvZ5VQgx3SbwA71IkFFaJft
MD5:	9B79965F06FD756A5EFDE11E8D373108
SHA1:	3B9DE8BF6B912F19F7742AD34A875CBE2B5FFA50
SHA-256:	1A916C0DB285DEB02C0B9DF4D08DAD5EA95700A6A812EA067BD637A91101A9F6
SHA-512:	7D4155C00D65C3554E90575178A80D20DC7C80D543C4B5C4C3F508F0811482515638FE513E291B82F958B4D7A63C9876BE4E368557B07FF062961197ED4286FB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...$............" ........."...............................................@............`A........................................P................0...............&...!..............p............................................................................rdata../...........................@..@.rsrc........0......."..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14288
Entropy (8bit):	6.547753630184197
Encrypted:	false
SSDEEP:	192:ENDCWthWHWf9BvVVWQ4mWG5xqcVT/gqnajKsrC/V:TWthW6N/xqc1IlGsrC/V
MD5:	1D48A3189A55B632798F0E859628B0FB
SHA1:	61569A8E4F37ADC353986D83EFC90DC043CDC673
SHA-256:	B56BC94E8539603DD2F0FEA2F25EFD17966315067442507DB4BFFAFCBC2955B0
SHA-512:	47F329102B703BFBB1EBAEB5203D1C8404A0C912019193C93D150A95BB0C5BA8DC101AC56D3283285F9F91239FC64A66A5357AFE428A919B0BE7194BADA1F64F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...E............" .........................................................0......f.....`A........................................P................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.686357863452704
Encrypted:	false
SSDEEP:	192:ZjfHQdufWthWCWf9BvVVWQ4mWMlUteSP+CjAWqnajKsN0c:ZfZWthW/Nd4P+CcWlGsN0c
MD5:	DBC27D384679916BA76316FB5E972EA6
SHA1:	FB9F021F2220C852F6FF4EA94E8577368F0616A4
SHA-256:	DD14133ADF5C534539298422F6C4B52739F80ACA8C5A85CA8C966DEA9964CEB1
SHA-512:	CC0D8C56749CCB9D007B6D3F5C4A8F1D4E368BB81446EBCD7CC7B40399BBD56D0ACABA588CA172ECB7472A8CBDDBD4C366FFA38094A832F6D7E343B813BA565E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....@n#.........." .........................................................0............`A........................................P...^............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332263
Entropy (8bit):	5.5864676354018465
Encrypted:	false
SSDEEP:	12288:uttcY+bStOmgRF1+fYNXPh26UZWAzCu7joqYnhjHgkVHdmmPnHz1dG6sF7aYceM:uttcY+UHCiCAd+cqHdmmPHzvwaYceM
MD5:	630153AC2B37B16B8C5B0DBB69A3B9D6
SHA1:	F901CD701FE081489B45D18157B4A15C83943D9D
SHA-256:	EC4E6B8E9F6F1F4B525AF72D3A6827807C7A81978CB03DB5767028EBEA283BE2
SHA-512:	7E3A434C8DF80D32E66036D831CBD6661641C0898BD0838A07038B460261BF25B72A626DEF06D0FAA692CAF64412CA699B1FA7A848FE9D969756E097CBA39E41
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI59122\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290282
Entropy (8bit):	6.048183244201235
Encrypted:	false
SSDEEP:	6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
MD5:	302B49C5F476C0AE35571430BB2E4AA0
SHA1:	35A7837A3F1B960807BF46B1C95EC22792262846
SHA-256:	CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
SHA-512:	1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.674392865869017
Encrypted:	false
SSDEEP:	96:KGUmje72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFXiHBpv9cX6gTim1qeSC:rjQ2HzzU2bRYoe1HH9cqgTimoe
MD5:	D9E0217A89D9B9D1D778F7E197E0C191
SHA1:	EC692661FCC0B89E0C3BDE1773A6168D285B4F0D
SHA-256:	ECF12E2C0A00C0ED4E2343EA956D78EED55E5A36BA49773633B2DFE7B04335C0
SHA-512:	3B788AC88C1F2D682C1721C61D223A529697C7E43280686B914467B3B39E7D6DEBAFF4C0E2F42E9DDDB28B522F37CB5A3011E91C66D911609C63509F9228133D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d....jAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	5.917175475547778
Encrypted:	false
SSDEEP:	3072:bA3W6Fck6/g5DzNa4cMy/dzpd1dhdMdJGFEr6/vD:MW6NzcMy/d13FErgvD
MD5:	BF9A9DA1CF3C98346002648C3EAE6DCF
SHA1:	DB16C09FDC1722631A7A9C465BFE173D94EB5D8B
SHA-256:	4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
SHA-512:	7371407D12E632FC8FB031393838D36E6A1FE1E978CED36FF750D84E183CDE6DD20F75074F4597742C9F8D6F87AF12794C589D596A81B920C6C62EE2BA2E5654
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d....jAe.........." ...%.:...........<.......................................0............`.........................................@...d.......................(............ ......P...................................@............P...............................text....8.......:.................. ..`.rdata...W...P...X...>..............@..@.data...8=.......0..................@....pdata..(...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\LICENSE.APACHE

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\LICENSE.BSD

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5292
Entropy (8bit):	5.115440205505611
Encrypted:	false
SSDEEP:	96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
MD5:	137D13F917D94C83137A0FA5AE12B467
SHA1:	01E93402C225BF2A4EE59F9A06F8062CB5E4801E
SHA-256:	36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
SHA-512:	1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15334
Entropy (8bit):	5.552806309785179
Encrypted:	false
SSDEEP:	384:3X62U/ZfaigdSwJN5i6s7B0Ppzx6uvndLE4:3NUxfzgFthE4
MD5:	D88787EC6163B4F45579EA7CF7F56044
SHA1:	B241754AF16F5B2523DE1D07520DADB5ABA559BA
SHA-256:	E5265DE4206BAB1FB0C96212067AA1EB479C85AB0495B915938DDB365B0C948D
SHA-512:	F4F1C213458AC42A3417A870F7C6D2A125950F588C76F8A83D605242ABBDBCC2CBE70CA49A700710AA23AC143F2702963DEA48043C5CA86FBF0D3CE07126C696
Malicious:	false
Preview:	cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.0203365408149025
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
MD5:	4B432A99682DE414B29A683A3546B69F
SHA1:	F59C5016889EE5E9F62D09B22AEFBC2211A56C93
SHA-256:	F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
SHA-512:	CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-41.0.7.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:cOv:Nv
MD5:	E7274BD06FF93210298E7117D11EA631
SHA1:	7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:	28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:	AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:	false
Preview:	cryptography.

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6673920
Entropy (8bit):	6.582002531606852
Encrypted:	false
SSDEEP:	98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
MD5:	486085AAC7BB246A173CEEA0879230AF
SHA1:	EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
SHA-256:	C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
SHA-512:	8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......QN.../.../.../...W(../......./......./......./......./...R.../...Z.../..^W.../.../...-../...",......./.../.../......./......./..Rich./..........PE..d...M7ee.........." ...&..M..........L...................................... f...........`......................................... .a.p.....a.\|............Pb..............Pe.p...p.[.T.....................[.(...0.[.@............0M..............................text.....M.......M................. ..`.rdata.......0M.......M.............@..@.data........0a.......a.............@....pdata.......Pb.......b.............@..@.reloc..p....Pe.......e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5191960
Entropy (8bit):	5.962142634441191
Encrypted:	false
SSDEEP:	98304:n3+pefu6fSar+SJ8aqfPomg1CPwDvt3uFlDCE:3G+u6fb+SJ8aqfwmg1CPwDvt3uFlDCE
MD5:	E547CF6D296A88F5B1C352C116DF7C0C
SHA1:	CAFA14E0367F7C13AD140FD556F10F320A039783
SHA-256:	05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
SHA-512:	9F42EDF04C7AF350A00FA4FDF92B8E2E6F47AB9D2D41491985B20CD0ADDE4F694253399F6A88F4BDD765C4F49792F25FB01E84EC03FD5D0BE8BB61773D77D74D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%..7..4......v.........................................O.......P...`.........................................P.H.0....kN.@.....N.\|.....K.d.....O../....N....P.C.8.............................C.@............`N..............................text.....7.......7................. ..`.rdata....... 7.......7.............@..@.data....n....K..<....J.............@....pdata..0.....K......4K.............@..@.idata...%...`N..&....N.............@..@.00cfg..u.....N.......N.............@..@.rsrc...\|.....N......0N.............@..@.reloc........N......8N.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	787224
Entropy (8bit):	5.609561366841894
Encrypted:	false
SSDEEP:	12288:ytPc2nnGoNg4kSHoxX09yO5EavUFe9Xb12:y9jnnpTHoxXUsFe9XbM
MD5:	19A2ABA25456181D5FB572D88AC0E73E
SHA1:	656CA8CDFC9C3A6379536E2027E93408851483DB
SHA-256:	2E9FBCD8F7FDC13A5179533239811456554F2B3AA2FB10E1B17BE0DF81C79006
SHA-512:	DF17DC8A882363A6C5A1B78BA3CF448437D1118CCC4A6275CC7681551B13C1A4E0F94E30FFB94C3530B688B62BFF1C03E57C2C185A7DF2BF3E5737A06E114337
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%...........K........................................ ............`..........................................g...Q..............s.......@M......./......`.......8...........................`...@............p...............................text...D)......................... ..`.rdata..Hy...@...z..................@..@.data....N.......H..................@....pdata...V.......X..................@..@.idata...c...p...d...H..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..4...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.90551713971002
Encrypted:	false
SSDEEP:	1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
MD5:	01F9D30DD889A3519E3CA93FE6EFEE70
SHA1:	EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
SHA-256:	A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
SHA-512:	76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`T..$5..$5..$5..-M3..5..v@..&5..v@..(5..v@..,5..v@.. 5...k..&5..oM..55..$5...5...@..45...@..%5...@_.%5...@..%5..Rich$5..........................PE..d.....~e.........." .........h..............................................@............`.........................................P...`.......@.... .......................0..(.......................................8............................................text............................... ..`.rdata..\|I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.385263095268062
Encrypted:	false
SSDEEP:	3072:gP9/HQAYp/8IdzL37lqrEJesY7p7Ndrjt8HWcFwUT6ZIALhNn6:opFYp/vdzL3pqrEJ2xDrJ8DdT6A
MD5:	F179C9BDD86A2A218A5BF9F0F1CF6CD9
SHA1:	4544FB23D56CC76338E7F71F12F58C5FE89D0D76
SHA-256:	C42874E2CF034FB5034F0BE35F7592B8A96E8903218DA42E6650C504A85B37CC
SHA-512:	3464ECE5C6A0E95EF6136897B70A96C69E552D28BFEDD266F13EEC840E36EC2286A1FB8973B212317DE6FE3E93D7D7CC782EB6FC3D6A2A8F006B34F6443498DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W,.6B..6B..6B..N..6B..IC..6B..IG..6B..IF..6B..IA..6B...C..6B..NC..6B..6C..6B...O..6B...B..6B......6B...@..6B.Rich.6B.........PE..d......e.........." ...%.............................................................)....`......................................... ...P...p............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata..D.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68376
Entropy (8bit):	6.14896460878624
Encrypted:	false
SSDEEP:	768:LV1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM/u:LDmF61JFn+/OHZIAL0R7SyHxy
MD5:	6271A2FE61978CA93E60588B6B63DEB2
SHA1:	BE26455750789083865FE91E2B7A1BA1B457EFB8
SHA-256:	A59487EA2C8723277F4579067248836B216A801C2152EFB19AFEE4AC9785D6FB
SHA-512:	8C32BCB500A94FF47F5EF476AE65D3B677938EBEE26E80350F28604AAEE20B044A5D55442E94A11CCD9962F34D22610B932AC9D328197CF4D2FFBC7DF640EFBA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T...5e..5e..5e..m..5e..e..5e.....5e..g..5e.Rich.5e.........PE..d......e.........." ...%............................................................x.....`.........................................`...H................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\python312.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7009048
Entropy (8bit):	5.7826778751744685
Encrypted:	false
SSDEEP:	49152:mz0oCxOqKWneF3o1VLCClOTNRpaOviXEYWyb3eOYTvuFsx/iac84YNFXiTlv5WF4:mooCcqKLHX+az2Ro8Kv7HDMiEB/
MD5:	550288A078DFFC3430C08DA888E70810
SHA1:	01B1D31F37FB3FD81D893CC5E4A258E976F5884F
SHA-256:	789A42AC160CEF98F8925CB347473EEEB4E70F5513242E7FABA5139BA06EDF2D
SHA-512:	7244432FC3716F7EF27630D4E8FBC8180A2542AA97A01D44DCA260AB43966DD8AC98B6023400B0478A4809AACE1A128F1F4D6E544F2E591A5B436FD4C8A9D723
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..e...e...e...d...e.......e...`...e...a...e...f...e.......e..d...e...d...e..Bh.M.e..Be...e..B....e..Bg...e.Rich..e.........................PE..d......e.........." ...%.$)..ZB......]........................................k.....:.k...`...........................................O.d...toP......Pj.......`.dZ....j../...`j.pZ....3.T.....................I.(...P.3.@............@)..............................text....")......$)................. ..`.rdata...T'..@)..V'..().............@..@.data....?....P......~P.............@....pdata..dZ....`..\....`.............@..@PyRuntim.....@c......\b.............@....rsrc........Pj......^i.............@..@.reloc..pZ...`j..\...hi.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes312.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.9953900911096785
Encrypted:	false
SSDEEP:	3072:Yuh2G0a2fYrFceQaVK756Y/r06trvoEKQAe7KL8KJKVKGajt4:Yuh2faiYrFceQaVfY/rxTBAe7KwKwVrE
MD5:	26D752C8896B324FFD12827A5E4B2808
SHA1:	447979FA03F78CB7210A4E4BA365085AB2F42C22
SHA-256:	BD33548DBDBB178873BE92901B282BAD9C6817E3EAC154CA50A666D5753FD7EC
SHA-512:	99C87AB9920E79A03169B29A2F838D568CA4D4056B54A67BC51CAF5C0FF5A4897ED02533BA504F884C6F983EBC400743E6AD52AC451821385B1E25C3B1EBCEE0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.$g..wg..wg..wn.[wk..w5..vc..w..5wf..w5..vs..w5..vo..w5..vd..ws..vf..w...ve..ws..vl..wg..w...w...vj..w...vf..w...vf..wRichg..w........PE..d......d.........." ................L........................................P............`......................................... u..`B......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.582548725691534
Encrypted:	false
SSDEEP:	384:b9yLTFInPLnIdHqp3DT90IZIAQGyHQIYiSy1pCQ273bAM+o/8E9VF0Nypyn4:6inzUHqN1rZIAQGo5YiSyvUrAMxkEjh
MD5:	8A273F518973801F3C63D92AD726EC03
SHA1:	069FC26B9BD0F6EA3F9B3821AD7C812FD94B021F
SHA-256:	AF358285A7450DE6E2E5E7FF074F964D6A257FB41D9EB750146E03C7DDA503CA
SHA-512:	7FEDAE0573ECB3946EDE7D0B809A98ACAD3D4C95D6C531A40E51A31BDB035BADC9F416D8AAA26463784FF2C5E7A0CC2C793D62B5FDB2B8E9FAD357F93D3A65F8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d......e.........." ...%.....2.......................................................y....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1500440
Entropy (8bit):	6.5886408023548295
Encrypted:	false
SSDEEP:	24576:ATqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFq++I:nk0jwv4tP5kf8ar/74EF2/An4acrVUc2
MD5:	31CD2695493E9B0669D7361D92D46D94
SHA1:	19C1BC5C3856665ECA5390A2F9CD59B564C0139B
SHA-256:	17D547994008F1626BE2877497912687CB3EBD9A407396804310FD12C85AEAD4
SHA-512:	9DD8D1B900999E8CEA91F3D5F3F72D510F9CC28D7C6768A4046A9D2AA9E78A6ACE1248EC9574F5F6E53A6F1BDBFDF153D9BF73DBA05788625B03398716C87E1C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SJ...+...+...+...S...+...T...+...T...+...T...+...T...+..\S...+...+...+..-....+..-....+..-.n..+..-....+..Rich.+..................PE..d....Bre.........." ...%..................................................................`..........................................d...".............................../..........P...T...............................@...............@............................text...x........................... ..`.rdata..f...........................@..@.data....G.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\ucrtbase.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1035728
Entropy (8bit):	6.630126944065657
Encrypted:	false
SSDEEP:	24576:EsKxVJ/pRRK0Y/9fCrl4NbpjONcncXEomxvSZX0yp49C:lKxDPHQCrlQBXxw
MD5:	849959A003FA63C5A42AE87929FCD18B
SHA1:	D1B80B3265E31A2B5D8D7DA6183146BBD5FB791B
SHA-256:	6238CBFE9F57C142B75E153C399C478D492252FDA8CB40EE539C2DCB0F2EB232
SHA-512:	64958DABDB94D21B59254C2F074DB5D51E914DDBC8437452115DFF369B0C134E50462C3FDBBC14B6FA809A6EE19AB2FB83D654061601CC175CDDCB7D74778E09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........of...5...5...5..5...5...5&..5...5...5...4...5...4...5...4...5...4...5...4..5...5...5...4...5Rich...5........PE..d.....$%.........." .....:..........0Z..............................................7^....`A................................................................. ...........!.............p........................... f..............................................text...09.......:.................. ..`.rdata..^....P.......>..............@..@.data....&..........................@....pdata....... ......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1137944
Entropy (8bit):	5.462202215180296
Encrypted:	false
SSDEEP:	12288:hrEHdcM6hbFCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfciFt:hrEXYCjfk7bPNfv42BN6yzUiFt
MD5:	04F35D7EEC1F6B72BAB9DAF330FD0D6B
SHA1:	ECF0C25BA7ADF7624109E2720F2B5930CD2DBA65
SHA-256:	BE942308D99CC954931FE6F48ED8CC7A57891CCBE99AAE728121BCDA1FD929AB
SHA-512:	3DA405E4C1371F4B265E744229DCC149491A112A2B7EA8E518D5945F8C259CAD15583F25592B35EC8A344E43007AE00DA9673822635EE734D32664F65C9C8D9B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K..K..K..B.q.M..^..I..^..F..^..C..^..H..qE.H.....I..K.....qE.J..qE.J..qE..J..qE..J..RichK..........................PE..d......e.........." ...%.>..........`*.......................................p............`.........................................p...X............P.......@.........../...`......P^..T............................]..@............P..p............................text....=.......>.................. ..`.rdata..\....P.......B..............@..@.data...X.... ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	5.851293297484796
Encrypted:	false
SSDEEP:	3072:bPwB2zC1vwC3XetCf5RlRVFhLaNKPRyymoh5Lm9b0e:bIB2zkvwGXetCfDlRVlPRy85Lm9
MD5:	3A80FEA23A007B42CEF8E375FC73AD40
SHA1:	04319F7552EA968E2421C3936C3A9EE6F9CF30B2
SHA-256:	B70D69D25204381F19378E1BB35CC2B8C8430AA80A983F8D0E8E837050BB06EF
SHA-512:	A63BED03F05396B967858902E922B2FBFB4CF517712F91CFAA096FF0539CF300D6B9C659FFEE6BF11C28E79E23115FD6B9C0B1AA95DB1CBD4843487F060CCF40
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I^.f'..f'..f'......f'...&..f'...#..f'...$..f'.o.&..f'..."..f'...&..f'..f&..g'.o....f'.o.'..f'.o.%..f'.Rich.f'.................PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text...$........................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\her.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	5.966619585818369
Encrypted:	false
SSDEEP:	3072:07jbPA0SD9S3vrCqf93qMHxCjdLZn1Ya:07jtS9SfuCRCjFV
MD5:	47C91C74BB2C5CF696626AF04F3705AB
SHA1:	C086BC2825969756169FAB7DD2E560D360E1E09C
SHA-256:	F6EAD250FC2DE4330BD26079A44DED7F55172E05A70E28AD85D09E7881725155
SHA-512:	E6B6A4425B3E30CEA7BF8B09971FA0C84D6317B1A37BC1518266DC8D72C166099A8FC40A9B985300901BD921E444FF438FD30B814C1F1C6A051DF3471615C2BD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.v.S.......Q.......E.......].......V.....Q...A...R...U........\.....T.....T...RichU...........PE..d......d.........." ................(........................................ ............`..........................................o..................d.......................H....G..T............................H..8............................................text...~........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..............................@..@.rsrc...d...........................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\her.exe

Download File

Process:	C:\Users\user\Desktop\hKgrI6tqYx.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17524998
Entropy (8bit):	7.996486556715774
Encrypted:	true
SSDEEP:	393216:UEkZgf8fdntpUTLfhJe1+TtIiFyuvB5IjWqJ6eoWez1HGwFXiWCR:URbFHUTLJE1QtItS3ILJ6e/UGhVR
MD5:	A02BD3671B7DAB9F036B13C8B0339714
SHA1:	9C48E8A80A0CF0A1CA1E4328091241C242DFC5B4
SHA-256:	FC5586CA851CBF4EED21AE5C11B8E5D7C23379561016F779F5FE346439E2F55D
SHA-512:	E9B5C9951B5F4D525E7932A7C0D509DE690F1414C22934A215B4289BF812D0385A436EED6050D49CF5BB71CAD105C9F3B668C7DBB6610A6288396E4234C5A65D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d......e.........."....%.......................@..........................................`.....................................................x....`..4F... ..."..............\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...4F...`...H..................@..@.reloc..\............J..............@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997837662686648
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hKgrI6tqYx.exe
File size:	18'321'667 bytes
MD5:	5ebc550846b0593c0b5c962194f87c92
SHA1:	7ba72751aa4e924fdefbde7c31305594146429b4
SHA256:	ef17e4c80f1630b77985efca374565ae94ba9a0a30a31b2e88ffe2d51bfe599f
SHA512:	e4789391e04783046aa311fd31c4b26ffb2f599264e5f06e1340ce40598a63f34fce06da870f65b04e8ab483683f181a4b43129f3c5f4b1cd5146388c607ba35
SSDEEP:	393216:6gwHEtyIaV2InzgB5Vr7xrzq3Hr/xcbcNMMOefVZ0rgF2YgoGG:6gwktHQ2qgjJp82NeGnYD
TLSH:	C9073343A4E7A2F0D83233348538CA25593B7E58D6BB926A531C052C4E776C32B777A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6....V..6....T.'6....U..6..)MZ..6..)M...6..)M...6..)M...6...N$..6...N4..6...6...7..'M...6..'M...6..'MX..6..'M...6.

File Icon


Icon Hash:	02e4c2c63ccec224

Static PE Info

General

Entrypoint:	0x421d50
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651BC7F7 [Tue Oct 3 07:51:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	75e9596d74d063246ba6f3ac7c5369a0

Entrypoint Preview

Instruction
call 00007F463523CCBBh
jmp 00007F463523C66Dh
int3
int3
int3
int3
int3
int3
push 00424F20h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [0044277Ch]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F463522ED91h
push 0043F388h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F463523F1E5h
int3
jmp 00007F46352410B8h
push ebp
mov ebp, esp
and dword ptr [00466078h], 00000000h
sub esp, 24h
or dword ptr [004427B0h], 01h
push 0000000Ah
call dword ptr [004361D0h]
test eax, eax
je 00007F463523C9A2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x405c0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x405f4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0x898c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x255c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3e3b0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x388b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3fa9c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x345cc	0x34600	b7a8b04ab2248443b05e8133fb3a9064	False	0.5887343377088305	data	6.708390817791953	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0xb410	0xb600	a418919d63b67e937555eec95d3b6bcb	False	0.45409083104395603	Applesoft BASIC program data, first line number 4	5.215945456388312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x42000	0x24758	0x1200	d8d5c95192b51ddad1857caa38e7daa9	False	0.4049479166666667	data	4.078919796039023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x67000	0x1a4	0x200	ee74a17c4eeb586c9811481b77498b43	False	0.4609375	data	3.5194570553957747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x68000	0x898c	0x8a00	d0e392a93e7a6a5c51dd84aaa0a56410	False	0.38357676630434784	data	4.902201009142028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x255c	0x2600	699c6b2b1b2acad2d0f219d9328713af	False	0.783203125	data	6.6660836278877325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x68524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6906c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x6a618	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.10618606916707257
RT_DIALOG	0x6e640	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6e8c8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6ea04	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6eaf0	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6ec20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ef58	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6f1ac	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x6f390	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x6f55c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x6f714	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x6f85c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x6fcc8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x6fe30	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x6ff84	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70090	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7014c	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x70224	0x14	data			1.1
RT_MANIFEST	0x70238	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 09:45:11.000238895 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:11.000266075 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:11.000335932 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:13.432164907 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:13.432193995 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:15.166167021 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:15.173239946 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:15.173254967 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:15.174365997 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:15.175956964 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:15.175956964 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:15.176136971 CET	443	49713	44.196.3.45	192.168.2.6
Dec 9, 2024 09:45:15.176167011 CET	49713	443	192.168.2.6	44.196.3.45
Dec 9, 2024 09:45:15.177382946 CET	49713	443	192.168.2.6	44.196.3.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 09:45:10.858735085 CET	56420	53	192.168.2.6	1.1.1.1
Dec 9, 2024 09:45:10.997772932 CET	53	56420	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 09:45:10.858735085 CET	192.168.2.6	1.1.1.1	0x5b7	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 09:45:10.997772932 CET	1.1.1.1	192.168.2.6	0x5b7	No error (0)	httpbin.org		44.196.3.45	A (IP address)	IN (0x0001)	false
Dec 9, 2024 09:45:10.997772932 CET	1.1.1.1	192.168.2.6	0x5b7	No error (0)	httpbin.org		34.224.200.202	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:45:01
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\hKgrI6tqYx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hKgrI6tqYx.exe"
Imagebase:	0xe00000
File size:	18'321'667 bytes
MD5 hash:	5EBC550846B0593C0B5C962194F87C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:45:03
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"
Imagebase:	0x400000
File size:	105'472 bytes
MD5 hash:	D134FFD0F669B1940AE13A37980B3881
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:45:03
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe"
Imagebase:	0x7ff690d50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:45:03
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:45:03
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
Wow64 process (32bit):	true
Commandline:	Heart-Sender-V1.2.exe -pdefensores102558848defensores1233sda -dC:\Users\user\AppData\Local\Temp
Imagebase:	0xe70000
File size:	976'506 bytes
MD5 hash:	94B6D18D2E0E752E6B9E914D4B6BC33F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:45:04
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\HeartSender.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\HeartSender.exe"
Imagebase:	0x400000
File size:	113'152 bytes
MD5 hash:	7FA598F8A47A856C0F9667C22BFBE056
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\HeartSender.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 49%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:45:04
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\user\AppData\Local\Temp\HeartSender.exe"
Imagebase:	0x7ff690d50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:45:04
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:45:04
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\her.exe
Wow64 process (32bit):	false
Commandline:	her.exe
Imagebase:	0x7ff746630000
File size:	17'524'998 bytes
MD5 hash:	A02BD3671B7DAB9F036B13C8B0339714
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:45:04
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Config\File00.exe
Wow64 process (32bit):	true
Commandline:	config\File00.exe -pEF18367A3B80BB838CC2BCFD1C5E5964:zakariaa
Imagebase:	0x400000
File size:	273'831 bytes
MD5 hash:	D4EA176B0DC54374ABB87A1B9409FE50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 15%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:45:05
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe"
Imagebase:	0x850000
File size:	231'424 bytes
MD5 hash:	9C7691FF597E9EFD7F796B31ACCB78E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:45:07
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Local\Temp\her.exe
Wow64 process (32bit):	false
Commandline:	her.exe
Imagebase:	0x7ff746630000
File size:	17'524'998 bytes
MD5 hash:	A02BD3671B7DAB9F036B13C8B0339714
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.7%
Total number of Nodes:	1778
Total number of Limit Nodes:	42

Executed Functions

Function 00E1EA07 Relevance: 49.5, APIs: 24, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E1D6C7

Part of subcall function 00E1C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E1C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,88F1D862,?,00000000,00000001), ref: 00E1EB53
_wcslen.LIBCMT ref: 00E1EB8D
_wcslen.LIBCMT ref: 00E1EBA1
_wcslen.LIBCMT ref: 00E1EBC6
GetFileAttributesW.KERNEL32(?), ref: 00E1EC0C
DeleteFileW.KERNEL32(?), ref: 00E1EC1E
_swprintf.LIBCMT ref: 00E1EC43
GetFileAttributesW.KERNEL32(?), ref: 00E1EC52
MoveFileW.KERNEL32(?,?), ref: 00E1EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00E1EC7F
_wcslen.LIBCMT ref: 00E1ECFA
_wcslen.LIBCMT ref: 00E1ED03
SetWindowTextW.USER32(?,?), ref: 00E1ED62

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00E1EE0B
ProgramFilesDir, xrefs: 00E1EE36
<br>, xrefs: 00E1ECC4
%s.%d.tmp, xrefs: 00E1EC36

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: 22e85911dacf7a9ac75696dd3226455b8b40e4c28162d4b01953f640cda0ee60
Instruction ID: a2d78ba0c3827b31f63993664455bc7f79b831829604187d2f114bbc4854564f
Opcode Fuzzy Hash: 22e85911dacf7a9ac75696dd3226455b8b40e4c28162d4b01953f640cda0ee60
Instruction Fuzzy Hash: 5DF17F72904258AADB31EFA0DC55EEF37BCBB09314F14152AFD05F7191EB709A898B90

Function 00E2037C Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1290A: GetModuleHandleW.KERNEL32 ref: 00E12937
Part of subcall function 00E1290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E12949
Part of subcall function 00E1290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E12973

Part of subcall function 00E1C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E1C5E5

Part of subcall function 00E1CCD9: OleInitialize.OLE32(00000000), ref: 00E1CCF2
Part of subcall function 00E1CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E1CD29
Part of subcall function 00E1CCD9: SHGetMalloc.SHELL32(00E4C460), ref: 00E1CD33

GetCommandLineW.KERNEL32 ref: 00E203C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E203F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00E20404
UnmapViewOfFile.KERNEL32(00000000), ref: 00E20455

Part of subcall function 00E1FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E1FFFE
Part of subcall function 00E1FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E20038

Part of subcall function 00E11421: _wcslen.LIBCMT ref: 00E11445

CloseHandle.KERNEL32(00000000), ref: 00E2045C
GetModuleFileNameW.KERNEL32(00000000,00E62CC0,00000800), ref: 00E20476
SetEnvironmentVariableW.KERNEL32(sfxname,00E62CC0), ref: 00E20482
GetLocalTime.KERNEL32(?), ref: 00E2048D
_swprintf.LIBCMT ref: 00E204E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E204F6
GetModuleHandleW.KERNEL32(00000000), ref: 00E204FD
LoadIconW.USER32(00000000,00000064), ref: 00E20514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00E20565
Sleep.KERNEL32(?), ref: 00E20593
DeleteObject.GDI32 ref: 00E205CC
DeleteObject.GDI32(?), ref: 00E205DC
CloseHandle.KERNEL32 ref: 00E2061F

Strings

winrarsfxmappingfile.tmp, xrefs: 00E203E7
STARTDLG, xrefs: 00E2055A
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00E204D2
sfxname, xrefs: 00E2047D
pP, xrefs: 00E20525
sfxstime, xrefs: 00E204F1

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$pP$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-2894976459
Opcode ID: e0a07e1c27f78d5e03c2644c5e11ff9a29736ecc0d05d4726aa15edeffa62fd3
Instruction ID: 7fd9bb196e17c643048a01295f3d4616a8191bf1f93746b58b84bb43195fef6e
Opcode Fuzzy Hash: e0a07e1c27f78d5e03c2644c5e11ff9a29736ecc0d05d4726aa15edeffa62fd3
Instruction Fuzzy Hash: BF713571604310AFD320AB72FC4ABAB7BE8AB45785F005419F645B22D2DF748988CB71

Function 00E1C652 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C665
SizeofResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C67C
LoadResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C693
LockResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E1DA3D,00000066), ref: 00E1C6BD
GlobalLock.KERNEL32(00000000), ref: 00E1C6CE
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E1C6F2
GlobalUnlock.KERNEL32(00000000), ref: 00E1C756

Part of subcall function 00E1C5B6: GdipAlloc.GDIPLUS(00000010), ref: 00E1C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E1C737
GlobalFree.KERNEL32(00000000), ref: 00E1C75D

Strings

PNG, xrefs: 00E1C656

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 87c29aecd0342206bb55db9d648d9a7dee737c21c710f80e963e2d49c6f2517c
Instruction ID: d8f85499155d3cb34341c311db477544b2f1143b57da6c17e688e82331a57a80
Opcode Fuzzy Hash: 87c29aecd0342206bb55db9d648d9a7dee737c21c710f80e963e2d49c6f2517c
Instruction Fuzzy Hash: 7731D075200716AFD3109F32EC4CD6B7FA8EF85B51B10451AF909E22A1EB71D848CFA0

Function 00E0F963 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,88F1D862), ref: 00E0F9CD

Part of subcall function 00E0E208: _wcslen.LIBCMT ref: 00E0E210

Part of subcall function 00E12663: _wcslen.LIBCMT ref: 00E12669

Part of subcall function 00E13D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,88F1D862,?,?,88F1D862,00000001,00E0DA04,00000000,88F1D862,?,000103C2,?,?), ref: 00E13D2C

_wcslen.LIBCMT ref: 00E0FD00
__fprintf_l.LIBCMT ref: 00E0FE50

Strings

@%s:, xrefs: 00E0FE3A, 00E0FE46
|l, xrefs: 00E0FCD1
*messages***, xrefs: 00E0FAD1
$%s:, xrefs: 00E0FE33
,, xrefs: 00E0FE8B
*messages***, xrefs: 00E0FB0A
RTL, xrefs: 00E0FE12

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL$|l
API String ID: 2646189078-3226807011
Opcode ID: 809121117740dd878e9d4bcafbb9e37b58f4c87dd737f949333c2b5db863ef56
Instruction ID: c34ef9e29c624e526eac42926c1651d6b7020597da1d27003af41d8530a181dd
Opcode Fuzzy Hash: 809121117740dd878e9d4bcafbb9e37b58f4c87dd737f949333c2b5db863ef56
Instruction Fuzzy Hash: 8042F271A00219AADF34EFA4D841BEEB7B4FF18704F50252AE905BB1C1EB719AD1CB54

Function 00E0C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000), ref: 00E0C4E6

Part of subcall function 00E0DA1E: _wcslen.LIBCMT ref: 00E0DA59

FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?), ref: 00E0C516
GetLastError.KERNEL32(?,?,00000800,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000,0000003A), ref: 00E0C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000), ref: 00E0C549
GetLastError.KERNEL32(?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E0C555

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 7cd3424f595c24540a1fef6eec7616953036742899faf423945e9ec567dc465d
Instruction ID: 5921c7071695d6fede02f487ef283f9cd7b31a0044f4920717649838714b6d10
Opcode Fuzzy Hash: 7cd3424f595c24540a1fef6eec7616953036742899faf423945e9ec567dc465d
Instruction Fuzzy Hash: 6D4184B5508345AFC724DF34D8859EBF7E8BF88340F105A1EF599E3280D730A9998B91

Function 00E2A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E2A616,?,00E3F7B0,0000000C,00E2A76D,?,00000002,00000000), ref: 00E2A661
TerminateProcess.KERNEL32(00000000,?,00E2A616,?,00E3F7B0,0000000C,00E2A76D,?,00000002,00000000), ref: 00E2A668
ExitProcess.KERNEL32 ref: 00E2A67A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 85b308e71fa28c816d6bcaec6179e0e709e2673015c35bcfedd6ecaf9d28f906
Instruction ID: f86a7df72ade845b38529e3b25c56b665f3358ecae0e87f9d7c5d858f8d0e1e9
Opcode Fuzzy Hash: 85b308e71fa28c816d6bcaec6179e0e709e2673015c35bcfedd6ecaf9d28f906
Instruction Fuzzy Hash: 18E0B631040158AFCF216FA5ED0DA483FAAEB41B45F089424F909AB132CB3AED46CE95

Function 00E09906 Relevance: 2.4, Strings: 1, Instructions: 1169COMMON

Download Yara Rule

Strings

__tmp_reference_source_, xrefs: 00E09C0E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$AttributesFile_swprintf$CurrentH_prolog3Process__aulldiv_wcsrchr
String ID: __tmp_reference_source_
API String ID: 3636405837-685763994
Opcode ID: 36ec9929d126853683c531242c502088e153eb9edfe4270ff83be8a91b61e4c8
Instruction ID: 303238b604adf8e52c181558c92dd5896baa9c6194c0c45ad6508a961d847776
Opcode Fuzzy Hash: 36ec9929d126853683c531242c502088e153eb9edfe4270ff83be8a91b61e4c8
Instruction Fuzzy Hash: A2A2F571904289AEDF25CF60C885BEA7BA5BF05304F0C61BAE949BB1C3D73459C4CBA1

Function 00E18C7E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 9cecb543c4a517486962fdae476f6c92c9922571d7bdca2e71ad0421e40a3ade
Instruction ID: e7d8f294600b0a272d50f008ff2f3d99ccd1b3ec8a2ba32eb0c0c2742012bdba
Opcode Fuzzy Hash: 9cecb543c4a517486962fdae476f6c92c9922571d7bdca2e71ad0421e40a3ade
Instruction Fuzzy Hash: 65D1C6B1A083448FDB14DF28C94479BBBE1BF89308F04556DF889AB382D774E985CB56

Function 00E1290A Relevance: 101.8, APIs: 23, Strings: 35, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00E12937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E12949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E12973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E12C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E12C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E12C4B
ReadFile.KERNEL32(00000000,?,00007FFE,$o,00000000), ref: 00E12C69
CloseHandle.KERNEL32(00000000), ref: 00E12CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E12CE6
CompareStringW.KERNEL32(00000400,00001001,po,?,DXGIDebug.dll,?,$o,?,00000000,?,00000800), ref: 00E12D3A
GetFileAttributesW.KERNELBASE(?,?,$o,00000800,?,00000000,?,00000800), ref: 00E12D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00E12DA0

Part of subcall function 00E128AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E128D4
Part of subcall function 00E128AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E11309,Crypt32.dll,00000000,00E11383,00000200,?,00E11366,00000000,00000000,?), ref: 00E128F4

_swprintf.LIBCMT ref: 00E12E12
_swprintf.LIBCMT ref: 00E12E5E
AllocConsole.KERNEL32 ref: 00E12E66
GetCurrentProcessId.KERNEL32 ref: 00E12E70
AttachConsole.KERNEL32(00000000), ref: 00E12E77
_wcslen.LIBCMT ref: 00E12E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E12E9D
WriteConsoleW.KERNEL32(00000000), ref: 00E12EA4
Sleep.KERNEL32(00002710), ref: 00E12EAF
FreeConsole.KERNEL32 ref: 00E12EB5
ExitProcess.KERNEL32 ref: 00E12EBD

Strings

uxtheme.dll, xrefs: 00E12DDF
Dt, xrefs: 00E12BAD
(p, xrefs: 00E12A01
<o, xrefs: 00E129AE
dwmapi.dll, xrefs: 00E129D9, 00E12DD5
pp, xrefs: 00E12A19
Xp, xrefs: 00E12A11
o, xrefs: 00E129E9
Dq, xrefs: 00E12A61
\t, xrefs: 00E12BB8
$s, xrefs: 00E12B29
SetDefaultDllDirectories, xrefs: 00E1296D
po, xrefs: 00E12D2C
Ls, xrefs: 00E12B3F
Xo, xrefs: 00E129B6
ds, xrefs: 00E12B4A
kernel32, xrefs: 00E1292D
\q, xrefs: 00E12A69
DXGIDebug.dll, xrefs: 00E12D26
4s, xrefs: 00E12B34
xt, xrefs: 00E12BC3
p, xrefs: 00E12A41
(t, xrefs: 00E12BA2
$o, xrefs: 00E12C56, 00E12C5A
xr, xrefs: 00E12ADC
xs, xrefs: 00E12B55
SetDllDirectoryW, xrefs: 00E12943
<, xrefs: 00E12D3A
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00E12E4C
tq, xrefs: 00E12A71
@p, xrefs: 00E12A09
`r, xrefs: 00E12AD1
$r, xrefs: 00E12ABB
,q, xrefs: 00E12A59
<r, xrefs: 00E12AC6

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: $o$$r$$s$(p$(t$,q$4s$<$<o$<r$@p$DXGIDebug.dll$Dq$Dt$Ls$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$Xo$Xp$\q$\t$`r$ds$dwmapi.dll$kernel32$po$pp$tq$uxtheme.dll$xr$xs$xt$o$p
API String ID: 270162209-1550233574
Opcode ID: 1bde9e3e0bb5236308fc4fa009152e06b0d9a233a898b86e735c7b14b8e7a2d2
Instruction ID: 31ae331847ff45d8a68cef183bda14689881a006bd0478735153c1644520f6f5
Opcode Fuzzy Hash: 1bde9e3e0bb5236308fc4fa009152e06b0d9a233a898b86e735c7b14b8e7a2d2
Instruction Fuzzy Hash: 22D14DB1008384AED7359F60DC4EADFBEE8ABC5304F50691DF699B6150D7B08588CB62

Function 00E1DAE0 Relevance: 95.2, APIs: 47, Strings: 7, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01366: GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
Part of subcall function 00E01366: SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1DC24
IsDialogMessageW.USER32(?,?), ref: 00E1DC37
TranslateMessage.USER32(?), ref: 00E1DC45
DispatchMessageW.USER32(?), ref: 00E1DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00E1DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00E1DC95
GetDlgItem.USER32(?,00000068), ref: 00E1DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E1DCD3
SendMessageW.USER32(00000000,000000C2,00000000,00E365F4), ref: 00E1DCE6

Part of subcall function 00E1F77B: _wcslen.LIBCMT ref: 00E1F7A5

SetFocus.USER32(00000000), ref: 00E1DCED
_swprintf.LIBCMT ref: 00E1DD4C

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00E1DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00E1DDD7
GetTickCount.KERNEL32 ref: 00E1DDF5
_swprintf.LIBCMT ref: 00E1DE0D
GetLastError.KERNEL32(?,00000011), ref: 00E1DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 00E1DE92
_swprintf.LIBCMT ref: 00E1DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00E53482,00000200), ref: 00E1DF1D
GetCommandLineW.KERNEL32(?,?,?,?,00E53482,00000200), ref: 00E1DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00E53482,00000400,00000001,00000001,?,?,?,?,00E53482,00000200), ref: 00E1DF8A
ShellExecuteExW.SHELL32(?), ref: 00E1DFB2
Sleep.KERNEL32(00000064,?,?,?,?,00E53482,00000200), ref: 00E1DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00E53482,00000400,?,?,?,?,00E53482,00000200), ref: 00E1E023
CloseHandle.KERNEL32(?,?,?,?,?,00E53482,00000200), ref: 00E1E02C
_swprintf.LIBCMT ref: 00E1E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1E0BE
SetDlgItemTextW.USER32(?,00000065,00E365F4), ref: 00E1E0D5
GetDlgItem.USER32(?,00000065), ref: 00E1E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 00E1E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E1E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1E1A9
_wcslen.LIBCMT ref: 00E1E1FF
_swprintf.LIBCMT ref: 00E1E229
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E1E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00E1E28D
GetDlgItem.USER32(?,00000068), ref: 00E1E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E1E2AC
GetDlgItem.USER32(?,00000066), ref: 00E1E2C6
SetWindowTextW.USER32(00000000,00E5589A), ref: 00E1E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E1E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 00E1E3FE
EnableWindow.USER32(00000000,00000000), ref: 00E1E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E1E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E1E532

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00E1DEB8
%s, xrefs: 00E1E219
winrarsfxmappingfile.tmp, xrefs: 00E1DEF3
STARTDLG, xrefs: 00E1DB2D
LICENSEDLG, xrefs: 00E1E3F3
__tmp_rar_sfx_access_check_%u, xrefs: 00E1DDFC
"%s"%s, xrefs: 00E1E04E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-1712381250
Opcode ID: af7b5c16616bcbd6ab3a12d07d30be123f41fa9db892d6334d0cd763030786ac
Instruction ID: f3a055b3db9198602b6fbb147d9129bb9eb60e3279860159b3a9297d75659c75
Opcode Fuzzy Hash: af7b5c16616bcbd6ab3a12d07d30be123f41fa9db892d6334d0cd763030786ac
Instruction Fuzzy Hash: 5D420671A44344BEEB21AB71EC4AFFE7BA8AB01748F046415FA51B71D1C7B44AC8CB61

Function 00E10244 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_swprintf.LIBCMT ref: 00E10284

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

Part of subcall function 00E13F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00E0F801,00000000,00000000,?,00E45070,?,00E0F801,?,?,00000050,?), ref: 00E13F64

_strlen.LIBCMT ref: 00E102A5
SetDlgItemTextW.USER32(?,00E42274,?), ref: 00E102FE
GetWindowRect.USER32(?,?), ref: 00E10334
GetClientRect.USER32(?,?), ref: 00E10340
GetWindowLongW.USER32(?,000000F0), ref: 00E103EB
GetWindowRect.USER32(?,?), ref: 00E1041B
SetWindowTextW.USER32(?,?), ref: 00E1044A
GetSystemMetrics.USER32(00000008), ref: 00E10452
GetWindow.USER32(?,00000005), ref: 00E1045D
GetWindowRect.USER32(00000000,?), ref: 00E1048D
GetWindow.USER32(00000000,00000002), ref: 00E104FF

Strings

d, xrefs: 00E10360
$%s:, xrefs: 00E1026D
t", xrefs: 00E102B9
CAPTION, xrefs: 00E10432

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t"
API String ID: 2407758923-2708843319
Opcode ID: 8418351dd076071a3d99a80f0401955bb26576dadc94c93bd34fbe1be46e858e
Instruction ID: 03b69680a0e75490e15c00e5376d4a642b4f98bb26998cde5e4d5ae932614b2a
Opcode Fuzzy Hash: 8418351dd076071a3d99a80f0401955bb26576dadc94c93bd34fbe1be46e858e
Instruction Fuzzy Hash: DA81B072109301AFD714DF68CD89A6FBBE9EB89708F00191DFA84E3291D770E949CB52

Function 00E1F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1D875
Part of subcall function 00E1D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1D886
Part of subcall function 00E1D864: IsDialogMessageW.USER32(000103C2,?), ref: 00E1D89A
Part of subcall function 00E1D864: TranslateMessage.USER32(?), ref: 00E1D8A8
Part of subcall function 00E1D864: DispatchMessageW.USER32(?), ref: 00E1D8B2

GetDlgItem.USER32(00000068,00E63CF0), ref: 00E1F81F
ShowWindow.USER32(00000000,00000005,?,?,00E1D099,00000001,?,?,00E1DAB9,00E382F0,00E63CF0,00E63CF0,00001000,00E450C4,00000000,?), ref: 00E1F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E1F853
SendMessageW.USER32(00000000,000000C2,00000000,00E365F4), ref: 00E1F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E1F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E1F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E1F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E1F91E
SendMessageW.USER32(00000000,000000C2,00000000,00E3769C), ref: 00E1F92D

Strings

\, xrefs: 00E1F885

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 2ebea52300cda5c653839207bf72d06dbce35a50e25ad7c39ed7f9ba92caafde
Instruction ID: c023c11f8a7990784ff0f6d1e9d38b46cef21f01e06a60db628c6c46474aa691
Opcode Fuzzy Hash: 2ebea52300cda5c653839207bf72d06dbce35a50e25ad7c39ed7f9ba92caafde
Instruction Fuzzy Hash: 4B31E47124A3007FE310DF25EC4AFAB7FACEB47748F00091AF5A1BA191C7A0594887A6

Function 00E1FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00E1FB35
ShellExecuteExW.SHELL32(?), ref: 00E1FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 00E1FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1FD78

Strings

.inf, xrefs: 00E1FC34
.exe, xrefs: 00E1FD1C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 40e36fe95de12956cc395b90f2caf6e5ae14c5d7ce6aa355486cce3669b3a4f2
Instruction ID: 1076c10718f2f26c13acdb03b5529e9cabe03563c755dc4ebd9ef0f797ed394d
Opcode Fuzzy Hash: 40e36fe95de12956cc395b90f2caf6e5ae14c5d7ce6aa355486cce3669b3a4f2
Instruction Fuzzy Hash: 8B61B2715083849ED7309F21E850AFBBBE4AB84748F04682DF8C5B7191DBB0D9C9C792

Function 00E1D41C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000001,?,?,?,00000800), ref: 00E1D470
RegCloseKey.ADVAPI32(?), ref: 00E1D4E1
EndDialog.USER32(?,00000001), ref: 00E1D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 00E1D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 00E1D5B9

Strings

GETPASSWORD1, xrefs: 00E1D548
Software\WinRAR SFX, xrefs: 00E1D466

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ItemText$CloseDialogOpen
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 817918715-1315819833
Opcode ID: bfd491611e8ac9b27e6e5d03b8b03e3baf740619645f6b42aa7baaa2171a664f
Instruction ID: 0624adcf8778971838d1d3c5a38545e11d946587fdf1e6aa28db475d30b366bd
Opcode Fuzzy Hash: bfd491611e8ac9b27e6e5d03b8b03e3baf740619645f6b42aa7baaa2171a664f
Instruction Fuzzy Hash: FE41D272908208ABEB30AB64DC45FFF77ADEB48744F10443AF615F3181DB74A9848B61

Function 00E2CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E27F99,00E27F99,?,?,?,00E2D1FC,00000001,00000001,?), ref: 00E2D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E2D1FC,00000001,00000001,?,?,?,?), ref: 00E2D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E2D185
__freea.LIBCMT ref: 00E2D192

Part of subcall function 00E2BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E26A24,?,0000015D,?,?,?,?,00E27F00,000000FF,00000000,?,?), ref: 00E2BCC0

__freea.LIBCMT ref: 00E2D19B
__freea.LIBCMT ref: 00E2D1C0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 98771d1139c1e61fa828be03006ec336e55154e77e15f382d7c3283d621d2f49
Instruction ID: 5b5bf041fc7e23bcdaa0a831e1ea25f2e7e47de38506d897d49747c1e892b890
Opcode Fuzzy Hash: 98771d1139c1e61fa828be03006ec336e55154e77e15f382d7c3283d621d2f49
Instruction Fuzzy Hash: 2A510072605226AFEB258F64EC42EFF7BAAEB40714F155628FE05F6190DB34DC90C690

Function 00E1FF24 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,00E5589A,?,00000800,?,00000800,?,00E1DD77), ref: 00E1FF8E
_wcslen.LIBCMT ref: 00E1FF99
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,00000000), ref: 00E1FFB2
RegCloseKey.KERNELBASE(?), ref: 00E1FFBB

Strings

Software\WinRAR SFX, xrefs: 00E1FF84

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CloseCreateValue_wcslen
String ID: Software\WinRAR SFX
API String ID: 951825311-754673328
Opcode ID: eab75651511e5f619f253bd3e54d8812eba120f3195d0e9e86cd5658e63aaf63
Instruction ID: 5fd2de7d4707bb7df7a773b1754f2ab9b0ca10ddf533df2da2bc3768f34c0825
Opcode Fuzzy Hash: eab75651511e5f619f253bd3e54d8812eba120f3195d0e9e86cd5658e63aaf63
Instruction Fuzzy Hash: 6A118672600158AEE730AB61EC49FEF7BBCEF89744F50406AF515B6091DAB15548CBA0

Function 00E0B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00E08846,?,00000005), ref: 00E0B342
GetLastError.KERNEL32(?,?,00E08846,?,00000005), ref: 00E0B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00E08846,?,00000005), ref: 00E0B382
GetLastError.KERNEL32(?,?,00E08846,?,00000005), ref: 00E0B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E08846,?,00000005), ref: 00E0B3D9

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 0112f7dee25dc0cb59578cdd9a1031db6c6b920d1249235f2afd6dcee9f54c2b
Instruction ID: 168e908ea0772671ef568337e29a2beb14e79978b591611687bf5226c5254b17
Opcode Fuzzy Hash: 0112f7dee25dc0cb59578cdd9a1031db6c6b920d1249235f2afd6dcee9f54c2b
Instruction Fuzzy Hash: 46412630544345AFD720DF24DC46B9ABBD8BB45324F201A19F9A1B62D0D7F4A988CB91

Function 00E1D864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1D886
IsDialogMessageW.USER32(000103C2,?), ref: 00E1D89A
TranslateMessage.USER32(?), ref: 00E1D8A8
DispatchMessageW.USER32(?), ref: 00E1D8B2

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 1a8ecee9d599787ae086821915a91220ecac253f5a5a8d8ca6686857310f5a35
Instruction ID: 80016cb7531173242f847e7b029d0c69dc6ace00201d8b507be8e96378c30bd3
Opcode Fuzzy Hash: 1a8ecee9d599787ae086821915a91220ecac253f5a5a8d8ca6686857310f5a35
Instruction Fuzzy Hash: F6F0D071905219AFDB60ABE6EC4CDDB7F7CEF052D97004415F956E2050E768D509C7B0

Function 00E1CB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00E1CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 00E1CBA1

Part of subcall function 00E14168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E0E084,00000000,.exe,?,?,00000800,?,?,?,00E1AD5D), ref: 00E1417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E1CB91

Strings

EDIT, xrefs: 00E1CB75, 00E1CB80, 00E1CB8D

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: f5ffed435d6712d6c5f3fef1af97c6ce6f1af677285f0c2271d8cb9abc5df91b
Instruction ID: 8ae132cca9066846bdd6396baefaa53820aa09b0f7a8aef632f53f096a55e4b5
Opcode Fuzzy Hash: f5ffed435d6712d6c5f3fef1af97c6ce6f1af677285f0c2271d8cb9abc5df91b
Instruction Fuzzy Hash: 9BF0A471A05218AFDB209B259C06F9F77AC9F86744F110055F941F6180DAB0EE4586A5

Function 00E1FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E1FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E20038

Strings

sfxcmd, xrefs: 00E1FFF9
sfxpar, xrefs: 00E20033

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: f755e065907ff40ab52012518195f141789c55d9ea81ce0a727795f5c9090590
Instruction ID: 13843e39c26815a36054e62ed2b82c6d1942a07d58f661f765838274ab46a11b
Opcode Fuzzy Hash: f755e065907ff40ab52012518195f141789c55d9ea81ce0a727795f5c9090590
Instruction Fuzzy Hash: 70F0FC71901334AFD7109F659C09DEF77DCDF1D740B405455BD45B7182DA709D44C6A1

Function 00E1CCD9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E128AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E128D4
Part of subcall function 00E128AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E11309,Crypt32.dll,00000000,00E11383,00000200,?,00E11366,00000000,00000000,?), ref: 00E128F4

OleInitialize.OLE32(00000000), ref: 00E1CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E1CD29
SHGetMalloc.SHELL32(00E4C460), ref: 00E1CD33

Strings

riched20.dll, xrefs: 00E1CCE1

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 6fe4be01f16e71ce4789c5acb0793eafe21903f81b95bad54f8f4680ae2b14c6
Instruction ID: 46ea41c7ecc61c3765f95efae5bd2927d010b3a45d8eb3827b668ec1e23e9243
Opcode Fuzzy Hash: 6fe4be01f16e71ce4789c5acb0793eafe21903f81b95bad54f8f4680ae2b14c6
Instruction Fuzzy Hash: EBF0F9B1D04209AFCB50AF9AE8499EFFFFCEF94704F00445AE451B2251DBB856498BA1

Function 00E26232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00E261E3,00000000,00000001,00E660C8,?,?,?,00E26386,00000004,InitializeCriticalSectionEx,00E39624,InitializeCriticalSectionEx), ref: 00E2623F
GetLastError.KERNEL32(?,00E261E3,00000000,00000001,00E660C8,?,?,?,00E26386,00000004,InitializeCriticalSectionEx,00E39624,InitializeCriticalSectionEx,00000000,?,00E2613D), ref: 00E26249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00E25083), ref: 00E26271

Strings

api-ms-, xrefs: 00E26256

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 02075a9d7eac27ef5d7edc33af4352c94954d37855c0e9f96f2f6febaca379e7
Instruction ID: 0b5c0e94421fa55e61eced46b71ed9792c240661ef5eb210d5fc72daa06fdae8
Opcode Fuzzy Hash: 02075a9d7eac27ef5d7edc33af4352c94954d37855c0e9f96f2f6febaca379e7
Instruction Fuzzy Hash: E9E04F31680308FBEF211F71FC0AF5A3F65AB10B55F505160F90DB80F1DBA19D549984

Function 00E0B151 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00E0B662,?,?,00000000,?,?), ref: 00E0B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,00E0B662,?,?,00000000,?,?), ref: 00E0B179
GetLastError.KERNEL32(?,?,?,00000000,00E0B662,?,?,00000000,?,?), ref: 00E0B1AB
GetLastError.KERNEL32(?,?,?,00000000,00E0B662,?,?,00000000,?,?), ref: 00E0B1CA

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 313756eedb5c69861287963654b400ffdb9cbd2623909fea38154c3f250ff746
Instruction ID: 308fda11343be8176a5aa0d7562b1bb04183701e0c75a9810134f94af8f8ebae
Opcode Fuzzy Hash: 313756eedb5c69861287963654b400ffdb9cbd2623909fea38154c3f250ff746
Instruction Fuzzy Hash: 5F11CE30911208EFDF315F21CC19AAA3BA9FB053A9F109629F8A6F52D0D770DEC48B51

Function 00E2D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E2688D,00000000,00000000,?,00E2D32B,00E2688D,00000000,00000000,00000000,?,00E2D528,00000006,FlsSetValue), ref: 00E2D3B6
GetLastError.KERNEL32(?,00E2D32B,00E2688D,00000000,00000000,00000000,?,00E2D528,00000006,FlsSetValue,00E3AC00,FlsSetValue,00000000,00000364,?,00E2BA77), ref: 00E2D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E2D32B,00E2688D,00000000,00000000,00000000,?,00E2D528,00000006,FlsSetValue,00E3AC00,FlsSetValue,00000000), ref: 00E2D3D0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cafdcea12369cfb2a3a1450ef06d448956fd2e3862836599740cef6513c40713
Instruction ID: fa58ea34e017fc110c2f9c8f49b001c02058726aeabdef50ba775914198f9bf9
Opcode Fuzzy Hash: cafdcea12369cfb2a3a1450ef06d448956fd2e3862836599740cef6513c40713
Instruction Fuzzy Hash: A401FC3261933AAFCB21DB79FC48A577B5CEF147A57151620FA16F7150C720D8048AE1

Function 00E2E077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00E2B9A5: GetLastError.KERNEL32(?,00E450C4,00E26E12,00E450C4,?,?,00E2688D,?,?,00E450C4), ref: 00E2B9A9
Part of subcall function 00E2B9A5: _free.LIBCMT ref: 00E2B9DC
Part of subcall function 00E2B9A5: SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BA1D
Part of subcall function 00E2B9A5: _abort.LIBCMT ref: 00E2BA23

Part of subcall function 00E2E19E: _abort.LIBCMT ref: 00E2E1D0
Part of subcall function 00E2E19E: _free.LIBCMT ref: 00E2E204

Part of subcall function 00E2DE0B: GetOEMCP.KERNEL32(00000000,?,?,00E2E094,?), ref: 00E2DE36

_free.LIBCMT ref: 00E2E0EF
_free.LIBCMT ref: 00E2E125

Strings

p,, xrefs: 00E2E119

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p,
API String ID: 2991157371-2703748495
Opcode ID: bff33c502366c47c73dc24e4b6c9decbd4a414986b7bfdca8401fab4cf3b4cb1
Instruction ID: 986b4ca47d67169b05c63ef1d58bd0fa108fa5223f872d0679195a1ad9575a7a
Opcode Fuzzy Hash: bff33c502366c47c73dc24e4b6c9decbd4a414986b7bfdca8401fab4cf3b4cb1
Instruction Fuzzy Hash: C431B331904238AFDB11EFA9E841A99B7F5EF41324F2550A9F504BB3A1EBB25D42CB40

Function 00E13105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00E13129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00E13170

Part of subcall function 00E07BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E07BD5

Strings

CreateThread failed, xrefs: 00E13135

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c36b343e6c9c773e3066f794332aebab89fb65547fae6ed3904dad3ce20ef313
Instruction ID: 1d7e4e2193544471de43e79cf299d70a4d58d88c82eef52ef58b7e212f48eec8
Opcode Fuzzy Hash: c36b343e6c9c773e3066f794332aebab89fb65547fae6ed3904dad3ce20ef313
Instruction Fuzzy Hash: 51012BB63057067FD3257F70AC46FA27798EB41711F10112DF6C1761C1CAA078C58A64

Function 00E2AABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E580: GetEnvironmentStringsW.KERNEL32 ref: 00E2E589
Part of subcall function 00E2E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2E5AC
Part of subcall function 00E2E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E2E5D2
Part of subcall function 00E2E580: _free.LIBCMT ref: 00E2E5E5
Part of subcall function 00E2E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E2E5F4

_free.LIBCMT ref: 00E2AB00
_free.LIBCMT ref: 00E2AB07

Strings

pb, xrefs: 00E2AAED

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: pb
API String ID: 400815659-3672949377
Opcode ID: 038b03aa75bf7cd4f029e2d0512c55c61a03b8d34c2b047a9a4abc4bbde7fc36
Instruction ID: 1ffe1089d2452894b788dc0d4b071eeed84212b0a517306a4b64f64df252335c
Opcode Fuzzy Hash: 038b03aa75bf7cd4f029e2d0512c55c61a03b8d34c2b047a9a4abc4bbde7fc36
Instruction Fuzzy Hash: 1BE02BA2A454305AE771B63F7D12E9B1A954FC1374B183335F435FB1D2DE91880540D3

Function 00E0B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00E0F306,00000001,?,?,?,00000000,00E17564,?,?,?,?), ref: 00E0B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00E0BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00E0F306,00000001,?,?,?), ref: 00E0BA51

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 62fc09a5bf00eb0ee09100ad070eb10f87ec27ffc85dd65c06b5f62f06c028db
Instruction ID: cf441ed160fa83436c98167c9fb05ac689ccafb679bd8bd9d86d32e181a07fcd
Opcode Fuzzy Hash: 62fc09a5bf00eb0ee09100ad070eb10f87ec27ffc85dd65c06b5f62f06c028db
Instruction Fuzzy Hash: 1731A231208306AFDB14CF20D848BAA77B9FB80715F04591DF991BB2D0CB759D88CBA2

Function 00E0BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00E0E1EC: _wcslen.LIBCMT ref: 00E0E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,00E0BBD0,?,00000001,00000000,?,?), ref: 00E0BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,00E0BBD0,?,00000001,00000000,?,?), ref: 00E0BF45
GetLastError.KERNEL32(?,?,?,00000000,00E0BBD0,?,00000001,00000000,?,?), ref: 00E0BF62

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: aebb52de38ca93506d2b7d36bbf28e5ea502f40c03756ca4acb04a5f03f60dd9
Instruction ID: 5eda89f3cc8105d3ad88837077998275d1c8c96bd3dc7f2b0c430df089613595
Opcode Fuzzy Hash: aebb52de38ca93506d2b7d36bbf28e5ea502f40c03756ca4acb04a5f03f60dd9
Instruction Fuzzy Hash: 8E11C23130021AAADB25AB718C06BEE7798BF09704F005894FA01F71D1DB249EC58E65

Function 00E2DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E2DF08

Strings

, xrefs: 00E2DF4D

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 76b026943609cab9d675c6f31d55abe0aefbe91e932d60ba5be277d4f6536c35
Instruction ID: 9fe80b65248a32874db4d335bc4fefc2bb04906ad1c54725f8cd0ef507c44972
Opcode Fuzzy Hash: 76b026943609cab9d675c6f31d55abe0aefbe91e932d60ba5be277d4f6536c35
Instruction Fuzzy Hash: 93413D706083A89EDF218E24DD84FF6BBE9EF45304F1414ECE69A97142D2759A45CF20

Function 00E2D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,000000FF), ref: 00E2D62D

Strings

LCMapStringEx, xrefs: 00E2D5CD, 00E2D5D7

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0c29b9e0fb2188dcb8e59113f0a7edb6a7f4c10fab855dd0ce0e4b68073769a2
Instruction ID: 59a57c457c1f378c30e674b3f083e11fedc09dcde856bfa91d1822f62bc8ba68
Opcode Fuzzy Hash: 0c29b9e0fb2188dcb8e59113f0a7edb6a7f4c10fab855dd0ce0e4b68073769a2
Instruction Fuzzy Hash: A5011332504218BBCF126FA1ED0ADEE7FA6EF48710F055115FE0835160CA329971EB81

Function 00E2D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E2CBBF), ref: 00E2D5A5

Strings

InitializeCriticalSectionEx, xrefs: 00E2D56B, 00E2D575

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 59bb488d0d76f01c68b4a2f75aeb12a8a8e2c2ed36c57ca2d21e44ba6f8b56e9
Instruction ID: 9dce1af98f7cece26175ce0cf3615dde6f87667689280be2236e6f0e6173d61a
Opcode Fuzzy Hash: 59bb488d0d76f01c68b4a2f75aeb12a8a8e2c2ed36c57ca2d21e44ba6f8b56e9
Instruction Fuzzy Hash: 86F0B43168522CFBCF019F61ED09DAEBFA5EF58710F005165FD083A1A0CA765A50D791

Function 00E2D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00E2D43E

Strings

FlsAlloc, xrefs: 00E2D410, 00E2D41A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 50c6f80e0e2926618576251321c978ce237f9ba31a7c06c881c957e506ab204c
Instruction ID: 30a781c2deae6f67fb7c5c7c8bb312c5b96eb65bb8825cba3c8c875529c1803d
Opcode Fuzzy Hash: 50c6f80e0e2926618576251321c978ce237f9ba31a7c06c881c957e506ab204c
Instruction Fuzzy Hash: 24E05530A45328BB86006FA5AC0ADAEFFA9CF48710F400279FD0536250CD716E40D286

Function 00E2E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00E2DE0B: GetOEMCP.KERNEL32(00000000,?,?,00E2E094,?), ref: 00E2DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E2E0D9,?,00000000), ref: 00E2E2B4
GetCPInfo.KERNEL32(00000000,00E2E0D9,?,?,?,00E2E0D9,?,00000000), ref: 00E2E2C7

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: e938824b900560404a4f179d59a8e4273be1c543b343cc858793789a6de4663d
Instruction ID: cb14b2263e67d18f2b82ed320704bb3bf841fea768fd1f6e439785e36b88a2db
Opcode Fuzzy Hash: e938824b900560404a4f179d59a8e4273be1c543b343cc858793789a6de4663d
Instruction Fuzzy Hash: B2515370D002359EDB20DF71E8816BBBBE5EF41305F18A46EE196AB351D734A941CB90

Function 00E0B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,00E0B43B,00000800,00000800,00000000,?,?,00E0A31D,?), ref: 00E0B5EB
GetLastError.KERNEL32(?,?,00E0A31D,?,?,?,?,?,?,?,?), ref: 00E0B5FA

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4b6315cdbfcc981a312b749077673a25e13cdef063f55caa1064da1ca4594260
Instruction ID: d60671a1b9364492e5a091f3705e0377abba02fc57a13140df4402029028f3ec
Opcode Fuzzy Hash: 4b6315cdbfcc981a312b749077673a25e13cdef063f55caa1064da1ca4594260
Instruction Fuzzy Hash: 90412430204345DBC7209F61D884ABA73E6FF58324F10566DE896A32C2E7B4DDC48B91

Function 00E0B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E0B967,?,?,00E087FD), ref: 00E0B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E0B967,?,?,00E087FD), ref: 00E0B0D4

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2ded10c115d05ed72e3e58f661b4cdd796f2fd6f117bfd9b60a03d24a2568c6
Instruction ID: b177ad9c41c3cf10d0e15a95b8f15282f146665c6963abb1064b2943bdd9c4f6
Opcode Fuzzy Hash: d2ded10c115d05ed72e3e58f661b4cdd796f2fd6f117bfd9b60a03d24a2568c6
Instruction Fuzzy Hash: 85219E71504344AFE3309F25CC89BB7B7DCFB88324F405A29F9E5E21D1D774A9888A62

Function 00E0B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00E0B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E0B8B0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 0795aad0f89207db805dac3bbcfc9ea6c825a2286424332d2ed94a119ae1691c
Instruction ID: 1100d6f8b4dee97b8a6f5cd21cd566c79ef5644b8e8d9f31a006c07b43b7218c
Opcode Fuzzy Hash: 0795aad0f89207db805dac3bbcfc9ea6c825a2286424332d2ed94a119ae1691c
Instruction Fuzzy Hash: CE21E131248281ABC719CF75C492AAABBE8BF51308F08981CF481A71A1D329D98CCB61

Function 00E01FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E01FB7
_wcslen.LIBCMT ref: 00E02052

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: 86a01f47d4ae2b37694af3e7abe8301e9657a073c8398558460e208fc0b84e09
Instruction ID: 183427b8f7681b3c3b4ee58da69058ba959d7c20830db90efc0182fcda69f97f
Opcode Fuzzy Hash: 86a01f47d4ae2b37694af3e7abe8301e9657a073c8398558460e208fc0b84e09
Instruction Fuzzy Hash: E5216A71900219AFCF15AFA4D889AEEBBF2BF48304F10246DF545BB2E1C7355A91DB60

Function 00E26192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,00E660C8,?,?,?,00E26386,00000004,InitializeCriticalSectionEx,00E39624,InitializeCriticalSectionEx,00000000,?,00E2613D,00E660C8,00000FA0), ref: 00E26215
GetProcAddress.KERNEL32(00000000,?), ref: 00E2621F

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 9649b2384f4f389cd5ed6f2c8ee7ae05bc5771ce9faf73f78788c4a212a75434
Instruction ID: 96d837d434c7df9b5173ba8ee5aa1283de77b30a9c6449c79f5806811df08c06
Opcode Fuzzy Hash: 9649b2384f4f389cd5ed6f2c8ee7ae05bc5771ce9faf73f78788c4a212a75434
Instruction Fuzzy Hash: D5118132601125DF8F22CFA5FC8089A77B5FB563647241269E91AF7221E770ED51CBD0

Function 00E0B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00E0B907
GetLastError.KERNEL32 ref: 00E0B914

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f064311023e44fff2c9b5453e4633e44d771e272c87c20e6718175c16a571f03
Instruction ID: ba3274a7287c941c9c4f924ebbea5a1856a0c3d410a1bc9626d455b03a854182
Opcode Fuzzy Hash: f064311023e44fff2c9b5453e4633e44d771e272c87c20e6718175c16a571f03
Instruction Fuzzy Hash: 6E11E531A00701AFE7389729C885BA6B3E8FB85374F905628E262F21D0D770ED85C760

Function 00E2BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2BB55

Part of subcall function 00E2BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E26A24,?,0000015D,?,?,?,?,00E27F00,000000FF,00000000,?,?), ref: 00E2BCC0

RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00E450C4,00E0190A,?,?,00000007,?,?,?,00E01476,?,00000000), ref: 00E2BB91

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 2594e19f012eebe23dddf3203334d3a181ab2813e6b490d4a33d3faa5f4d7d41
Instruction ID: 1d43b270ecf1d2445bdc3ee1935b90d77c11b4b49fed30e7d1e31a7a895dd098
Opcode Fuzzy Hash: 2594e19f012eebe23dddf3203334d3a181ab2813e6b490d4a33d3faa5f4d7d41
Instruction Fuzzy Hash: 1CF0F632500639AADB212A26BC05FAB7BAC9F81BB4F156126F815BA0B5DF20DC0091A5

Function 00E0C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00E0BF5E,?,?), ref: 00E0C305

Part of subcall function 00E0DA1E: _wcslen.LIBCMT ref: 00E0DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E0BF5E,?,?), ref: 00E0C334

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b07b1a26513dbeaf1716182c6b546713e8206c40c4b25c13c24073ff16f2fbbd
Instruction ID: b191a9edf34feba8efc481e7b6726f54fc9b2c833e72d0573918c7683ebb781f
Opcode Fuzzy Hash: b07b1a26513dbeaf1716182c6b546713e8206c40c4b25c13c24073ff16f2fbbd
Instruction Fuzzy Hash: 1DF0903560122DAFDB009F719C05AEF77ACEF09708F4080D9BA01F7290DA35DE898BA4

Function 00E0BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,00E0B14B,?,00000000,00E0AF6E,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?,?), ref: 00E0BC82

Part of subcall function 00E0DA1E: _wcslen.LIBCMT ref: 00E0DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,00E0B14B,?,00000000,00E0AF6E,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?), ref: 00E0BCAE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 42bda4b5fc245b90ecd95387d9f0c2ec097e7ca37d33a0ddeb3cb976f99dab4c
Instruction ID: ceca4727fdb9f59b91f2b01cbf12469e68d148676cada07eccd473c16fb1ba4c
Opcode Fuzzy Hash: 42bda4b5fc245b90ecd95387d9f0c2ec097e7ca37d33a0ddeb3cb976f99dab4c
Instruction Fuzzy Hash: 67F0B435601228ABDB00DF719C85EDE77ECAF09304F404095BA01F3180DF70DE888B94

Function 00E2030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E20341

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

SetDlgItemTextW.USER32(00000065,?), ref: 00E20358

Part of subcall function 00E1D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1D875
Part of subcall function 00E1D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1D886
Part of subcall function 00E1D864: IsDialogMessageW.USER32(000103C2,?), ref: 00E1D89A
Part of subcall function 00E1D864: TranslateMessage.USER32(?), ref: 00E1D8A8
Part of subcall function 00E1D864: DispatchMessageW.USER32(?), ref: 00E1D8B2

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 733711ca139c341bb12f15e7836938c4c97ec5e5cdbf26d13291997073a325ba
Instruction ID: 97761f236534c964d3d49b0df3c1e29a74ca3ffe54edc32f2cb3a23f0e1822b0
Opcode Fuzzy Hash: 733711ca139c341bb12f15e7836938c4c97ec5e5cdbf26d13291997073a325ba
Instruction Fuzzy Hash: 1DF0BB715112186EDB01EF6AED06EDF7BEC9F09304F040096B201F3192D9749A458B61

Function 00E0BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00E0BCD4,?,00E08607,?), ref: 00E0BCFA

Part of subcall function 00E0DA1E: _wcslen.LIBCMT ref: 00E0DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,00E0BCD4,?,00E08607,?), ref: 00E0BD24

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 274b0eb99d8d0d8fe1eb8120a0251affd348964db703c453214c27645dd583fd
Instruction ID: 2f911778c3a05ecafa43d057973025e22393a35dc315a2089fd37c9ba2a1ccfe
Opcode Fuzzy Hash: 274b0eb99d8d0d8fe1eb8120a0251affd348964db703c453214c27645dd583fd
Instruction Fuzzy Hash: 99F0903560021C6BC710EB799D059EEB7F8EB5D760F0101A5FA01F3280DB709E858A90

Function 00E13184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,00E131C7,00E0D526), ref: 00E13191
GetProcessAffinityMask.KERNEL32(00000000,?,00E131C7), ref: 00E13198

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: a24134f95f1033853ad8f82c4ca24d88f80bf55037e2658f023fc084224c46c6
Instruction ID: 06f3da9e5e876c69c20857b7986e801494081a71fb57fcf39705071254d3785c
Opcode Fuzzy Hash: a24134f95f1033853ad8f82c4ca24d88f80bf55037e2658f023fc084224c46c6
Instruction Fuzzy Hash: D9E0D832B01109BB9F1987B49C098EB77EDEB443083109079A503F3200FA34DE4946A0

Function 00E128AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E128D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E11309,Crypt32.dll,00000000,00E11383,00000200,?,00E11366,00000000,00000000,?), ref: 00E128F4

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 0d0f2496f4427d9182e0b910e761dd0accf0e035a62c6f350e696f192e37cab6
Instruction ID: cb578450709ee43f31fb8e20a0496aadccf6a7a66d5cdd7cd4df2313547f468d
Opcode Fuzzy Hash: 0d0f2496f4427d9182e0b910e761dd0accf0e035a62c6f350e696f192e37cab6
Instruction Fuzzy Hash: CAF09A35A00218AECB10DBA5DC09DDBB7ECEF49701F0000AAB605E3140CA74EA898AA4

Function 00E1CD3F Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00E3505D,000000FF), ref: 00E1CD7D
CoUninitialize.COMBASE(?,?,?,?,00E3505D,000000FF), ref: 00E1CD82

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 73f65502c5067769f9373de2ba605dd5f7c84aee90c3d585a7cf24b895a7efdc
Instruction ID: 7e3afa634233726d7845254160ffb67406415631de1fa7da2b935f1beb1d274a
Opcode Fuzzy Hash: 73f65502c5067769f9373de2ba605dd5f7c84aee90c3d585a7cf24b895a7efdc
Instruction Fuzzy Hash: 3EF05476604654AFC700DF15DC05F5AFBB8FB49720F00426BE825E3760DB35A905CA90

Function 00E1C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E1C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E1C375

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 2787b4170e95cb1b62b47ec4fbc276764f31941addd7a354f916dd3aa0d9f85a
Instruction ID: daeeedf3610b15a58cc8e2f012217edcec93b92dffa79076d0889ab2d9ad4662
Opcode Fuzzy Hash: 2787b4170e95cb1b62b47ec4fbc276764f31941addd7a354f916dd3aa0d9f85a
Instruction Fuzzy Hash: 91E0ED71504258EBCB24DF95C945BDAB7F8EB15354F20D09AE896A3201D270AF849B51

Function 00E251AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E251CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E251D5

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: d2a5ea0938d6c2d6673c8d2ffce48e5362334cd4478b16aaf37c980189f17b1e
Instruction ID: 85dc8517d70c4cd2eb11539821d8c8c5c28d8ab868be749ec1c86e62df0d31ee
Opcode Fuzzy Hash: d2a5ea0938d6c2d6673c8d2ffce48e5362334cd4478b16aaf37c980189f17b1e
Instruction Fuzzy Hash: B6D02337556F30488D1076703F03B5B17C099137B53F03746F420B90D1DE3144505512

Function 00E01341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E01356
ShowWindow.USER32(00000000), ref: 00E0135D

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 268c4288f9e574979c7a3e461b63f8c6100443d8027dc9a43aa4d36bd824c70e
Instruction ID: 307f05b9ecd14f547bc70919a22aeaf30de8d70be1648a1e0f19d16062bc2ecc
Opcode Fuzzy Hash: 268c4288f9e574979c7a3e461b63f8c6100443d8027dc9a43aa4d36bd824c70e
Instruction Fuzzy Hash: 31C0123206D200BECB010BB1EC09C2BBFA8ABA6226F10CA4AF0E6D1060C239C014DB11

Function 00E01B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E01B6A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7b83eea81aa613815b57510b8b0c646d6a972b8a6e00b252b1d594e766220740
Instruction ID: 31a46e96a4265f9b062eee9f7143ce4420e62b6fb276eaeff3467f47cea2eb02
Opcode Fuzzy Hash: 7b83eea81aa613815b57510b8b0c646d6a972b8a6e00b252b1d594e766220740
Instruction Fuzzy Hash: D6C16E70A042559BDF29CF24C4C47ADBBA1AF16314F1821F9EC06AF2D6CB35DA85CB61

Function 00E0147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E01483

Part of subcall function 00E06AE8: __EH_prolog3.LIBCMT ref: 00E06AEF

Part of subcall function 00E0EE0F: __EH_prolog3.LIBCMT ref: 00E0EE16

Part of subcall function 00E0668F: __EH_prolog3.LIBCMT ref: 00E06696

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: a095d8d247240afd3a27701cdf28f022cc4c531e6323218af8822ff1b18de7ee
Instruction ID: 19d85f12ae420e4b576da52dc20d0979827042313f33bb7ce64d4bf365eca49c
Opcode Fuzzy Hash: a095d8d247240afd3a27701cdf28f022cc4c531e6323218af8822ff1b18de7ee
Instruction Fuzzy Hash: 134125B1A063808ECB14DF6994802D97BE2AF69300F0812BEEC5DDF29BD7755255CB62

Function 00E15617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E1561E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 8c95cf93cf2c5e8dca57a7b18bc181a259c54d4b50bad794074e63a4675f13d7
Instruction ID: 99f8ed67a20c64c30cb9fbf2b63ba7daa5ce3910cc20002741f5f65b0d3a3c41
Opcode Fuzzy Hash: 8c95cf93cf2c5e8dca57a7b18bc181a259c54d4b50bad794074e63a4675f13d7
Instruction Fuzzy Hash: 382106B2E41721EBDB14EFB49C4269A76E8BB54304F44213AE905FB2C2D7709980C7D8

Function 00E2D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E2D348

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a58662834c05707930f9639f80821fbd93707791a5d6c0940cdb3bb8cbdb8061
Instruction ID: c9c1b2b9989abb6791cb4a44b3b6777730b6db150afee9afe17cf5244e72993a
Opcode Fuzzy Hash: a58662834c05707930f9639f80821fbd93707791a5d6c0940cdb3bb8cbdb8061
Instruction Fuzzy Hash: A3113637A046359F9F21DE29FC4099E7395EBC932471A5224FF24FB254CA30EC0186D2

Function 00E0AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E0AB88

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bf4d669550cde5c97095c09c94e6b079813e8a8985f36d7db4e313e016030fc5
Instruction ID: d451f43b1ad924384c0a486c900a765763c9bc9b08c62e9973273d036760f3da
Opcode Fuzzy Hash: bf4d669550cde5c97095c09c94e6b079813e8a8985f36d7db4e313e016030fc5
Instruction Fuzzy Hash: 1E018836D0072D97CB25EF64C892EAEB3B2AF44740B056529FD11772D1D7349D809B91

Function 00E0EE0F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E0EE16

Part of subcall function 00E06AE8: __EH_prolog3.LIBCMT ref: 00E06AEF

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: ad5e3351583771f5caba77caa7f0df6ad9534677aa1f0612005d4e5c8390079b
Instruction ID: 3bf7e6dab0edae80aaef81f5e7455b3a2ee3c6368daf2b029bd4e381f5616987
Opcode Fuzzy Hash: ad5e3351583771f5caba77caa7f0df6ad9534677aa1f0612005d4e5c8390079b
Instruction Fuzzy Hash: 0501DE61A00344CADB20EBB8E5053AEBAE06F54300F2468ADF485F73D3DE788B40D751

Function 00E06AE8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E06AEF

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: ca6664aa64e4faf9ba7ea1bc285bdb402ead9e38e16f2d93c6026b843d8dc58b
Instruction ID: ff51dd765a7b6dc18a0204475cfd1de4594c7f3905909dc2af6a549289996db2
Opcode Fuzzy Hash: ca6664aa64e4faf9ba7ea1bc285bdb402ead9e38e16f2d93c6026b843d8dc58b
Instruction Fuzzy Hash: 91F0C8F1A80350A6D221EB609807F9F7AD89FD0B00F001059B355BA1C3CBB06340C659

Function 00E2BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E26A24,?,0000015D,?,?,?,?,00E27F00,000000FF,00000000,?,?), ref: 00E2BCC0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2787ce818bcb5eb32d892a2c9bbbed381dbc8302d13bcba25c0cb299df2aada
Instruction ID: d9338db1f51237ac2b2db8bc37cc45b4522be3e9c526fd0baf431e8791f35f8a
Opcode Fuzzy Hash: a2787ce818bcb5eb32d892a2c9bbbed381dbc8302d13bcba25c0cb299df2aada
Instruction Fuzzy Hash: 1AE0303510063257D7212765FD06B5BBB889F513A4F196121AC06B61A2DF55980182E5

Function 00E0C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00E0C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000), ref: 00E0C4E6
Part of subcall function 00E0C4A8: FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?), ref: 00E0C516
Part of subcall function 00E0C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,00E0C39F,000000FF,?,?,?,?,00E087BC,?,?,00000000,0000003A), ref: 00E0C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00E087BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E0C3A5

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 53ad9b9f643ec2f41bd2af77dcb48868e7519869b60b5c4008d91cae67a7581a
Instruction ID: 94d14eecd5d891cdc3f0d49dbd218ac15413e180c2d83e93648413233a5faa45
Opcode Fuzzy Hash: 53ad9b9f643ec2f41bd2af77dcb48868e7519869b60b5c4008d91cae67a7581a
Instruction Fuzzy Hash: CFF08235008790AACA221BB46C057C7BBD06F26336F10DB49F1FD321D2C6B560D89B32

Function 00E12EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00E12F19

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 4dd1bc4746746e988b60ee3dfb3a7e2dca69c5a84ce069c90f435773a6c8aa42
Instruction ID: 69be43f89534c7edea64cad2166fef1c4dc952f605ac9c715195151062b1d00b
Opcode Fuzzy Hash: 4dd1bc4746746e988b60ee3dfb3a7e2dca69c5a84ce069c90f435773a6c8aa42
Instruction Fuzzy Hash: 9AD05B25B081116AD62A37357C0A7FD69975FC7315F082077B189771D38B5A0CC796F2

Function 00E1C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00E1C5BC

Part of subcall function 00E1C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E1C36E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: 1c63be4759a35cc29278e64a6548b3fc751c1951a29a4824e5d68513ee5d67e6
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: 75D0A730280248B6DF012B20CC02DFE75D6DB00344F1090617801E5140EDB1DA906951

Function 00E2017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00E201A4

Part of subcall function 00E1D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E1D875
Part of subcall function 00E1D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E1D886
Part of subcall function 00E1D864: IsDialogMessageW.USER32(000103C2,?), ref: 00E1D89A
Part of subcall function 00E1D864: TranslateMessage.USER32(?), ref: 00E1D8A8
Part of subcall function 00E1D864: DispatchMessageW.USER32(?), ref: 00E1D8B2

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: cea70838b7a150a0770401e8dec5c2d2ce3ddaeb79be462aee5569eacc30170e
Instruction ID: 46986557e363bf1cd44f28382953e48f8009a354f18e37d37ea8bdd7ee2c7b54
Opcode Fuzzy Hash: cea70838b7a150a0770401e8dec5c2d2ce3ddaeb79be462aee5569eacc30170e
Instruction Fuzzy Hash: 60D0C936149300BFDA422B52DE06F1E7AE3BB99F09F005558B388750F1C6B29E75EB16

Function 00E20A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00E20AC0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: aa20906d10395f2885ee54a3b8731dbc71c4e79c3b561ea6c36d258d669d0e39
Instruction ID: 006b2cc9788964ac43425e6083f4cb71e76eb60cd6ea8b5b5cae45f0b3ccc325
Opcode Fuzzy Hash: aa20906d10395f2885ee54a3b8731dbc71c4e79c3b561ea6c36d258d669d0e39
Instruction Fuzzy Hash: CCD0C9B16417289EC251AB65BC9E7662290B348788F962840F649B50D6CAE054848605

Function 00E0B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00E0B18A,?,?,?,00000000,00E0B662,?,?,00000000,?,?), ref: 00E0B294

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 43924b92855dd0761dd2a2661c51210a7d3227cf176781c152327780f7e60030
Instruction ID: 1578419ef76b1be4fdc0da007b5c1279f0b675798dbd7aab3ccafb6f72d93293
Opcode Fuzzy Hash: 43924b92855dd0761dd2a2661c51210a7d3227cf176781c152327780f7e60030
Instruction Fuzzy Hash: 24C01234000109AACE305A38984A09C7722BE533AA7B4A694C028A90F2C3238CD7EA00

Function 00E06B70 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E06B77

Part of subcall function 00E111A5: __EH_prolog3.LIBCMT ref: 00E111AC

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 0a3d08ad2650cadec1bbdf2c8b734c3ff1ce12052b4f924f41da6ad7740a00ed
Instruction ID: 289b6063877807ffea39650091b707b98db5031e67c1a30a07a7e3b0d6fdcb82
Opcode Fuzzy Hash: 0a3d08ad2650cadec1bbdf2c8b734c3ff1ce12052b4f924f41da6ad7740a00ed
Instruction Fuzzy Hash: 53C012B2F0957093EB05B7A4A41735CA5E06BA4B01F8020C8F200BB2C6CBB84B01938A

Function 00E210A8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E210BA

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d10265356eeea5f799976019edecc5091804a14703b5daf97748b0df7c5390f5
Instruction ID: 95050c8fbcac5d7cbcd80def9c4e77d01385adc531a8573382c0d0d6c99da9d9
Opcode Fuzzy Hash: d10265356eeea5f799976019edecc5091804a14703b5daf97748b0df7c5390f5
Instruction Fuzzy Hash: 80B012E17DD210FD32142244BC17C36010CC4C4B14330FA2EF441F00C1D4412EC84032

Function 00E206E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d15a0836b549408ea0a0a0795b3e45f3b1f1b76051ea3b548774e32f6f17093b
Instruction ID: c5dc8d063164e449e262d8a2a851848296ce3237d62370858ae49afd3bbf04ff
Opcode Fuzzy Hash: d15a0836b549408ea0a0a0795b3e45f3b1f1b76051ea3b548774e32f6f17093b
Instruction Fuzzy Hash: 9AB012C53AE116AD310892487D07C3F014CC0C1B14330F43BF408F01C3D4501C1D4031

Function 00E206F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a65b60034e7c690f7727849d7f214c027ffe7ddaec8e7696d705c4c2ad0ea676
Instruction ID: 00535e6891d6b9c37e46b667801c8f5a00971b936a778b7b9259047010b6adf6
Opcode Fuzzy Hash: a65b60034e7c690f7727849d7f214c027ffe7ddaec8e7696d705c4c2ad0ea676
Instruction Fuzzy Hash: F5B012C53BE116AD310892987C07C3F014CD0C1B18330F83BF008F01C3D4401C084031

Function 00E206FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9551a73562c2490ac381cb9a543eaf6a217ab2f451dd71868e024cc18004354c
Instruction ID: 446be3a7dbd58cf3584d286c8b46f54fd80cf2934b105a743495d3f9d6471cbd
Opcode Fuzzy Hash: 9551a73562c2490ac381cb9a543eaf6a217ab2f451dd71868e024cc18004354c
Instruction Fuzzy Hash: 4FB0129539E116AD710492487C07C3F014CC0C2B14330F53BF408F00C2D4401C484031

Function 00E206C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1177c4b787f62949e07cc9b239cd6d9b11ccc95c6bae412ee671eca5cdf3c4de
Instruction ID: 381a22492f19bba2afdca29b32848f52c42306859b88b66bd9c6446ed1b99c66
Opcode Fuzzy Hash: 1177c4b787f62949e07cc9b239cd6d9b11ccc95c6bae412ee671eca5cdf3c4de
Instruction Fuzzy Hash: 93B012893AE21AAD310492487C07C3F014CD0C1B14330B43BF008F01C3D4401C044131

Function 00E206D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 507830504af0688ad78582263ee460d70a88044f5ae77f480a5c6af6e5516f12
Instruction ID: c448925e5b4b10a0961b7430fcd36683661a465cf01f64490e085846e7a69922
Opcode Fuzzy Hash: 507830504af0688ad78582263ee460d70a88044f5ae77f480a5c6af6e5516f12
Instruction Fuzzy Hash: 54B012C53AE117AD310896487C07C3F014CC0C2B14330F53BF408F01C3D4401C084031

Function 00E206DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9bbb3fb3ceb57949b1fd75ec025a0a775985576484509caa1e3456ed20384da
Instruction ID: 0a833d18fcc4c8da37ae0fa627fd69d1b1c484c5cdff2e60611386e812183491
Opcode Fuzzy Hash: a9bbb3fb3ceb57949b1fd75ec025a0a775985576484509caa1e3456ed20384da
Instruction Fuzzy Hash: EDB012C53BE256AE324892487C07C3F014CC0C1B14330F53BF008F01C3D4401C484031

Function 00E206A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9cc99965b229ddde37c5af6185bba7a750e77d929801c5e03e9580fbedaaaea3
Instruction ID: ee7c3dc78581f6fa053d1433182f3629f89a80299ecccbb524f6daf53fbdeada
Opcode Fuzzy Hash: 9cc99965b229ddde37c5af6185bba7a750e77d929801c5e03e9580fbedaaaea3
Instruction Fuzzy Hash: 0BB012853BE216AD31049248BC07C3F055CD0C1B14330B53BF008F00C2D4401C044031

Function 00E206AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 13727f042c0b58aaf5b415f64d6a3f04d54e01c32e1692dbc1bf6b845d74ef38
Instruction ID: 09779ee72ee8c8796eeda6a2f380f7c6e72b607653d7c7e89f02ffa82ee1072e
Opcode Fuzzy Hash: 13727f042c0b58aaf5b415f64d6a3f04d54e01c32e1692dbc1bf6b845d74ef38
Instruction Fuzzy Hash: 76B0128939E216AD310492487C07C3F014CC0C2B14330F53BF408F01C3D4402C044031

Function 00E206B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 585c96569aae1bf98c332aa15c4a091851d23f484ce2648215279bf96d2ce08f
Instruction ID: b3b0787b5b904d1737776f7d9c12ad5df4f8444ccd3fcff832b06e4ab51f81c5
Opcode Fuzzy Hash: 585c96569aae1bf98c332aa15c4a091851d23f484ce2648215279bf96d2ce08f
Instruction Fuzzy Hash: E3B0128939E316AE324492487C07C3F014CC0C2B14330B53BF008F01C3D4401C448031

Function 00E20697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f5a77f8ce1f727d693d5926e5cdb1ff9463068499664de99e51f78d8a519c01a
Instruction ID: bdbecdb4d84f2e39038a142f3f97cd2c1730e8bffca13caec0deb46931cb659a
Opcode Fuzzy Hash: f5a77f8ce1f727d693d5926e5cdb1ff9463068499664de99e51f78d8a519c01a
Instruction Fuzzy Hash: DDB0128539E116AD31049248BD07C3F055CC0C1B14330B63BF408F00C2D4401C054031

Function 00E2067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 99b366f6bddadf53a95cd2769c78879493d3e99a03d2894ead9c9abcb292ead4
Instruction ID: b691bd4a2d87f77f9380b7f4ef077434e2003683d7150b8e45c77f4e7a65c562
Opcode Fuzzy Hash: 99b366f6bddadf53a95cd2769c78879493d3e99a03d2894ead9c9abcb292ead4
Instruction Fuzzy Hash: F3B012857AF11ABE311452447C07C3F010CD0C1B64330B53BF004F00C2D4501C044031

Function 00E2075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a995613b3e4b009964578dc18149dcf00dd9bd2ca5ab233e9de23ed67cd411e3
Instruction ID: 5c0796a377a334f4f715d965a0acd040c772268d098fd50c748cca86298ca779
Opcode Fuzzy Hash: a995613b3e4b009964578dc18149dcf00dd9bd2ca5ab233e9de23ed67cd411e3
Instruction Fuzzy Hash: DBB0129539E116AD310492487D07C3F01CCC0C1B14730B43BF408F00C2D4401C454031

Function 00E2072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3e9129caab5d688a14902890424a785cfc3d727b34b45bfa7e7e930b0a446b25
Instruction ID: b03226730149c9bd5ae82f7a016c633c7bdd20d6f8702318574aff9574c1fe8e
Opcode Fuzzy Hash: 3e9129caab5d688a14902890424a785cfc3d727b34b45bfa7e7e930b0a446b25
Instruction Fuzzy Hash: 58B0129539F216AE324493487C07C3F014CC1C1B24730B53BF408F00C2D4401C444031

Function 00E2070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3510b90e059db8ac09fb05004245475a63d8ee41b2425649dd429b074f748d64
Instruction ID: 6907d46772e4369238e206118ef88ced057b70c720b4215d590456e57abe8007
Opcode Fuzzy Hash: 3510b90e059db8ac09fb05004245475a63d8ee41b2425649dd429b074f748d64
Instruction Fuzzy Hash: 80B0129539E116AD710492487D07C3F014CC0C1B14330B43BF408F00C2D4401D454031

Function 00E20719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c5d5df887dd0d5812d4880037d5440e1798ea9faac19dce0d2cc674b7cb5e26
Instruction ID: f88fedd24af2ad4375875ade86c1891cef2803631e0a9a341c9b589fa1bbe3d3
Opcode Fuzzy Hash: 2c5d5df887dd0d5812d4880037d5440e1798ea9faac19dce0d2cc674b7cb5e26
Instruction Fuzzy Hash: DCB012953AE116AD710492497C07C3F014CD0C1B14330B43BF008F00C2D4401C444031

Function 00E208F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ce4330891334f10c0afa201be60e6e081c9f029afafd673eb34bbef2c6be408
Instruction ID: 1de9ca79363da873254844dc66356a20b665be117b35e7dd1ddd14599cf31a25
Opcode Fuzzy Hash: 6ce4330891334f10c0afa201be60e6e081c9f029afafd673eb34bbef2c6be408
Instruction Fuzzy Hash: B4B012823BD120AD314C6248BC07D3B064CE0C0B54330B62FF008F01C3D4401C404031

Function 00E208C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0029d2908bd3ce0a9279ad62010fa6e33d7660318275dd1824552c480814f860
Instruction ID: bcc65df83bf259e134680087d75bb2080456d210a43c39ea0aaaa7f6ce3308b3
Opcode Fuzzy Hash: 0029d2908bd3ce0a9279ad62010fa6e33d7660318275dd1824552c480814f860
Instruction Fuzzy Hash: 8FB0128239D320AD324C62487C07C3B024CD0C0B54330B52EF008F02C3D4401C849031

Function 00E208CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f3976e1132bc56ebb808251bdae63f78d42b6f7427f232bcf6ffe7c1d85ee9d
Instruction ID: 2923c7b0be4b9358cbdb4ecfaec0c07d4f3bd991cdfd5e5077d4d1f634d2256c
Opcode Fuzzy Hash: 4f3976e1132bc56ebb808251bdae63f78d42b6f7427f232bcf6ffe7c1d85ee9d
Instruction Fuzzy Hash: C3B012823ED224AD314C62487C07D3B024CE0C0B54330B42EF008F02C3D4401C405131

Function 00E209EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0891818151ad84ef7c55d1cebe0513590bfa5097b01e154df3175f1e92a3c9c7
Instruction ID: 5f1c0445c785f83065f279b32f6b35b8b1b5012fbb1a3e69ac5301c2b3708b98
Opcode Fuzzy Hash: 0891818151ad84ef7c55d1cebe0513590bfa5097b01e154df3175f1e92a3c9c7
Instruction Fuzzy Hash: A4B012C63DD111BE31041248BD0BC76010CD8C0B1C730F53AF041F00C3DC615C414031

Function 00E20A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc142d61edfcc1d64d9f7db20e7b882e6705023eccf9a9876233a7a2b8744995
Instruction ID: cb79f33aa2367fcbfe2f14a9961006cc39f5a43c21a463706f21bd40a9eb1f2f
Opcode Fuzzy Hash: bc142d61edfcc1d64d9f7db20e7b882e6705023eccf9a9876233a7a2b8744995
Instruction Fuzzy Hash: 5BB012D17EE310FE33445298BC17C36058CD0C0B24730B52BF044F00C2D8501C414031

Function 00E20A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de40dce4bc75d7234df962141c3f8f44ad87535db17e805bdef3df25d0ea955c
Instruction ID: b60a98d966aade59b5b9f533dfc1892de5b4ed9424f015bbbeaa733d475e3531
Opcode Fuzzy Hash: de40dce4bc75d7234df962141c3f8f44ad87535db17e805bdef3df25d0ea955c
Instruction Fuzzy Hash: C5B012D17DE210FD32045298BC17C36058CD0C1B24730F66BF444F10C2D8501C054031

Function 00E20A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd0ca7ce5d7dcc8af6b359667442895ce7b6d2558c5a1877968aaad0e9722d40
Instruction ID: 523d901d3d36b1f3bad806919eae60b5876e477b99cef6c6fa35d7156fe8d0f0
Opcode Fuzzy Hash: dd0ca7ce5d7dcc8af6b359667442895ce7b6d2558c5a1877968aaad0e9722d40
Instruction Fuzzy Hash: 25B012D17DE210ED32045298BD17C37058CD0C0B14730B43BF444F00C2D8411C034031

Function 00E20A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa6b2621d5f3e6ff5c52fa8dc2c2c93919e415a6b9c3a385d132199350d17a8b
Instruction ID: da98a0b2a0fb16a8d28e451e0b29f07a3758e7355dd2140c80a925d802b54183
Opcode Fuzzy Hash: aa6b2621d5f3e6ff5c52fa8dc2c2c93919e415a6b9c3a385d132199350d17a8b
Instruction Fuzzy Hash: 25B012C13DD110EE35445248BC0BC77015CD0C0B24330F73AF405F10C3D4A05C444131

Function 00E20A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fdbc28f577a6fefa0866b58dfe512a2dbe0d80a8988089ba59667d0b02c7a79a
Instruction ID: ca38b56a82db331755c86296763df32299cd706eb09fdf0378ed73ddfd417b94
Opcode Fuzzy Hash: fdbc28f577a6fefa0866b58dfe512a2dbe0d80a8988089ba59667d0b02c7a79a
Instruction Fuzzy Hash: CFB012C13DD210AE32445258BC0BC76054CD0C0B14330B63AF005F01C3D4515C884131

Function 00E20A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9813e183f7917c15e7ef91b45d8c1905875c314eae3d794748838ce351de93e
Instruction ID: d5dd6da494fe9bd69be6b4f96dc981a823274238edc2b040d1f512f7c41421ca
Opcode Fuzzy Hash: b9813e183f7917c15e7ef91b45d8c1905875c314eae3d794748838ce351de93e
Instruction Fuzzy Hash: ACB012C13DD110BE31445258BD0BC77014CD0C0B14330F53AF005F00C3D4515C454131

Function 00E206C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c2ce27fbb4d330ca4bbeb21bdbcf277bc3685fe8aec77a639fad46c2cabba66f
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: c2ce27fbb4d330ca4bbeb21bdbcf277bc3685fe8aec77a639fad46c2cabba66f
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E20782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e02fd9fa1aae972d7b7f2f169bb342dd987385744434c3d9951554b5af2704e7
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: e02fd9fa1aae972d7b7f2f169bb342dd987385744434c3d9951554b5af2704e7
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E2076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 311aad23f600c2a5e4e025af77b0392828164a8050ad6e1d1ab6cba834ad08c5
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 311aad23f600c2a5e4e025af77b0392828164a8050ad6e1d1ab6cba834ad08c5
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E20778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23062caf50de19c26e97f83bb37d8c695c3279dfbad3aa3d6b7971ee21b00c5c
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 23062caf50de19c26e97f83bb37d8c695c3279dfbad3aa3d6b7971ee21b00c5c
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E20746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7713569e59c9a38a2ddcfa130f6c16ccf73014f3c8e04c7fc884401a2e85a70f
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 7713569e59c9a38a2ddcfa130f6c16ccf73014f3c8e04c7fc884401a2e85a70f
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E20750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9fb58db8f88a6de3ce5d9d3daab969a599fe28c6ef4b5a53bb611a27020b14fc
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 9fb58db8f88a6de3ce5d9d3daab969a599fe28c6ef4b5a53bb611a27020b14fc
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E2075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37c7020983efa64f4635654563a6cf9c6ea732364eab8b1e54fd581ae3c75fd3
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 37c7020983efa64f4635654563a6cf9c6ea732364eab8b1e54fd581ae3c75fd3
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E20728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ebfd09de7dd0351dd29a74ec3310989fa488df81fae10e53984e28ae2e61d8a
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 0ebfd09de7dd0351dd29a74ec3310989fa488df81fae10e53984e28ae2e61d8a
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E2073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64b4c66c96ef6ee816035c4ea47ba71a5849b0eb9744f607944511e95c877528
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: 64b4c66c96ef6ee816035c4ea47ba71a5849b0eb9744f607944511e95c877528
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E2070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E2068E

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c6cca831385edb5ffc3f53e22cedbe26a0cc23b96f6f1d0b7bfd9ac5cc3a63ac
Instruction ID: b183c7c821e2b0a398bfd656900bfebfc1dfefa0812c2955e9701af6615acefe
Opcode Fuzzy Hash: c6cca831385edb5ffc3f53e22cedbe26a0cc23b96f6f1d0b7bfd9ac5cc3a63ac
Instruction Fuzzy Hash: D6A0118A2AA22BBC3008A280BC0AC3F020CC0C0B20330A82AF00AE00C2A88028088030

Function 00E208E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44b841b2bc7c8371d8c489671d33e39151dc98637c145618c2d41ddeb6fcc874
Instruction ID: f4b90008e4d68b1295986a8fbbda0e07301774b842ccae9de9926d6ca6cc5c4d
Opcode Fuzzy Hash: 44b841b2bc7c8371d8c489671d33e39151dc98637c145618c2d41ddeb6fcc874
Instruction Fuzzy Hash: 9DA001966AA226BD310D6295BD0AC7B165CE4C4BA5730A92EF40AE41C3E8902C859471

Function 00E208F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 71a97f216478edad41a6e4bed7c0d914ba02ffcb4db339095dcee815bacf6800
Instruction ID: f4b90008e4d68b1295986a8fbbda0e07301774b842ccae9de9926d6ca6cc5c4d
Opcode Fuzzy Hash: 71a97f216478edad41a6e4bed7c0d914ba02ffcb4db339095dcee815bacf6800
Instruction Fuzzy Hash: 9DA001966AA226BD310D6295BD0AC7B165CE4C4BA5730A92EF40AE41C3E8902C859471

Function 00E208DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b97891e6a18004d8760dbd4aefbdd7f527dfa5d842d5940522d64168587b31cc
Instruction ID: f4b90008e4d68b1295986a8fbbda0e07301774b842ccae9de9926d6ca6cc5c4d
Opcode Fuzzy Hash: b97891e6a18004d8760dbd4aefbdd7f527dfa5d842d5940522d64168587b31cc
Instruction Fuzzy Hash: 9DA001966AA226BD310D6295BD0AC7B165CE4C4BA5730A92EF40AE41C3E8902C859471

Function 00E208B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db2b1807583c0f5ddfecfd02c90bde70179a51967cbed77b8fc5e0a16f4bb9cc
Instruction ID: f4b90008e4d68b1295986a8fbbda0e07301774b842ccae9de9926d6ca6cc5c4d
Opcode Fuzzy Hash: db2b1807583c0f5ddfecfd02c90bde70179a51967cbed77b8fc5e0a16f4bb9cc
Instruction Fuzzy Hash: 9DA001966AA226BD310D6295BD0AC7B165CE4C4BA5730A92EF40AE41C3E8902C859471

Function 00E208BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9817ca8b8506ab9138827ff919c346e622eef6de5b13e64b85329d9bfeb9416f
Instruction ID: f4b90008e4d68b1295986a8fbbda0e07301774b842ccae9de9926d6ca6cc5c4d
Opcode Fuzzy Hash: 9817ca8b8506ab9138827ff919c346e622eef6de5b13e64b85329d9bfeb9416f
Instruction Fuzzy Hash: 9DA001966AA226BD310D6295BD0AC7B165CE4C4BA5730A92EF40AE41C3E8902C859471

Function 00E2089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E208A7

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 401acacd2e9726c5a4902898ddf57b3fe38dd0f4676da2eecc56f975fe681de5
Instruction ID: 861c050f17d922252efa665b3b132e9611a820023eaa6a76f6615f90fa1cdc75
Opcode Fuzzy Hash: 401acacd2e9726c5a4902898ddf57b3fe38dd0f4676da2eecc56f975fe681de5
Instruction Fuzzy Hash: E6A001966AA225BD310D62A5BD0AC7B265CE4C0B65730A96EF409F41C7E8902C859471

Function 00E20A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16d82f81789a357516d00dc74ca1df760fbbccc364fd5ac694d6d2b3d922b8c2
Instruction ID: d2d559efb6d6f04fc5e02f4a00659c9e12a77c56f8c51a324d076a69d54f0b9f
Opcode Fuzzy Hash: 16d82f81789a357516d00dc74ca1df760fbbccc364fd5ac694d6d2b3d922b8c2
Instruction Fuzzy Hash: 8DA002D5799211FD31055295BD16C76455CD4C4B55770B91AF445E40C2985118455431

Function 00E20A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9a2df02e30df4552488593857344e3583b8dfe95bae60134077db4fefb95f26
Instruction ID: d2d559efb6d6f04fc5e02f4a00659c9e12a77c56f8c51a324d076a69d54f0b9f
Opcode Fuzzy Hash: e9a2df02e30df4552488593857344e3583b8dfe95bae60134077db4fefb95f26
Instruction Fuzzy Hash: 8DA002D5799211FD31055295BD16C76455CD4C4B55770B91AF445E40C2985118455431

Function 00E20A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6be364b640843ec7ec1c0d90d8e5732ffe0279176f7e9a7b4a89dcd8a4c13a5b
Instruction ID: d397a895b73e1af5f03448d516bf4fa35dfd391cfaa91863d5f49667c273c798
Opcode Fuzzy Hash: 6be364b640843ec7ec1c0d90d8e5732ffe0279176f7e9a7b4a89dcd8a4c13a5b
Instruction Fuzzy Hash: F0A011C23AA222BE30082280BC0BCBA020CE0C0B20330AA2AF002E00C3E8A028808030

Function 00E20A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20A5D

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 700e49cbc95988e7d23e1a9b3ea2c5e8f1a6df093f6dc316f09452cf0aca04fd
Instruction ID: 450c5ea9a634160c51c2a38ca254a6350c4233e28b463c76646b0631acb6ce16
Opcode Fuzzy Hash: 700e49cbc95988e7d23e1a9b3ea2c5e8f1a6df093f6dc316f09452cf0aca04fd
Instruction Fuzzy Hash: C0A002D5795211BD31055295BD1AD76469CD4C0B15770B51AF545F40C2A85118455431

Function 00E20A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30bdfa9a4cf87afe84beaefcb3dd88aa80aa007835593ded28901c2ee71e8302
Instruction ID: d397a895b73e1af5f03448d516bf4fa35dfd391cfaa91863d5f49667c273c798
Opcode Fuzzy Hash: 30bdfa9a4cf87afe84beaefcb3dd88aa80aa007835593ded28901c2ee71e8302
Instruction Fuzzy Hash: F0A011C23AA222BE30082280BC0BCBA020CE0C0B20330AA2AF002E00C3E8A028808030

Function 00E20A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 13885bac01835e9562b28a59351bf62f59756d8dc11847a75409237880d0921f
Instruction ID: d397a895b73e1af5f03448d516bf4fa35dfd391cfaa91863d5f49667c273c798
Opcode Fuzzy Hash: 13885bac01835e9562b28a59351bf62f59756d8dc11847a75409237880d0921f
Instruction Fuzzy Hash: F0A011C23AA222BE30082280BC0BCBA020CE0C0B20330AA2AF002E00C3E8A028808030

Function 00E20A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E209FC

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: edc32647b69fd63f254fd27f4b8add56c2ebb74dba9b083863b8d46b66c74fb9
Instruction ID: d397a895b73e1af5f03448d516bf4fa35dfd391cfaa91863d5f49667c273c798
Opcode Fuzzy Hash: edc32647b69fd63f254fd27f4b8add56c2ebb74dba9b083863b8d46b66c74fb9
Instruction Fuzzy Hash: F0A011C23AA222BE30082280BC0BCBA020CE0C0B20330AA2AF002E00C3E8A028808030

Function 00E2092F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E20937

Part of subcall function 00E20D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E20DAD
Part of subcall function 00E20D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E20DBE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2aae468ea5216b8eb4aeb1d87f8f2bccca7073cd79aa5dec7ce9810d4bd4b81c
Instruction ID: 5f41ef3e9079f1eb1dd949cd746258ff620b48c456b802e41cd0aad55ffcbf32
Opcode Fuzzy Hash: 2aae468ea5216b8eb4aeb1d87f8f2bccca7073cd79aa5dec7ce9810d4bd4b81c
Instruction Fuzzy Hash: 32A002D67AA311BD31096396BD0BC3F165CD8C0F25730EE2EF408E80C2E8D02D858431

Function 00E0B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00E0A712,?,?,?,?,?,?,?), ref: 00E0B94C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 1edf329c1195d95811220f74e50b1d6ccbfb99a58baac15fc66505b0d866e0f3
Instruction ID: 1095908d0e055c7a30c4e61d637e5326292a1dd451138c41eb8a60297bcec8d9
Opcode Fuzzy Hash: 1edf329c1195d95811220f74e50b1d6ccbfb99a58baac15fc66505b0d866e0f3
Instruction Fuzzy Hash: 57A0113008800E8A8E202B32CA0A00C3B20EB20BC830082A8A00BCA0A2CB22880B8A00

Function 00E1CBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00E1CBBA

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 830e9b3913859fb93593602e8e71ad52636eb00243ccc46e214b56060c457745
Instruction ID: c576e99c40154e1c1f77554f16fc5768f228c66bbca6d6b86b068453f42ad1b2
Opcode Fuzzy Hash: 830e9b3913859fb93593602e8e71ad52636eb00243ccc46e214b56060c457745
Instruction Fuzzy Hash: 2AA01130202200AB82000B328F0AA0EBAAAAFA2A00F00C028A00A80030CB328820AA00

Function 00E0AFD0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00E0AF75,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?,?), ref: 00E0AFEB

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4085585494b1b5e8d9ac8fd60bddd1799aff6bdd928c0d7c2137ec12b8147caa
Instruction ID: 724e6eae3255b0fa7cebd8aa369e931e7c1bde317debab9ba1aee2bbe267e675
Opcode Fuzzy Hash: 4085585494b1b5e8d9ac8fd60bddd1799aff6bdd928c0d7c2137ec12b8147caa
Instruction Fuzzy Hash: F8F0E971581B069FDB348B20C458793B7E4AF12329F082B2DC0F7634E0D36065CDDA41

Non-executed Functions

Function 00E1E560 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01366: GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
Part of subcall function 00E01366: SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E1E602
EndDialog.USER32(?,00000006), ref: 00E1E615
GetDlgItem.USER32(?,0000006C), ref: 00E1E631
SetFocus.USER32(00000000), ref: 00E1E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 00E1E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E1E69F
FindFirstFileW.KERNEL32(?,?), ref: 00E1E6B5

Part of subcall function 00E1CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1CBEE
Part of subcall function 00E1CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E1CC05
Part of subcall function 00E1CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 00E1CC19
Part of subcall function 00E1CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1CC2A
Part of subcall function 00E1CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E1CC42
Part of subcall function 00E1CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00E1CC66
Part of subcall function 00E1CBC8: _swprintf.LIBCMT ref: 00E1CC85

_swprintf.LIBCMT ref: 00E1E704

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E1E717
FindClose.KERNEL32(00000000), ref: 00E1E71E
_swprintf.LIBCMT ref: 00E1E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 00E1E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E1E7A0
_swprintf.LIBCMT ref: 00E1E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E1E7EC
_swprintf.LIBCMT ref: 00E1E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00E1E84F

Part of subcall function 00E1D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E1D0E1
Part of subcall function 00E1D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,00E4272C,?,?), ref: 00E1D12A

Strings

%s %s, xrefs: 00E1E6F1, 00E1E6FD, 00E1E769, 00E1E7CF, 00E1E832
-, xrefs: 00E1E68C
REPLACEFILEDLG, xrefs: 00E1E59C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$-$REPLACEFILEDLG
API String ID: 3464475507-3135309196
Opcode ID: 528cbe385055fff252903d122dbaf36b6e48cd100fc0f64365da6acedc5e3f67
Instruction ID: 6e1db3f91a9efaaac7275dbcd49cbeefe3fdaed4df3aa167272fa0bdd3c9bafe
Opcode Fuzzy Hash: 528cbe385055fff252903d122dbaf36b6e48cd100fc0f64365da6acedc5e3f67
Instruction Fuzzy Hash: 6E71C5B2648304BFE3319B64EC49FFF779DAB89744F040819FA89F21C1D6B199488672

Function 00E07FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0807F
_wcslen.LIBCMT ref: 00E08112

Part of subcall function 00E08C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E08CB2
Part of subcall function 00E08C95: GetLastError.KERNEL32 ref: 00E08CF6
Part of subcall function 00E08C95: CloseHandle.KERNEL32(?), ref: 00E08D05

Part of subcall function 00E0BC65: DeleteFileW.KERNELBASE(?,?,?,?,00E0B14B,?,00000000,00E0AF6E,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?,?), ref: 00E0BC82
Part of subcall function 00E0BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,00E0B14B,?,00000000,00E0AF6E,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?), ref: 00E0BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E081C1
CloseHandle.KERNEL32(00000000), ref: 00E081DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,88F1D862,00000000), ref: 00E08329

Part of subcall function 00E0B7E2: FlushFileBuffers.KERNEL32(?), ref: 00E0B7FC
Part of subcall function 00E0B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00E0B8B0

Part of subcall function 00E0AFD0: CloseHandle.KERNELBASE(?,?,?,00E0AF75,88F1D862,00000000,00E3517A,000000FF,?,00E08882,?,?), ref: 00E0AFEB

Part of subcall function 00E0C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00E0BF5E,?,?), ref: 00E0C305
Part of subcall function 00E0C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E0BF5E,?,?), ref: 00E0C334

Strings

SeRestorePrivilege, xrefs: 00E08034
UNC\, xrefs: 00E080D2
SeCreateSymbolicLinkPrivilege, xrefs: 00E0803E
\??\, xrefs: 00E080A1

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 374897892-3508440684
Opcode ID: bf9313ae5a6d4d9e3b012468df75113654ca7eb6812b0881dffd906864d85f39
Instruction ID: 7f22bdd16eb8291128467d19ffffbb9d6e50bb2a1137e85dd88c145820ef4b32
Opcode Fuzzy Hash: bf9313ae5a6d4d9e3b012468df75113654ca7eb6812b0881dffd906864d85f39
Instruction Fuzzy Hash: 34D1C5B1900249AFDB25DB60DD85BEEB7ECBF04704F00551AF695F7181DB78AA84CBA0

Function 00E2FF3E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E30084

Strings

1#QNAN, xrefs: 00E3128A
1#IND, xrefs: 00E3127C
1#INF, xrefs: 00E31291
1#SNAN, xrefs: 00E31283

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ce994d62e07525919ac40c50021d5822cf85549c76b6c6c481f647ca77d38b78
Instruction ID: f5d6c39f8a87910d7166e0064fae703047e0a223b63b16b010989c39b2195751
Opcode Fuzzy Hash: ce994d62e07525919ac40c50021d5822cf85549c76b6c6c481f647ca77d38b78
Instruction Fuzzy Hash: C5C24871E086288FDB25CE289D587EABBB5EB84304F1551EAD84DF7240E775AE81CF40

Function 00E03AB7 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 677COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E03F3A

Strings

hc%u, xrefs: 00E03F80
CMT, xrefs: 00E04288
h%u, xrefs: 00E03F2C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _swprintf
String ID: CMT$h%u$hc%u
API String ID: 589789837-3282847064
Opcode ID: 6b0ba3fa77955d05c2ec96364dbf7bb5dad0f881db16a3a7442014b25854f41d
Instruction ID: a22d1fb8d95793221d5ed5ed96edd15857ea3678ae534fff3e8e62719288e28f
Opcode Fuzzy Hash: 6b0ba3fa77955d05c2ec96364dbf7bb5dad0f881db16a3a7442014b25854f41d
Instruction Fuzzy Hash: 5F42E5B19012849ADF14DF74C885BEE7BE5AF15304F04247DE94ABB2C2DB746AC9CB60

Function 00E02FCB Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 830COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E035C3

Part of subcall function 00E13D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,88F1D862,?,?,88F1D862,00000001,00E0DA04,00000000,88F1D862,?,000103C2,?,?), ref: 00E13D2C

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E0370D

Strings

CMT, xrefs: 00E03738

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1610651222-2756464174
Opcode ID: cf255a73d6f7517e2a66eaf2415875a48d00e962e21d768ff28e9182714eb440
Instruction ID: 1c9c6f6aadc6436056e1507e668dfb1dc2b600d7f75ae9b6b3fbcc45037ec506
Opcode Fuzzy Hash: cf255a73d6f7517e2a66eaf2415875a48d00e962e21d768ff28e9182714eb440
Instruction Fuzzy Hash: CB623571A002448FCB29DF78C8856EE7BF5AF14304F08157EE85ABB2C2D6749A85CB60

Function 00E21FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E21FD6
IsDebuggerPresent.KERNEL32 ref: 00E220A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E220C2
UnhandledExceptionFilter.KERNEL32(?), ref: 00E220CC

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8b36ab9776a6d76c6169f75164d1ec4e63010ae6001949352656721767346f25
Instruction ID: c1bc4bc33186a9613fe4f6c596778b6cc3394198b4e3e22d9a5fc0de5aed55e7
Opcode Fuzzy Hash: 8b36ab9776a6d76c6169f75164d1ec4e63010ae6001949352656721767346f25
Instruction Fuzzy Hash: FF311A75D0522CAFDB20DFA4D989BCCBBF8AF08304F10409AE50DA7250EB715A88CF15

Function 00E20B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00E20AC5,0000001C,00E20CBA,00000000,?,?,?,?,?,?,?,00E20AC5,00000004,00E65D24,00E20D4A), ref: 00E20B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E20AC5,00000004,00E65D24,00E20D4A), ref: 00E20BAC

Strings

D, xrefs: 00E20BA0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 7441515c6cda0ac4945f50ace901958da4be8ac9cb7bc4a0781fb03af2afea7a
Instruction ID: 2c908d5b02f4a27d23c1815fca17119dc56e6c77fbfe2c7dc2c707bc7d42b60c
Opcode Fuzzy Hash: 7441515c6cda0ac4945f50ace901958da4be8ac9cb7bc4a0781fb03af2afea7a
Instruction Fuzzy Hash: 0D01F732A001196FCB24DF29DC09FDE7BA9AFC432CF0CC124AD59E7285D634E8058680

Function 00E2647F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E26577
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E26581
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00E2658E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 129e441aacfc4f7f6c387734a3be0dfa2164fc5477fe0048baf832e54c2655e4
Instruction ID: b693d3d5c58d0efce47a82c7568fbffa1686f2e04e42e1132b24f82f1e800625
Opcode Fuzzy Hash: 129e441aacfc4f7f6c387734a3be0dfa2164fc5477fe0048baf832e54c2655e4
Instruction Fuzzy Hash: FE31D87590122CABCB21DF65E88979CBBB8BF08310F5051DAE91CA7251E7309F858F44

Function 00E2D998 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00E2DB2B

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 867ef43aa4e1e7aefe006397d7abb6e3a1f3ce6d65e2104742cde79d64690a3f
Instruction ID: e6b61929832e50786c28518aa36679eb71a98db09898ac1d9493080e6979b90a
Opcode Fuzzy Hash: 867ef43aa4e1e7aefe006397d7abb6e3a1f3ce6d65e2104742cde79d64690a3f
Instruction Fuzzy Hash: 343124B19042286FCB249E78DC88EFB7BBDEB85308F14529CFA19E7251E6309D448B50

Function 00E2FA90 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
Instruction ID: 2dbfc9e43b321ebc25ccf0ce051cb8b7eff48929ded2bd076adac475aca1d872
Opcode Fuzzy Hash: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
Instruction Fuzzy Hash: 08022B71E002299BDF14CFA9D8906ADF7F1EF88324F25927AD819F7345D730AA418B94

Function 00E1D0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E1D0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,00E4272C,?,?), ref: 00E1D12A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 95a1d0165fca184e814e80559096d7b80c32407f9a086c8c9c2a2fb6e38c50c5
Instruction ID: 78953c1a8f531cef3f9734b9521af886045f48bb966c7de167d6d27c2016b292
Opcode Fuzzy Hash: 95a1d0165fca184e814e80559096d7b80c32407f9a086c8c9c2a2fb6e38c50c5
Instruction Fuzzy Hash: E9115739210308AED710DF71EC45BABBBB8EF48700F40942AFA01B7291D670AA59CB65

Function 00E07BFF Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E07D6C,?,00000400), ref: 00E07BFF
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E07C20

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c8f2f1fc52e1c88a25cda1fe5f437df20b6997b2fc5a5009d0ce10e955bc14f9
Instruction ID: cb45606ab2e1cd49127f39bef0b7a84bffb98938090a8d6756f7ad7a0e5b5516
Opcode Fuzzy Hash: c8f2f1fc52e1c88a25cda1fe5f437df20b6997b2fc5a5009d0ce10e955bc14f9
Instruction Fuzzy Hash: A6D0A730348300BFFE100A314C4BF2ABB59AB58B41F10D404B341F40E0C6709055AA18

Function 00E34044 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E3403F,?,?,00000008,?,?,00E33CDF,00000000), ref: 00E34271

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c45d29ebc6eeab35c906d6c1d3b6b1c7ff8ec6e9bfd20b26061853dd8d7b4ff1
Instruction ID: 9b7f2728cb1754542ab390e97cd803be0d20341c93091740ef75c175f3df5242
Opcode Fuzzy Hash: c45d29ebc6eeab35c906d6c1d3b6b1c7ff8ec6e9bfd20b26061853dd8d7b4ff1
Instruction Fuzzy Hash: 2DB14BB16106089FD719CF28C48ABA57FE0FF45368F259698E899DF2E1C335E991CB40

Function 00E0D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00E0D0A7

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3b8a3a1d189a6a07a22a526e540660d7aca625e73cf0113d6a8dd939710321fb
Instruction ID: 02e288307750708f006060517a0d5a3be87202e834ebe9083a0d62fdc18540e5
Opcode Fuzzy Hash: 3b8a3a1d189a6a07a22a526e540660d7aca625e73cf0113d6a8dd939710321fb
Instruction Fuzzy Hash: A6014B79904208CFDB24CF65EC81A9977B2BB5A304F60421DE61AB7392DB70A94ECF40

Function 00E04C6E Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

gj, xrefs: 00E04D3E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 6099d5d51825c4b873383274f7ab6a99536bea040d254d9d9f1a1984e82dda4c
Instruction ID: 22ad1204578a7cb8f35c2afc2c79f8abaf04b0f7d430a7a7a647676a10d07d70
Opcode Fuzzy Hash: 6099d5d51825c4b873383274f7ab6a99536bea040d254d9d9f1a1984e82dda4c
Instruction Fuzzy Hash: 1BD13AB2A083458FC754CF29D88065AFBE2BFC9308F55892EE998D7301D774A955CB82

Function 00E2215D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00022170,00E21BC5), ref: 00E22162

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 66798e2f2c67eea6ab610207c355cfbfc8943924f4d348c3a953df9f32733d22
Instruction ID: e6d3a4526fe17eb06fe982c5ec1c31d8f72b5a8d0d852fc431405527eb5f631c
Opcode Fuzzy Hash: 66798e2f2c67eea6ab610207c355cfbfc8943924f4d348c3a953df9f32733d22
Instruction Fuzzy Hash:

Function 00E127A9 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

, xrefs: 00E127DC

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction ID: 8fdf0d490f245610a9861c5240e452b1e652fc776ffa9fb9269f049a63d612e3
Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction Fuzzy Hash: B91128B19047069AD72C8F688C557EBBBE4FB00304F20D82ED6AAF2280D371A590CB40

Function 00E2E680 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E2E680

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 467a6742bafbef3c2fdd34de92de662cec8f76be9916ae78d7f57cf7bb5db254
Instruction ID: efe27a05537987179e8fcd51b1d6c8df266523190be0dddb381da4a9c263050a
Opcode Fuzzy Hash: 467a6742bafbef3c2fdd34de92de662cec8f76be9916ae78d7f57cf7bb5db254
Instruction Fuzzy Hash: B0A012301112009F83004F33690C20939E4A7031C1704C0269008D0120D62550144F40

Function 00E182D0 Relevance: .8, Instructions: 807COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
Instruction ID: dc5b996a33e572fac81866ed316841fdac20b9b6e315ef3311e5b5247a326ce2
Opcode Fuzzy Hash: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
Instruction Fuzzy Hash: 06620771604B858FCB29CF38C5906F9BBE1EF95304F18956DE89B9B382DB34A985C710

Function 00E1976F Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
Instruction ID: 47427cf49e872869eddaf24a08c821639d05b0be8e3c05c2a2eefdcdf0e249aa
Opcode Fuzzy Hash: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
Instruction Fuzzy Hash: 2162D4716082459FCB18CF28C4A06E8BBE1FF95304F08966DEC9A9B347D734E985DB91

Function 00E11476 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
Instruction ID: a88e619f451a7f25050dd2ee0feb33e94eda5d0baccd30369a33018498d43de4
Opcode Fuzzy Hash: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
Instruction Fuzzy Hash: 1E526AB26087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA59CB86

Function 00E19111 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c652954a2653d8af5ce33b973ceb3efc55440f5898f72266f9350d23ad383ed
Instruction ID: c78530072900dffa700d1e655eb887ed716cde59ba8e6fba76faeccbe940b611
Opcode Fuzzy Hash: 8c652954a2653d8af5ce33b973ceb3efc55440f5898f72266f9350d23ad383ed
Instruction Fuzzy Hash: 4512CE716047069FC728CF28C4A06F9B7E1FB44308F14992EE9ABD7682D378A9D5CB45

Function 00E0E394 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f395b086e355b39f830dc68421323238cc5b0c8d06f3b2a6256e4771b537494
Instruction ID: e7e548f1c232bdb7cbc4bcd268437f20a7f96a3b03357325bd61c10d2ecac399
Opcode Fuzzy Hash: 3f395b086e355b39f830dc68421323238cc5b0c8d06f3b2a6256e4771b537494
Instruction Fuzzy Hash: 52F19C71A083118FC718CF28D58462ABBE1EFD9304F18AE6EE485A7391D731E985CB52

Function 00E10949 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6af919aa56343330f8f4e8750c0947f6232417f11b12d2eac13f585665d8e2
Instruction ID: 58e8589105bb201ee93d5ce7a41bd1f76fc3c0e35660db1b95a58732bba421d3
Opcode Fuzzy Hash: fc6af919aa56343330f8f4e8750c0947f6232417f11b12d2eac13f585665d8e2
Instruction Fuzzy Hash: 98E15D755183908FD304CF2AD49056BBBF0BB9A304F4A095EF6D4A7352D234EA5ACF92

Function 00E160F7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271ebf49aca098cf633a32de72f8785fa1463a0770c7478da9a0644b429eab93
Instruction ID: 694dc3208cdd6509d5b44133307074347b6260a330848319b93f45bc1bce196a
Opcode Fuzzy Hash: 271ebf49aca098cf633a32de72f8785fa1463a0770c7478da9a0644b429eab93
Instruction Fuzzy Hash: 379136B12007449BDB24EF68E891BFE77D5EB94304F20292DE5A7A72C2DB7495C4C741

Function 00E16445 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e119a6aae28746bf5e7d3a5c214f05b9987e3ae65459caff709f2f257ab33e7
Instruction ID: 700c7f83ad32b176ea859d8297ac9e0b4c75cc12f59884032c5f5bf8d56bf729
Opcode Fuzzy Hash: 7e119a6aae28746bf5e7d3a5c214f05b9987e3ae65459caff709f2f257ab33e7
Instruction Fuzzy Hash: 4C813A717043419BDB34DF28D891BFD77D5EB94708F10293EEA86AB282DA74D8C48792

Function 00E27967 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d762bd332ae925461a78e2dbea427710536ec5f194b82c178b9ec774e48eac9f
Instruction ID: 82a4c3e9e4e0fe3ea3e7ed5a6812e81c1f158eaa147bb645f02032309674c988
Opcode Fuzzy Hash: d762bd332ae925461a78e2dbea427710536ec5f194b82c178b9ec774e48eac9f
Instruction Fuzzy Hash: 086199B120C73966DE389A28B852BFF23C5EB95328F10391EE8C3FB281D5119E81C355

Function 00E27738 Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 0be47fdc9274ea752c0714f5fd77073c517ff6234a8cf7b7d9f08b7ddff638c6
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 0E51567160C73957DB3C4968B59A7FE27CA9B12309F18390BE8C2FB282D615DD41D3A2

Function 00E10FAC Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39444270ed6ae154a60cd17decd146c57e324b09e05e6e5fe3cb682c219f4583
Instruction ID: fbd7152408e44c736a86bee671284ca7e701f76c906b54fe05983c2d5abc9512
Opcode Fuzzy Hash: 39444270ed6ae154a60cd17decd146c57e324b09e05e6e5fe3cb682c219f4583
Instruction Fuzzy Hash: 05510631A093D54FC711DF3884404AEFFE0AE9A314F4A59DEF6D96B242D221D6CACB52

Function 00E12125 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6919e15d28fd5391ec30605917731073791c1c7709b1728af821a2ce30164cc
Instruction ID: 7baf052f5265c690f0177aaebd602084fca7d82a9bb2afd131f3b76b4a480f3a
Opcode Fuzzy Hash: e6919e15d28fd5391ec30605917731073791c1c7709b1728af821a2ce30164cc
Instruction Fuzzy Hash: 2151DEB1A087119FC748CF29D88055AF7E1FF88314F058A2EE999E7341DB30E959CB96

Function 00E15E86 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
Instruction ID: 589009cb2bb13a2cc6f2c61277be9a64133eeee90e94c99306d8338f3c0f6281
Opcode Fuzzy Hash: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
Instruction Fuzzy Hash: C031C0B2714B158FC714DF28C8511AEBBD0EB99304F145A2EE495E7342C735E98ACB92

Function 00E2F172 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E2F1B6

Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2ED6E
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2ED80
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2ED92
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDA4
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDB6
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDC8
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDDA
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDEC
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EDFE
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EE10
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EE22
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EE34
Part of subcall function 00E2ED51: _free.LIBCMT ref: 00E2EE46

_free.LIBCMT ref: 00E2F1AB

Part of subcall function 00E2BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?), ref: 00E2BB10
Part of subcall function 00E2BAFA: GetLastError.KERNEL32(?,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?,?), ref: 00E2BB22

_free.LIBCMT ref: 00E2F1CD
_free.LIBCMT ref: 00E2F1E2
_free.LIBCMT ref: 00E2F1ED
_free.LIBCMT ref: 00E2F20F
_free.LIBCMT ref: 00E2F222
_free.LIBCMT ref: 00E2F230
_free.LIBCMT ref: 00E2F23B
_free.LIBCMT ref: 00E2F273
_free.LIBCMT ref: 00E2F27A
_free.LIBCMT ref: 00E2F297
_free.LIBCMT ref: 00E2F2AF

Strings

h), xrefs: 00E2F25E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h)
API String ID: 161543041-3328819710
Opcode ID: be1ac3b9fc8aad8224a7e99a83eb6dc25a53913e20833277af3cd259996eb8d9
Instruction ID: 345efb2bb3ca05164575bae72af3ad6fc33c3ef6c4dc70dfa1641c28a3ddb517
Opcode Fuzzy Hash: be1ac3b9fc8aad8224a7e99a83eb6dc25a53913e20833277af3cd259996eb8d9
Instruction Fuzzy Hash: 50315972600325DFEB20AA79F845B9673F9FF41314F606639E45AF7161DF71AC508A20

Function 00E0CE64 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E0CE6B
VariantClear.OLEAUT32(?), ref: 00E0D015

Strings

f, xrefs: 00E0CE88
Windows 10, xrefs: 00E0CFFB
K, xrefs: 00E0CF0D
Name, xrefs: 00E0CFE9
ROOT\CIMV2, xrefs: 00E0CE99
SELECT * FROM Win32_OperatingSystem, xrefs: 00E0CF2C
WQL, xrefs: 00E0CF3E

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: K$Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$f
API String ID: 3629354427-107462878
Opcode ID: b4bcff5e7713923706239bb823eadba76bd5e2ef27ecd39ea0880dde43b89d6c
Instruction ID: e361113ef1d0f5bdbf103658b525daf60257678a8fdfb76ceb016634ecae7961
Opcode Fuzzy Hash: b4bcff5e7713923706239bb823eadba76bd5e2ef27ecd39ea0880dde43b89d6c
Instruction Fuzzy Hash: 85713A70A00219AFDB14DFA5CC98DBFBBB9EF48714B245269F506B72A0CB346D46CB50

Function 00E1B631 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1B656
_wcslen.LIBCMT ref: 00E1B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00E1B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E1B726
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E1B74D

Strings

</html>, xrefs: 00E1B6D7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00E1B680
<html>, xrefs: 00E1B675, 00E1B6AE
utf-8"></head>, xrefs: 00E1B68B

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 3f2758fb28b66a4609a599d63e3d94eb76b1874d1482d2b1d029a9e808491712
Instruction ID: 5584f63d26d7c1da9adb1cb01d6c253986cbe9f69c77dc8952918dcf85d5c117
Opcode Fuzzy Hash: 3f2758fb28b66a4609a599d63e3d94eb76b1874d1482d2b1d029a9e808491712
Instruction Fuzzy Hash: 3C3129722093157EE729AB30EC0AFAF7BDC9F91314F10251EF441B61D2FBA4998483A5

Function 00E1F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00E1FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 00E1FA4C

Part of subcall function 00E14168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E0E084,00000000,.exe,?,?,00000800,?,?,?,00E1AD5D), ref: 00E1417E

GetWindowLongW.USER32(00000000,000000F0), ref: 00E1FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E1FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 00E1FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E1FABC
DeleteObject.GDI32(00000000), ref: 00E1FAC3
GetWindow.USER32(00000000,00000002), ref: 00E1FACC

Strings

STATIC, xrefs: 00E1FA52

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 59f6558fe9ec78f9d5629e2b603cfbc6ac33f772242bf1fa350538ce48d2504c
Instruction ID: 1a7f0e70a08e0c41e16bab234ba2784453701a3a32732e8ed7644894c5139393
Opcode Fuzzy Hash: 59f6558fe9ec78f9d5629e2b603cfbc6ac33f772242bf1fa350538ce48d2504c
Instruction Fuzzy Hash: 812137725453107FE220AB30AC4AFEF36DCAF49748F001426F985F6192DBB89D8586E1

Function 00E2B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2B8C5

Part of subcall function 00E2BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?), ref: 00E2BB10
Part of subcall function 00E2BAFA: GetLastError.KERNEL32(?,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?,?), ref: 00E2BB22

_free.LIBCMT ref: 00E2B8D1
_free.LIBCMT ref: 00E2B8DC
_free.LIBCMT ref: 00E2B8E7
_free.LIBCMT ref: 00E2B8F2
_free.LIBCMT ref: 00E2B8FD
_free.LIBCMT ref: 00E2B908
_free.LIBCMT ref: 00E2B913
_free.LIBCMT ref: 00E2B91E
_free.LIBCMT ref: 00E2B92C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1e530985f3529fc37b23d50014b18cf67d379b1b63fb9dcd4a7b57540d63918
Instruction ID: 4cd1e12444a9c77906986ebadb87647793ad023f5238e57ae117dd3645a6b29e
Opcode Fuzzy Hash: a1e530985f3529fc37b23d50014b18cf67d379b1b63fb9dcd4a7b57540d63918
Instruction Fuzzy Hash: E211B9BA100158BFCB05EF59E992CD93BB5EF04350B0192A5FA1A5F132DB72EE51DB80

Function 00E25451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E25570
___TypeMatch.LIBVCRUNTIME ref: 00E2567E
_UnwindNestedFrames.LIBCMT ref: 00E257D0
CallUnexpected.LIBVCRUNTIME ref: 00E257EB
_abort.LIBCMT ref: 00E257F0

Strings

csm, xrefs: 00E2548E
csm, xrefs: 00E255A7
csm, xrefs: 00E254FB

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 89dc09383486e28e9bae820d7832fef71e66112d214f5edbfd712540b8aa6086
Instruction ID: 8754873f35c5e8d1595f23c338ded958b73b8d4f2559e449019caf360d4c6784
Opcode Fuzzy Hash: 89dc09383486e28e9bae820d7832fef71e66112d214f5edbfd712540b8aa6086
Instruction Fuzzy Hash: BCB1BC72800A29EFCF24DFA4EA819AEB7B5FF14314F14655AE8017B202D731DA61CF91

Function 00E31CDD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E32452,00000000,00000000,00000000,00000000,00000000,?), ref: 00E31D1F
__fassign.LIBCMT ref: 00E31D9A
__fassign.LIBCMT ref: 00E31DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E31DDB
WriteFile.KERNEL32(?,00000000,00000000,R$,00000000,?,?,?,?,?,?,?,?,?,00E32452,00000000), ref: 00E31DFA
WriteFile.KERNEL32(?,00000000,00000001,R$,00000000,?,?,?,?,?,?,?,?,?,00E32452,00000000), ref: 00E31E33

Strings

R$, xrefs: 00E31DEE, 00E31E26, 00E31DF1, 00E31E29

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: R$
API String ID: 1324828854-3750934788
Opcode ID: 46187d056343c6472ece144abfe0ad53354b644994713dd57313a1aa2cdba6c7
Instruction ID: 32df67ae4623bf7dfc64ac3baa11f402d694d5d7d01a74496179a8ca02675357
Opcode Fuzzy Hash: 46187d056343c6472ece144abfe0ad53354b644994713dd57313a1aa2cdba6c7
Instruction Fuzzy Hash: 02518B71A00249AFDB10CFA9DC89AEEBBF8EF09300F14455AE956F7291D731A945CB60

Function 00E1D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01366: GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
Part of subcall function 00E01366: SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

EndDialog.USER32(?,00000001), ref: 00E1D910
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E1D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E1D950
SetWindowTextW.USER32(?,?), ref: 00E1D961
GetDlgItem.USER32(?,00000065), ref: 00E1D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E1D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E1D994

Strings

LICENSEDLG, xrefs: 00E1D8D4

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: f56b86ce5094d3a44a2f7c270616f1e81861a736ba3c3aeb60228b600416367d
Instruction ID: aadba13834e868056390c9f62d9de5ffd82f06f48a6c8dd480791e3ca6643d0b
Opcode Fuzzy Hash: f56b86ce5094d3a44a2f7c270616f1e81861a736ba3c3aeb60228b600416367d
Instruction Fuzzy Hash: 7621BF322082047FD7115F76FC49FBB7BACEB86BC9F005019F640B21A0CAE299459671

Function 00E0BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0BFA3

Part of subcall function 00E134D7: GetSystemTime.KERNEL32(?,00000000), ref: 00E134EF
Part of subcall function 00E134D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00E134FD

Part of subcall function 00E13480: __aulldiv.LIBCMT ref: 00E13489

__aulldiv.LIBCMT ref: 00E0BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 00E0BFD6
_swprintf.LIBCMT ref: 00E0C001

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

_wcslen.LIBCMT ref: 00E0C00B
_swprintf.LIBCMT ref: 00E0C061
_wcslen.LIBCMT ref: 00E0C06B

Strings

%u.%03u, xrefs: 00E0BFF1, 00E0C055

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: 0557b0a0cb01d1f00b3d4dce2bfe01be250f464bd49af7c3d59af55d6aa1d2fe
Instruction ID: 3ef145ed45df4c71f5cb8a564e33763f558f3dcd94ca4de02848721ad675f19b
Opcode Fuzzy Hash: 0557b0a0cb01d1f00b3d4dce2bfe01be250f464bd49af7c3d59af55d6aa1d2fe
Instruction Fuzzy Hash: DA217172A04340AFC614EF75DC86EABB7DCEB94740F545A1DF584E3291DA30D94887A2

Function 00E1CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E1CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E1CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E1CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00E1CC66
_swprintf.LIBCMT ref: 00E1CC85

Strings

%s %s, xrefs: 00E1CC7C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 68d829977ddaacbbe25464697ef7d5f43c3503165d3ed336adfc5ae42acf8659
Instruction ID: 357209a6cc9db3c23fa48839b27fd70c2642c3867f4a9659c3a5fac9f34d593e
Opcode Fuzzy Hash: 68d829977ddaacbbe25464697ef7d5f43c3503165d3ed336adfc5ae42acf8659
Instruction Fuzzy Hash: 3021F9B250024CAEDB21DFA1DD48EEA77BCEB49304F104566BA09E7052E6309A49CB60

Function 00E22360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00E0CEA9,00E0CEAB,00000000,00000000,88F1D862,00000001,00000000,00000000,?,00E0CD87,?,00000004,00E0CEA9,ROOT\CIMV2), ref: 00E223E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00E0CEA9,?,00000000,00000000,?,?,00E0CD87,?,00000004,00E0CEA9), ref: 00E22464
SysAllocString.OLEAUT32(00000000), ref: 00E2246F
_com_issue_error.COMSUPP ref: 00E22498
_com_issue_error.COMSUPP ref: 00E224A2
GetLastError.KERNEL32(80070057,88F1D862,00000001,00000000,00000000,?,00E0CD87,?,00000004,00E0CEA9,ROOT\CIMV2), ref: 00E224A7
_com_issue_error.COMSUPP ref: 00E224BA
GetLastError.KERNEL32(00000000,?,00E0CD87,?,00000004,00E0CEA9,ROOT\CIMV2), ref: 00E224D0
_com_issue_error.COMSUPP ref: 00E224E3

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 9f1b220a1aeebd9bc6a1f9ee4e77c40b62fca8f80cb2ede3e5f84358ad541e5c
Instruction ID: 7373dfaa2ea02394083a47490d3ca7d41c3b01bf167296e893f5377f291b3bb3
Opcode Fuzzy Hash: 9f1b220a1aeebd9bc6a1f9ee4e77c40b62fca8f80cb2ede3e5f84358ad541e5c
Instruction Fuzzy Hash: 5441D671A00325BBDB10EF65EC45BAEBBE8EB48714F10922DF615F7291DB359800CBA5

Function 00E2C06A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E2C0F5
__alldvrm.LIBCMT ref: 00E2C2F6
__alldvrm.LIBCMT ref: 00E2C318

Strings

=z, xrefs: 00E2C2B7
=z, xrefs: 00E2C074
=z, xrefs: 00E2C080, 00E2C0DB, 00E2C0F4, 00E2C27A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: =z$=z$=z
API String ID: 1036877536-137230230
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: c19a6ad68acd13afaecd01170fcad50dea17067cea668de11a96707435243b51
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: 70A179729007A6DFDB25CF58E8927AEBBE4EF11354F3851ADE485BB282C6388D41C750

Function 00E24F20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E24F57
___except_validate_context_record.LIBVCRUNTIME ref: 00E24F5F
_ValidateLocalCookies.LIBCMT ref: 00E24FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E25013
_ValidateLocalCookies.LIBCMT ref: 00E25068

Strings

csm, xrefs: 00E24FFD
M, xrefs: 00E25005, 00E2500E, 00E2501F

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: M$csm
API String ID: 1170836740-3563121880
Opcode ID: 9345b3747ab90b40aff23d2223296dfe0d6f07ceaba590ba51b56ef0002b0880
Instruction ID: 056c9563868c7b9945104d131ff34cac39ca9b0ea99064c2a6fba10b19cced14
Opcode Fuzzy Hash: 9345b3747ab90b40aff23d2223296dfe0d6f07ceaba590ba51b56ef0002b0880
Instruction Fuzzy Hash: C641E374A00228AFCF10DF28E984A9EBFF5BF44328F14A156F8147B392C731A905CB90

Function 00E132F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E1331D

Part of subcall function 00E0D076: GetVersionExW.KERNEL32(?), ref: 00E0D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E13340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E13352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E13363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E13373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E13383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00E133BE
__aullrem.LIBCMT ref: 00E13464

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 6058f9291d7d8b0c396696d5a0054d7e1e80bb7a3bc298c4e7a3919a3dba28f9
Instruction ID: 7479ace040f262bceb31491c7aa9025cf9b76cf232853eb1beb10701f57e684e
Opcode Fuzzy Hash: 6058f9291d7d8b0c396696d5a0054d7e1e80bb7a3bc298c4e7a3919a3dba28f9
Instruction Fuzzy Hash: D7512AB1508345AFC710DF65C8849ABFBE9FF88714F40892EF596D2210E735E649CB52

Function 00E1BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1BC8A

Strings

>, xrefs: 00E1BCCB
<br>, xrefs: 00E1BD7E
</style>, xrefs: 00E1BDD2
</p>, xrefs: 00E1BD68
<style>, xrefs: 00E1BDB0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: a22e62bdd4ace21820f6004c1ae4c663eadb008262a4a5e251c2f133f02c34a9
Instruction ID: 810877697b6eef769d07c8389a1bbd2072f88c5cfce2fcec5c223f45b435ae23
Opcode Fuzzy Hash: a22e62bdd4ace21820f6004c1ae4c663eadb008262a4a5e251c2f133f02c34a9
Instruction Fuzzy Hash: 4D51197674036796DB385A19A8117F673E0DFA0798F68242AFDC0BB2C0FB658CC18251

Function 00E0ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E0AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00E0AD4A

Part of subcall function 00E0E208: _wcslen.LIBCMT ref: 00E0E210

Part of subcall function 00E14168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E0E084,00000000,.exe,?,?,00000800,?,?,?,00E1AD5D), ref: 00E1417E

_swprintf.LIBCMT ref: 00E0ADEC

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

MoveFileW.KERNEL32(?,?), ref: 00E0AE5E
MoveFileW.KERNEL32(?,?), ref: 00E0AE9E

Strings

rtmp%d, xrefs: 00E0ADD5

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: 182d1798c69db9d3e22f3848e8ea1d6e6fa079d9491265243d1225def332a77d
Instruction ID: af659ba7f16a61a140fa6c18ff35c7a8eea7340ecf1174e8f73bba7d180adad6
Opcode Fuzzy Hash: 182d1798c69db9d3e22f3848e8ea1d6e6fa079d9491265243d1225def332a77d
Instruction Fuzzy Hash: CA515C7190065CAADB20EBA0CC89EEF77BCAF04345F0818B9B555B3191EB349AC5DF61

Function 00E1BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00E1BE8A
GetWindowRect.USER32(?,?), ref: 00E1BED1
ShowWindow.USER32(?,00000005,00000000), ref: 00E1BF6C
SetWindowTextW.USER32(?,00000000), ref: 00E1BF74
ShowWindow.USER32(00000000,00000005), ref: 00E1BF8A

Strings

RarHtmlClassName, xrefs: 00E1BF31

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 5a437e14e1874bb5cbf950b44dac9e0bd05b8a29917c1c849eee7202675b4fcf
Instruction ID: 04cb97a141342199dfb122296f00e2f68615c738c309b112e20dada45bca5270
Opcode Fuzzy Hash: 5a437e14e1874bb5cbf950b44dac9e0bd05b8a29917c1c849eee7202675b4fcf
Instruction Fuzzy Hash: 2A41D372109304AFCB109F64EC48B9B7BE8EF4D754F05555AF989BA162CB70D884CFA1

Function 00E1B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1B8DE
_wcslen.LIBCMT ref: 00E1B913

Strings

, xrefs: 00E1B930
<br>, xrefs: 00E1B95F
 , xrefs: 00E1B9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00E1B907

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: c4eedabb6d42b5f1b54fad4c7ac101b96f71533b8bc481283fa105befe97036e
Instruction ID: 9d30438cfed7735e9fb6c0624d0c5da4de8eda71d7921f3dfe953ce57cb3e710
Opcode Fuzzy Hash: c4eedabb6d42b5f1b54fad4c7ac101b96f71533b8bc481283fa105befe97036e
Instruction Fuzzy Hash: A031297264430956D634AB54AC42BFBB3E4FBD0324F60552EFA95B72C0FB51ACC683A1

Function 00E2EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E2EEB8: _free.LIBCMT ref: 00E2EEE1

_free.LIBCMT ref: 00E2EF42

Part of subcall function 00E2BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?), ref: 00E2BB10
Part of subcall function 00E2BAFA: GetLastError.KERNEL32(?,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?,?), ref: 00E2BB22

_free.LIBCMT ref: 00E2EF4D
_free.LIBCMT ref: 00E2EF58
_free.LIBCMT ref: 00E2EFAC
_free.LIBCMT ref: 00E2EFB7
_free.LIBCMT ref: 00E2EFC2
_free.LIBCMT ref: 00E2EFCD

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 9d8d3ca819e861f2f85571617e0845b25b5f7d3951a6ae177f425a26be0dac3f
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: 5711FC72940B24AAE520F7B1EC06FCB77EC7F04700F415D1AF2AB762A2DB75A5054654

Function 00E08C95 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00E08CB2
GetLastError.KERNEL32 ref: 00E08CF6
CloseHandle.KERNEL32(?), ref: 00E08D05

Strings

J, xrefs: 00E08CEC
^, xrefs: 00E08CD7
@, xrefs: 00E08CB9

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CloseCurrentErrorHandleLastProcess
String ID: @$J$^
API String ID: 1009092642-3858163224
Opcode ID: 601f8fcf6270fbe707a6e7ce081236542210a2e477b4b025b68ceb29281c0399
Instruction ID: 3f20435e2c1895d06dc7835ff114e0a8f2f786e2b2557422018b4870423c54de
Opcode Fuzzy Hash: 601f8fcf6270fbe707a6e7ce081236542210a2e477b4b025b68ceb29281c0399
Instruction Fuzzy Hash: C00129B0601209AFDB109FB6DD8EBBFBBBCEB14348F405429F541F2190DA709D488AB0

Function 00E20ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E20B46,00E20AA9,00E20D4A), ref: 00E20AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E20AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E20B0D

Strings

AcquireSRWLockExclusive, xrefs: 00E20AF2
KERNEL32.DLL, xrefs: 00E20ADD
ReleaseSRWLockExclusive, xrefs: 00E20B02

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 48a6ece69ecfd806bc62f8848ad96ce3f7c516a937d36984d9ce2a62282ef2f9
Instruction ID: 031589a824b1f6450ec0785e14ec556d4f881834776db393d6b0d038b8e53f92
Opcode Fuzzy Hash: 48a6ece69ecfd806bc62f8848ad96ce3f7c516a937d36984d9ce2a62282ef2f9
Instruction Fuzzy Hash: 12F0AF323517329F4B309FB57D8E56B26C89B1139D7742439E541F21C2EA908C85D6E0

Function 00E1418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E14192
_wcslen.LIBCMT ref: 00E141A3
_wcslen.LIBCMT ref: 00E141B3
_wcslen.LIBCMT ref: 00E141C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E0D2D3,?,?,00000000,?,?,?), ref: 00E141DC

Strings

<, xrefs: 00E141DC

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 3c5812d6a54c0bef7d1568a486b125847a27fd03f498817edc58b75960d1d2c2
Instruction ID: 0d10035264c4cedb561b82552d9cf8e459fefb542c62ce468b588e112c682a71
Opcode Fuzzy Hash: 3c5812d6a54c0bef7d1568a486b125847a27fd03f498817edc58b75960d1d2c2
Instruction Fuzzy Hash: EEF06732108068BFCF122F51EC09CCA3F66EB90770B219101F6296A0A1CA3299A19AD0

Function 00E2B160 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2B17E

Part of subcall function 00E2BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?), ref: 00E2BB10
Part of subcall function 00E2BAFA: GetLastError.KERNEL32(?,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?,?), ref: 00E2BB22

_free.LIBCMT ref: 00E2B190
_free.LIBCMT ref: 00E2B1A3
_free.LIBCMT ref: 00E2B1B4
_free.LIBCMT ref: 00E2B1C5

Strings

p,, xrefs: 00E2B174

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p,
API String ID: 776569668-2703748495
Opcode ID: e3a563d1ebd00d01bc7a7ff4e4e742838c8ed37ee9f4835abcbf0a75a7dd1e3d
Instruction ID: c0d2ff14c98a4680082a92d458ac43f13eae6328985658d9c6e661fdb9a79aed
Opcode Fuzzy Hash: e3a563d1ebd00d01bc7a7ff4e4e742838c8ed37ee9f4835abcbf0a75a7dd1e3d
Instruction Fuzzy Hash: A0F017F48212209F8B42AB17FC1248A3BA5F715769340620BF52672270CBB3181A8F90

Function 00E13583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00E135E6

Part of subcall function 00E0D076: GetVersionExW.KERNEL32(?), ref: 00E0D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E1360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E13624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E13637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E13647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E13657

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 475295e362e689436137283303431a68f1d299a17495018db7d8208c2460414e
Instruction ID: f74b45b435c8c4b4e402aebf20ced9f164d253bbe2e88c697a19d689d1e06e89
Opcode Fuzzy Hash: 475295e362e689436137283303431a68f1d299a17495018db7d8208c2460414e
Instruction Fuzzy Hash: 71413C76108305AFCB04DFA9C88499BBBE8FF98704F04991EF999D7210E730D549CBA6

Function 00E2511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E25111,00E24ECC,00E221B4), ref: 00E25128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E25136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E2514F
SetLastError.KERNEL32(00000000,00E25111,00E24ECC,00E221B4), ref: 00E251A1

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 68b45fc4d851bb1fdc60e77dee8d0f99248338292aea8eb5bf8287d807a9652b
Instruction ID: 6196a3bde5ec2c630f7d210a107e9989e3dd538c5e2521fbc1a1b2811ace437c
Opcode Fuzzy Hash: 68b45fc4d851bb1fdc60e77dee8d0f99248338292aea8eb5bf8287d807a9652b
Instruction Fuzzy Hash: 1D01FC3711AF316EA6251775BD8A7662BD4EB42374BA0332EF110B50E0EF714C659184

Function 00E2B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E450C4,00E26E12,00E450C4,?,?,00E2688D,?,?,00E450C4), ref: 00E2B9A9
_free.LIBCMT ref: 00E2B9DC
_free.LIBCMT ref: 00E2BA04
SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BA11
SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BA1D
_abort.LIBCMT ref: 00E2BA23

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d6df4814e6e467f4c0a7b543c15a317cdb1ad31c7d4976449894b56cee39c6a3
Instruction ID: 97d39285372be1d5f2e23f70948fd1b602df8287034abca3656aa8f54a10fb2a
Opcode Fuzzy Hash: d6df4814e6e467f4c0a7b543c15a317cdb1ad31c7d4976449894b56cee39c6a3
Instruction Fuzzy Hash: 1AF028361446317BC61AB3367C0FBAB3BAA8FC1734F292515F715F2192EF628C065020

Function 00E2004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E20059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E20073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E20084
TranslateMessage.USER32(?), ref: 00E2008E
DispatchMessageW.USER32(?), ref: 00E20098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E200A3

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: dadda427880db053fd6385ca122477ed5ebf2f123094720201bf3b36f6e2098e
Instruction ID: 171691b3dae47df39a8b9a080ce85af9da407587adfb5599371dcde0b663a3b4
Opcode Fuzzy Hash: dadda427880db053fd6385ca122477ed5ebf2f123094720201bf3b36f6e2098e
Instruction Fuzzy Hash: 7AF01972A01229BACA205BA2EC4DECB7E6DEB41795F008411F54AE2091D6648549CAB0

Function 00E13748 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E13910
_swprintf.LIBCMT ref: 00E139BF

Strings

%s: %s, xrefs: 00E1391F
{, xrefs: 00E13748
%ls, xrefs: 00E13795, 00E137AB

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s${
API String ID: 589789837-3648917259
Opcode ID: 4bedc9bdae59ef003dde9f1adbdd3ef53bbd3f180f35b8ec200aec298ba0f6e1
Instruction ID: f6273b78a3a90446c7917408575c736d2d41f4c0a30d4278a885b215bd90fad1
Opcode Fuzzy Hash: 4bedc9bdae59ef003dde9f1adbdd3ef53bbd3f180f35b8ec200aec298ba0f6e1
Instruction Fuzzy Hash: ED51D8F5248305FAF6211BB48D46FFABAA5BB05F00F20A507B387740D5C6E297D0AB12

Function 00E0E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00E12663: _wcslen.LIBCMT ref: 00E12669

Part of subcall function 00E0D848: _wcsrchr.LIBVCRUNTIME ref: 00E0D85F

_wcslen.LIBCMT ref: 00E0E105
_wcslen.LIBCMT ref: 00E0E14D

Strings

.rar, xrefs: 00E0E04F, 00E0E0A2
.sfx, xrefs: 00E0E088
.exe, xrefs: 00E0E079

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 1e4458a188033b2f839f153a923de891cd7d8746b2da84112e6aa9096af70903
Instruction ID: ad7fd1813fd51b7b4d16ed136e36f15d3927a5d21f3303209b6102fdbd477ec9
Opcode Fuzzy Hash: 1e4458a188033b2f839f153a923de891cd7d8746b2da84112e6aa9096af70903
Instruction Fuzzy Hash: D1411232501711A6C732AF348846ABBB7A8EF41748F14AD2EF9D1BB2C0E7A19DC1D351

Function 00E0DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00E0BD19,?,?,00000800,?,?,?,00E0BCD4), ref: 00E0DB02
_wcslen.LIBCMT ref: 00E0DB70

Strings

UNC, xrefs: 00E0DAE8
\\?\, xrefs: 00E0DA90, 00E0DADC, 00E0DB38, 00E0DB87

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: aa7d8138f53b983c02e5aab21f8bc47f90f8ee463303f7ffe1d6e06498538ee9
Instruction ID: 2495cc8c60add7c6ffed8432f3239ffaae6ee646e99c6cd0a4d01db22cb2f0be
Opcode Fuzzy Hash: aa7d8138f53b983c02e5aab21f8bc47f90f8ee463303f7ffe1d6e06498538ee9
Instruction Fuzzy Hash: 7941E431508341AADA20ABA08C85EFFB7FCAF95754F01685DF5D4B31C1EBA498D4CB62

Function 00E010E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E01136
_wcslen.LIBCMT ref: 00E0115A
_wcslen.LIBCMT ref: 00E01187
_wcslen.LIBCMT ref: 00E011AC

Strings

%, xrefs: 00E01227

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen
String ID: %
API String ID: 176396367-3325620792
Opcode ID: b257142cd29fead2c9b441f6fb582768bb068b6d3eb03558b143a9677c2efa6d
Instruction ID: 17f2f2a43a24eac3fafcad08b69dabf238cefb0fc8d628652359c8810390f8bb
Opcode Fuzzy Hash: b257142cd29fead2c9b441f6fb582768bb068b6d3eb03558b143a9677c2efa6d
Instruction Fuzzy Hash: 9E41AF719047519FC725DF38994599FBBE8FF85304F00092DF999E3291EB30E9498BA2

Function 00E1D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00E1D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00E1DA12
DeleteObject.GDI32(00000000), ref: 00E1DA44
DeleteObject.GDI32(00000000), ref: 00E1DA67

Part of subcall function 00E1C652: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C665
Part of subcall function 00E1C652: SizeofResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C67C
Part of subcall function 00E1C652: LoadResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C693
Part of subcall function 00E1C652: LockResource.KERNEL32(00000000,?,?,?,00E1DA3D,00000066), ref: 00E1C6A2
Part of subcall function 00E1C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E1DA3D,00000066), ref: 00E1C6BD
Part of subcall function 00E1C652: GlobalLock.KERNEL32(00000000), ref: 00E1C6CE
Part of subcall function 00E1C652: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E1C6F2
Part of subcall function 00E1C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E1C737
Part of subcall function 00E1C652: GlobalUnlock.KERNEL32(00000000), ref: 00E1C756
Part of subcall function 00E1C652: GlobalFree.KERNEL32(00000000), ref: 00E1C75D

Strings

], xrefs: 00E1DA1A

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: c11ddc6006f8e02dfed8243880f720bdd956369860a03f473db2e9f2b002348e
Instruction ID: 10bfc480fb8f9ca9447d6961bb8b66a10244ed01824b4a5107ab28afa5bd7a2b
Opcode Fuzzy Hash: c11ddc6006f8e02dfed8243880f720bdd956369860a03f473db2e9f2b002348e
Instruction Fuzzy Hash: 1301D6365882116BC712A7755C05AFF3ABA9F81BA5F281010F804F7291DF718C8996B1

Function 00E1F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E01366: GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
Part of subcall function 00E01366: SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

EndDialog.USER32(?,00000001), ref: 00E1F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E1F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E1F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 00E1F9D4

Strings

RENAMEDLG, xrefs: 00E1F968

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 542b3e865651e5d19f073de11e0eff106967c20d634eb3071d19e9e6879672e4
Instruction ID: 29eb6f1d96e50d5ee92f8f49395817cb1637b35784a5a498ee33bf7c7745991e
Opcode Fuzzy Hash: 542b3e865651e5d19f073de11e0eff106967c20d634eb3071d19e9e6879672e4
Instruction Fuzzy Hash: F90128337453107FD2116BA5AD09FE7BB5CFB8A785F105422F241B50D0C6E2994887B1

Function 00E2A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E2A676,?,?,00E2A616,?,00E3F7B0,0000000C,00E2A76D,?,00000002), ref: 00E2A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E2A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,00E2A676,?,?,00E2A616,?,00E3F7B0,0000000C,00E2A76D,?,00000002,00000000), ref: 00E2A71B

Strings

CorExitProcess, xrefs: 00E2A6F0
mscoree.dll, xrefs: 00E2A6DE

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5f6de1c75739f6a6fd64ee56f748887a873962b369240f10edcefa8e57c50425
Instruction ID: 81d3a777baa5ec904d245dacd6290deed9fe852585a4875922badd71698f8080
Opcode Fuzzy Hash: 5f6de1c75739f6a6fd64ee56f748887a873962b369240f10edcefa8e57c50425
Instruction Fuzzy Hash: 34F08130900218BFCB109FB1EC4DBAEBFB5EB04705F04406AF805B2161CB715D44CA90

Function 00E01366 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00E10244: _swprintf.LIBCMT ref: 00E10284
Part of subcall function 00E10244: _strlen.LIBCMT ref: 00E102A5
Part of subcall function 00E10244: SetDlgItemTextW.USER32(?,00E42274,?), ref: 00E102FE
Part of subcall function 00E10244: GetWindowRect.USER32(?,?), ref: 00E10334
Part of subcall function 00E10244: GetClientRect.USER32(?,?), ref: 00E10340

GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

Strings

pP, xrefs: 00E013CB
pP, xrefs: 00E0137B
0, xrefs: 00E01369

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$pP$pP
API String ID: 2622349952-623278422
Opcode ID: 3f8a5c52a55bdd10fb30e0d583c39feba58f505fffb508967be5edc1d9b56525
Instruction ID: c1579789b8fa9dd2f5268ec9e23e42cb51298d2c1bea39221b0ef9b1b41ef6af
Opcode Fuzzy Hash: 3f8a5c52a55bdd10fb30e0d583c39feba58f505fffb508967be5edc1d9b56525
Instruction Fuzzy Hash: D5F03130144248ABDF151F62BC0DBEA3BA8AB05358F05A194FC85799E2CBB8C5D4DA50

Function 00E112F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E128AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E128D4
Part of subcall function 00E128AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E11309,Crypt32.dll,00000000,00E11383,00000200,?,00E11366,00000000,00000000,?), ref: 00E128F4

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E11315
GetProcAddress.KERNEL32(00E4C1F0,CryptUnprotectMemory), ref: 00E11325

Strings

CryptProtectMemory, xrefs: 00E1130F
Crypt32.dll, xrefs: 00E112FF
CryptUnprotectMemory, xrefs: 00E1131B

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 272d114f6bd3314dffb05a74ded4b463aaa21a1efdbb831673ac9708fc5cc35d
Instruction ID: d1fc4f69bfadf570ceb511c645686e288eaea9d28be238a0ae927b21c8817655
Opcode Fuzzy Hash: 272d114f6bd3314dffb05a74ded4b463aaa21a1efdbb831673ac9708fc5cc35d
Instruction Fuzzy Hash: 9EE08670A50715BED7316F35990D7827EE45F24704F45D85DE1D5B3550DAB4D480CB20

Function 00E251FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E252C1
___AdjustPointer.LIBCMT ref: 00E252E4
_abort.LIBCMT ref: 00E25332
___AdjustPointer.LIBCMT ref: 00E25380

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 5a2a0a946d1de6fc31130157d141a4cfd18642ce9c3c146ae2bccbff9d8acd79
Instruction ID: 314437d2f186e86edc9b60c71e05205ff47db7518b8a0b65e3802d4d77017529
Opcode Fuzzy Hash: 5a2a0a946d1de6fc31130157d141a4cfd18642ce9c3c146ae2bccbff9d8acd79
Instruction Fuzzy Hash: A051A073600A26EFDB29CF50FA41BAA77A4FF44754F146529E801A72A5D7B1EC40CB90

Function 00E2E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E2E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2E5AC

Part of subcall function 00E2BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E26A24,?,0000015D,?,?,?,?,00E27F00,000000FF,00000000,?,?), ref: 00E2BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E2E5D2
_free.LIBCMT ref: 00E2E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E2E5F4

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3c0f6d1559a3ad346823ee3a19ea9903cf2d2f14a2f6ba2be222dff40c2b5ed6
Instruction ID: 9267d5efef2979209b2dbb23325cca9b7aeb903545251952c807771b284fc71d
Opcode Fuzzy Hash: 3c0f6d1559a3ad346823ee3a19ea9903cf2d2f14a2f6ba2be222dff40c2b5ed6
Instruction Fuzzy Hash: 0501B1726122357F272156777C4DC7B6A6DEEC3B683180129B809E2201EF718D0181B0

Function 00E2BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E2BC80,00E2D7D8,?,00E2B9D3,00000001,00000364,?,00E2688D,?,?,00E450C4), ref: 00E2BA2E
_free.LIBCMT ref: 00E2BA63
_free.LIBCMT ref: 00E2BA8A
SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BA97
SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BAA0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9c78e75503b8d8f1d28e508117c59f30db47e8501c42916aab45fe6e71b98506
Instruction ID: 2e79f457d520d2d5dacc2f6c7cf245493da5ee9adee2612dba529a5274ab930d
Opcode Fuzzy Hash: 9c78e75503b8d8f1d28e508117c59f30db47e8501c42916aab45fe6e71b98506
Instruction Fuzzy Hash: 290149B6144A31BF8619E7357C8A95B37AEDBC13753212024F61AB2151EF618C055120

Function 00E12FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00E132AF: ResetEvent.KERNEL32(?), ref: 00E132C1
Part of subcall function 00E132AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E132D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,88F1D862,?,?,00000001,?,00E352FF,000000FF,?,00E143C0,?,00000000,?,00E04766), ref: 00E13007
CloseHandle.KERNEL32(?,?,?,00E143C0,?,00000000,?,00E04766,?,?,?,00000000,?,?,?,00000001), ref: 00E13021
DeleteCriticalSection.KERNEL32(?,?,00E143C0,?,00000000,?,00E04766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E1303A
CloseHandle.KERNEL32(?,?,00E143C0,?,00000000,?,00E04766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E13046
CloseHandle.KERNEL32(?,?,00E143C0,?,00000000,?,00E04766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E13052

Part of subcall function 00E130CA: WaitForSingleObject.KERNEL32(?,000000FF,00E131E7,?,?,00E1325F,?,?,?,?,?,00E13249), ref: 00E130D0
Part of subcall function 00E130CA: GetLastError.KERNEL32(?,?,00E1325F,?,?,?,?,?,00E13249), ref: 00E130DC

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: d460386ee67723f64da962215c7ff260adbcd9382dbd87f69cfe5bb8febfe12d
Instruction ID: a8c3572d152d045d2d4859710560a662a1d4b66e5af3282a1fa420ede8817afe
Opcode Fuzzy Hash: d460386ee67723f64da962215c7ff260adbcd9382dbd87f69cfe5bb8febfe12d
Instruction Fuzzy Hash: E4116176500748FFC7269F75DC89BC6BBF9FB08710F004929F166A2160CB756A48CB50

Function 00E2EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2EE67

Part of subcall function 00E2BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?), ref: 00E2BB10
Part of subcall function 00E2BAFA: GetLastError.KERNEL32(?,?,00E2EEE6,?,00000000,?,00000000,?,00E2EF0D,?,00000007,?,?,00E2F30A,?,?), ref: 00E2BB22

_free.LIBCMT ref: 00E2EE79
_free.LIBCMT ref: 00E2EE8B
_free.LIBCMT ref: 00E2EE9D
_free.LIBCMT ref: 00E2EEAF

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe9d708e9116dd73197d2a7758650d8b8e168ed57f47ab9824ef75ff765db04a
Instruction ID: 4307f7a6e2d16fcce4089765898c85eba508afc6722f710323a84858f96c4ad1
Opcode Fuzzy Hash: fe9d708e9116dd73197d2a7758650d8b8e168ed57f47ab9824ef75ff765db04a
Instruction Fuzzy Hash: D1F06272500230AFC661EB6AF481C8A73EABB01310795280DF01EF7650CB71FC808A60

Function 00E1C79C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00E1C629: GetDC.USER32(00000000), ref: 00E1C62D
Part of subcall function 00E1C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E1C638
Part of subcall function 00E1C629: ReleaseDC.USER32(00000000,00000000), ref: 00E1C643

GetObjectW.GDI32(?,00000018,?), ref: 00E1C7E0

Part of subcall function 00E1CA67: GetDC.USER32(00000000), ref: 00E1CA70
Part of subcall function 00E1CA67: GetObjectW.GDI32(?,00000018,?), ref: 00E1CA9F
Part of subcall function 00E1CA67: ReleaseDC.USER32(00000000,?), ref: 00E1CB37

Strings

f, xrefs: 00E1C82F
(, xrefs: 00E1C935

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: ($f
API String ID: 1061551593-4043270135
Opcode ID: be1106a10bd1c256fb57f04999da3f7097e90bb4d6f2894f5a265b06bf609e6e
Instruction ID: 12e734deb5448658a34a38b77dc7f0a9681628ed517482dcddcfb43f94ef403c
Opcode Fuzzy Hash: be1106a10bd1c256fb57f04999da3f7097e90bb4d6f2894f5a265b06bf609e6e
Instruction Fuzzy Hash: 9391F571608354AFD610DF25C848D6BBBE8FFC9704F10495EF88AE7260CB71A945CB62

Function 00E2A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hKgrI6tqYx.exe,00000104), ref: 00E2A800
_free.LIBCMT ref: 00E2A8CB
_free.LIBCMT ref: 00E2A8D5

Strings

C:\Users\user\Desktop\hKgrI6tqYx.exe, xrefs: 00E2A7F7, 00E2A7FE, 00E2A82D, 00E2A865

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\hKgrI6tqYx.exe
API String ID: 2506810119-3756829554
Opcode ID: a193edf1d77df3535391536190bd83e1e7ae914236e6550085996bcd91518ca4
Instruction ID: 9158840c2f0694be1eff5ab7252ef7b4bba64ef7e4d566357c823377c1ea4c74
Opcode Fuzzy Hash: a193edf1d77df3535391536190bd83e1e7ae914236e6550085996bcd91518ca4
Instruction Fuzzy Hash: CC31A271A00228EFDB29DB99EC8999EBBFCEB84304F185077F504B7211D6705A41DBA1

Function 00E257F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E2581B
_abort.LIBCMT ref: 00E25926

Strings

MOC, xrefs: 00E2582D
RCC, xrefs: 00E25835

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: ea7fa38849e174410224058bfb77fc36845243bbbfb7cde08fc220433521f2cd
Instruction ID: ab39e119f1561ae055f74ecbc6b747dd9b1caccc2bf7d744cea0d4c7cf12f618
Opcode Fuzzy Hash: ea7fa38849e174410224058bfb77fc36845243bbbfb7cde08fc220433521f2cd
Instruction Fuzzy Hash: 81417832900619EFCF19CF94EE81AAEBBB5FF48318F189069F914B7211D37599A0DB50

Function 00E0F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00E0F82D
_strncpy.LIBCMT ref: 00E0F871

Part of subcall function 00E13F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00E0F801,00000000,00000000,?,00E45070,?,00E0F801,?,?,00000050,?), ref: 00E13F64

Strings

$%s, xrefs: 00E0F822
@%s, xrefs: 00E0F817

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: bcc208d4fcc7542b6cc21917947b633781c8093e01da3bf98bc558ee13b48901
Instruction ID: 8eb672959806582f09e52a79121e1ab5fb48cacb9de90d6ec67fb04404a227e1
Opcode Fuzzy Hash: bcc208d4fcc7542b6cc21917947b633781c8093e01da3bf98bc558ee13b48901
Instruction Fuzzy Hash: 7D217C72900348ABDB24DEA4CC06FEE77E8BB15300F04652AFA21B6591E771E965CB60

Function 00E1CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E01366: GetDlgItem.USER32(00000000,00003021), ref: 00E013AA
Part of subcall function 00E01366: SetWindowTextW.USER32(00000000,00E365F4), ref: 00E013C0

EndDialog.USER32(?,00000001), ref: 00E1CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E1CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E1CE52

Strings

ASKNEXTVOL, xrefs: 00E1CDB8

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: b1365f95836033b7680258078f235540fba36ddd2aa89615ddc9303ad6ea305c
Instruction ID: 40df8947fb05a8e91210aba3f0f03738df652ed14fb9920771a993bc25a23457
Opcode Fuzzy Hash: b1365f95836033b7680258078f235540fba36ddd2aa89615ddc9303ad6ea305c
Instruction Fuzzy Hash: 6211D633384201AFD6119B69EC09FF77BA9FF4AB84F101010F241FA1A4C7A159858765

Function 00E12F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E0CAA0,00000008,00000004,00E0F1F0,?,00000000), ref: 00E12F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E0CAA0,00000008,00000004,00E0F1F0,?,00000000), ref: 00E12F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E0CAA0,00000008,00000004,00E0F1F0,?,00000000), ref: 00E12F7B

Strings

Thread pool initialization failed., xrefs: 00E12F93

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: e2e589ba08f7cc84dc93dd5c45d4f0104fbf12d2a6589550c2fcbeb24823ae9b
Instruction ID: 2896022eda532a9931ae3222ff503e77006529078098894276b6f32f32ec4e45
Opcode Fuzzy Hash: e2e589ba08f7cc84dc93dd5c45d4f0104fbf12d2a6589550c2fcbeb24823ae9b
Instruction Fuzzy Hash: 781182B1604708AFC3315F769C89997FBEDEB99744F10582EF1DAA6200D67159818B50

Function 00E200EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00E20143
REPLACEFILEDLG, xrefs: 00E2012E, 00E20162

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: fce3095b6bda4245f62a3a5988f91ec0c49d69eed22ec3e7671ec8824af1bf07
Instruction ID: c451ef3251209b9d80c8b77728b1044c52201dafb8f781935179c31266b88637
Opcode Fuzzy Hash: fce3095b6bda4245f62a3a5988f91ec0c49d69eed22ec3e7671ec8824af1bf07
Instruction Fuzzy Hash: 4C01247560A224AFC7514F26FC44AA77FB4FB49394F141025F901B32B1C3718C69DBA0

Function 00E04B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00E04B42

Part of subcall function 00E2106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E21079
Part of subcall function 00E2106D: ___delayLoadHelper2@8.DELAYIMP ref: 00E2109F

std::_Xinvalid_argument.LIBCPMT ref: 00E04B4D

Strings

vector too long, xrefs: 00E04B48
string too long, xrefs: 00E04B3D

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: ae9dbfc15747bd679502a81f355ed314ffeb608183f7e4c0a0f93df3802e005d
Instruction ID: c58fff1e27fcef03964a9c3745de48e6665f2076d89c1255637f57906814818e
Opcode Fuzzy Hash: ae9dbfc15747bd679502a81f355ed314ffeb608183f7e4c0a0f93df3802e005d
Instruction Fuzzy Hash: 11F0A7B12007547B87346F59EC4AC4AB7EDEF94B50B10251AFA45E3581C3B0ED84CBB1

Function 00E0C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00E09343,?,?,?), ref: 00E0C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00E09343,?,?), ref: 00E0C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00E09343,?,?,?,?,?,?,?,?), ref: 00E0C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00E09343,?,?,?,?,?,?,?,?,?,?), ref: 00E0C2B6

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: cd47007450949996298eff5c6f6b7046f201efb81a1fc621fb0d55365a8e34ac
Instruction ID: 0697b8f9ba352f9b01d4d1ac425fe7fdd18a8785c7d15c53bac78d8dc7b909c5
Opcode Fuzzy Hash: cd47007450949996298eff5c6f6b7046f201efb81a1fc621fb0d55365a8e34ac
Instruction Fuzzy Hash: 3041E430248385AEE320DF74DC45FABBBE8AF89704F141A1DB5D1E71D1D664DA8C8B52

Function 00E0BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E0BD93
_wcslen.LIBCMT ref: 00E0BDB6
_wcslen.LIBCMT ref: 00E0BE4C
_wcslen.LIBCMT ref: 00E0BEB1

Part of subcall function 00E0C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00E087BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E0C3A5

Part of subcall function 00E0BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 00E0BC1C
Part of subcall function 00E0BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 00E0BC48

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: abad55e3c5af3161aff375d126f3e15d8e41e2b8b3072317f1cc35a876ebaf46
Instruction ID: 23b4e50d077ab28d2d0d9ecc1a97053824c97c8fa6c3f3df398a358384d1dd48
Opcode Fuzzy Hash: abad55e3c5af3161aff375d126f3e15d8e41e2b8b3072317f1cc35a876ebaf46
Instruction Fuzzy Hash: CE41097250439496CB30EB64D8459EBB3E9BF84304F54681EEA85B31C1EB74ADCAC7A1

Function 00E0849E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000800,?,?,88F1D862,00000000,?,00000000), ref: 00E08596

Part of subcall function 00E08C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E08CB2
Part of subcall function 00E08C95: GetLastError.KERNEL32 ref: 00E08CF6
Part of subcall function 00E08C95: CloseHandle.KERNEL32(?), ref: 00E08D05

Strings

SeRestorePrivilege, xrefs: 00E08531
T, xrefs: 00E08557, 00E0857A
SeSecurityPrivilege, xrefs: 00E0851C

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege$T
API String ID: 1245819386-1848529312
Opcode ID: ce74a6dad1846631b674ef8246b39d132992f1888b4a79ee15ad547b8760bc02
Instruction ID: 4dd9f94be1afc580ead4781dcc190cc5b0764554eb8408946f3b1b61a731741e
Opcode Fuzzy Hash: ce74a6dad1846631b674ef8246b39d132992f1888b4a79ee15ad547b8760bc02
Instruction Fuzzy Hash: CA41B271A04248AFDF21DF649D45BEE77E8EB49308F04106EF585B72C1DB745E84CA61

Function 00E2EFD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E27F99,?,00E27F99,?,00000001,?,?,00000001,00E27F99,00E27F99), ref: 00E2F025
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E2F0AE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E2F0C0
__freea.LIBCMT ref: 00E2F0C9

Part of subcall function 00E2BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E26A24,?,0000015D,?,?,?,?,00E27F00,000000FF,00000000,?,?), ref: 00E2BCC0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: dcd4dd03bb261f0b2345d794aa527582e3d2df99f967fa8fd0603ca0df542f92
Instruction ID: 670a5d5ac0043c3da47b49e6adfa48c7c478972e709982d3df77b1bb62a0d2d4
Opcode Fuzzy Hash: dcd4dd03bb261f0b2345d794aa527582e3d2df99f967fa8fd0603ca0df542f92
Instruction Fuzzy Hash: DE31BC72A0022AABDF249F65EC45DAE7BB5EB40714B044239FC04A7192EB35DD54CBA0

Function 00E1C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E1C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E1C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E1C613
ReleaseDC.USER32(00000000,00000000), ref: 00E1C621

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f4179779463c3b66574c5701af24861c86407c28f5469d7d513d49959b19f539
Instruction ID: da0cdd5148a06916736ac85e432dedde7e7f6a9140a4fb94770367c655eb8a65
Opcode Fuzzy Hash: f4179779463c3b66574c5701af24861c86407c28f5469d7d513d49959b19f539
Instruction Fuzzy Hash: 9DE0EC3599E660AFD3A11B62BC1DF973B54EB1AB97F140106F641B6290CAB444498FE0

Function 00E2D808 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E2D974

Part of subcall function 00E26676: IsProcessorFeaturePresent.KERNEL32(00000017,00E26648,00000000,00E2B5F4,00000000,00000000,00000000,00000016,?,?,00E26655,00000000,00000000,00000000,00000000,00000000), ref: 00E26678
Part of subcall function 00E26676: GetCurrentProcess.KERNEL32(C0000417,00E2B5F4,00000000,?,00000003,00E2BA28), ref: 00E2669A
Part of subcall function 00E26676: TerminateProcess.KERNEL32(00000000,?,00000003,00E2BA28), ref: 00E266A1

Strings

*?, xrefs: 00E2D84B
., xrefs: 00E2DB2B

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction ID: 777b56da3ec12a93082abc6631b8e860bf1b2cef2a5ad67bd8a93c6d867ea2f3
Opcode Fuzzy Hash: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction Fuzzy Hash: 9551AF71E04229AFDF18DFA8DC81AADBBF5FF88314F249169E544F7300E6719A418B50

Function 00E1D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E1D7D1
_wcslen.LIBCMT ref: 00E1D7EC

Strings

}, xrefs: 00E1D7C4

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 4f983e8dc226e24f4b334f5fca22e6a96fcac4d612dce0176fd3ecd29fae2e18
Instruction ID: 0a6596f103cd323f5bb14c7d50ad28dd9c20c0bd4b52c2a4342d75c2a02c1e39
Opcode Fuzzy Hash: 4f983e8dc226e24f4b334f5fca22e6a96fcac4d612dce0176fd3ecd29fae2e18
Instruction Fuzzy Hash: 4921D3329083595AD735EB64DD45AABB3ECEF85714F40242AF584E3181EA70ED88C7E2

Function 00E1CEBF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E1D392: GetCurrentProcess.KERNEL32(00020008,?), ref: 00E1D3A1
Part of subcall function 00E1D392: GetLastError.KERNEL32 ref: 00E1D3CC

CreateDirectoryW.KERNEL32(?,?), ref: 00E1CF61
LocalFree.KERNEL32(?), ref: 00E1CF6F

Strings

, xrefs: 00E1CF20

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-1651818964
Opcode ID: 9db22be00a96878daa94f51d0bbd126328b68442843ef64d20f0f01d2a9b4f4f
Instruction ID: 695adfdcb56c0fdc7c8aa1a00d9f252622f047c9cbc31c65b0055874563ef067
Opcode Fuzzy Hash: 9db22be00a96878daa94f51d0bbd126328b68442843ef64d20f0f01d2a9b4f4f
Instruction Fuzzy Hash: 5E21C6B1900209AFDB10DF66D9899EF7BF8BB49344F50812AB815E2110E774DA598AA0

Function 00E1136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E112F6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E11315
Part of subcall function 00E112F6: GetProcAddress.KERNEL32(00E4C1F0,CryptUnprotectMemory), ref: 00E11325

GetCurrentProcessId.KERNEL32(?,00000200,?,00E11366), ref: 00E113F9

Strings

CryptUnprotectMemory failed, xrefs: 00E113F1
CryptProtectMemory failed, xrefs: 00E113B0

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 0f96aec6ca1b32d54f66fc1c911b755cd0cae9ad74d647645e44e9e76795b6c6
Instruction ID: b51125b27d251244bfccd9fa228ca25f87b8f0d278b3925d7a38a24e3226a4ca
Opcode Fuzzy Hash: 0f96aec6ca1b32d54f66fc1c911b755cd0cae9ad74d647645e44e9e76795b6c6
Instruction Fuzzy Hash: 6E115631A01225ABDB15AF31DC059EE3B64EF05B28B0191A5FD217B297D630ACC28AD4

Function 00E0D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E0D8D3

Part of subcall function 00E04C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E04C13

Strings

%c:\, xrefs: 00E0D8C9

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: feda732edc08c1f7a7adcd6bca90e11d090c8fd09c64ddfe29c9b5221841b257
Instruction ID: 0504c4b78c8d691a7dd3e0cb6705dc86bb8acffb6377f136fb88304ffc750dc8
Opcode Fuzzy Hash: feda732edc08c1f7a7adcd6bca90e11d090c8fd09c64ddfe29c9b5221841b257
Instruction Fuzzy Hash: F601286350832179D7346BF9AC46D6BB7ECEED5360790A41AF485F20C2EA60D8C0C3B1

Function 00E210F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E2130A
___raise_securityfailure.LIBCMT ref: 00E213F2

Strings

8], xrefs: 00E213ED

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]
API String ID: 3761405300-438778366
Opcode ID: 061437def5e7450a4314e4fd3d762fe5d5c0a0719103e9b7e3506e9687b6c8bc
Instruction ID: dc08a677b7d5e3a9692af6789ee1547537b36d7d23e77dcccab162b1a9a44791
Opcode Fuzzy Hash: 061437def5e7450a4314e4fd3d762fe5d5c0a0719103e9b7e3506e9687b6c8bc
Instruction Fuzzy Hash: FD21E4B6710B00DFDB10CF16F8896563BA4BB59394F50542AE908EB3B0D3F25A89CF45

Function 00E1D392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 00E1D3A1
GetLastError.KERNEL32 ref: 00E1D3CC

Strings

@, xrefs: 00E1D3A8

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: CurrentErrorLastProcess
String ID: @
API String ID: 335030130-2548697605
Opcode ID: a7f58d15ec9e88a921f1bdc93f4bf724d34081d482c8b6ee9e8ceec45b85ea9a
Instruction ID: 004265d4f1cace7cc7bc91277d28f85f2e02c90f19b22f5ff5f53f68e0ae4f54
Opcode Fuzzy Hash: a7f58d15ec9e88a921f1bdc93f4bf724d34081d482c8b6ee9e8ceec45b85ea9a
Instruction Fuzzy Hash: 56016975504208FFDF125FA1AC8AEEF7BBEEB05394F101065F605B1050EAB1AE84AA70

Function 00E2E19E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E2B9A5: GetLastError.KERNEL32(?,00E450C4,00E26E12,00E450C4,?,?,00E2688D,?,?,00E450C4), ref: 00E2B9A9
Part of subcall function 00E2B9A5: _free.LIBCMT ref: 00E2B9DC
Part of subcall function 00E2B9A5: SetLastError.KERNEL32(00000000,?,00E450C4), ref: 00E2BA1D
Part of subcall function 00E2B9A5: _abort.LIBCMT ref: 00E2BA23

_abort.LIBCMT ref: 00E2E1D0
_free.LIBCMT ref: 00E2E204

Strings

p,, xrefs: 00E2E1FB

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p,
API String ID: 289325740-2703748495
Opcode ID: 0f8170fe824c2c118d9899e00a604cfd3301301d8b9fd5f06aa280f4f30e73ef
Instruction ID: ba973450946e275bcca7dd48c36c5fcff98613964da5841626a5edd4cb2c1670
Opcode Fuzzy Hash: 0f8170fe824c2c118d9899e00a604cfd3301301d8b9fd5f06aa280f4f30e73ef
Instruction Fuzzy Hash: 5D01C472D01631DFCB219F59F80125CB3A4BF55B20B45221AF965773A1CB706D428FC1

Function 00E21405 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E21410
___raise_securityfailure.LIBCMT ref: 00E214CD

Strings

8], xrefs: 00E214C8

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]
API String ID: 3761405300-438778366
Opcode ID: 74def2b80b05cb5728cda72d764aac87d3d7e9a311f7df35f8d5bd354eaafea5
Instruction ID: 985c7eca8f441efb825fea7572c39a33a8fa1f9f7aae082fdd3caac30ffde628
Opcode Fuzzy Hash: 74def2b80b05cb5728cda72d764aac87d3d7e9a311f7df35f8d5bd354eaafea5
Instruction Fuzzy Hash: C211C3B6711B04DFCB10DF17F8856563BA5BB18384F00502AE808AB3A0E3F29A498F46

Function 00E130CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00E131E7,?,?,00E1325F,?,?,?,?,?,00E13249), ref: 00E130D0
GetLastError.KERNEL32(?,?,00E1325F,?,?,?,?,?,00E13249), ref: 00E130DC

Part of subcall function 00E07BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E07BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E130E5

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 7eecec2075732dcb6588d7d6e6d3a0763e8e1bfd0042b4814b2a94467937c48c
Instruction ID: 1a16f050a42491757b3bc2a1c03094f6c8bed2ee8a43037272645b8516111916
Opcode Fuzzy Hash: 7eecec2075732dcb6588d7d6e6d3a0763e8e1bfd0042b4814b2a94467937c48c
Instruction Fuzzy Hash: 33D05E72A0C5383BDA2533346C0FDAF3D4A9BA2331F609754F1B9751E5CA204D818AD1

Function 00E101FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00E0F951,?), ref: 00E101FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E0F951,?), ref: 00E1020D

Strings

RTL, xrefs: 00E10207

Memory Dump Source

Source File: 00000000.00000002.2145094523.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2145078754.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145122907.0000000000E36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E45000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145140167.0000000000E66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145245549.0000000000E67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_hKgrI6tqYx.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: b936196772589bfbb6e43082ce0e1c24d57420ebed0897d6535b198524a0ae3f
Instruction ID: f4a3676c6efc645eecf1f8e4e845e9637972c7833862317427e65c373b181ee1
Opcode Fuzzy Hash: b936196772589bfbb6e43082ce0e1c24d57420ebed0897d6535b198524a0ae3f
Instruction Fuzzy Hash: A4C012312407547AD63457726C4EB932E546B01715F055448B541FB1D1D6F6C885CA60

Analysis Process: Heart-Senders-Crackeado.exePID: 5960, Parent PID: 1492COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 0040A756 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040E2C7

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A76D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A77A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A799
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A79E

Strings

GetLongPathNameW, xrefs: 0040A786
Kernel32.DLL, xrefs: 0040A773

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 1993255246-2943376620
Opcode ID: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction ID: 045e3bd93f30ce5257affd3ba06db84d60efd2c3f80f990f00f7183b84a9fd71
Opcode Fuzzy Hash: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction Fuzzy Hash: C0F0BE722052147FC2212BBAAC4CDAB3E7CDE96752700413AF905E2252EA79881082BD

Function 0040195B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B38

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

Strings

$pA, xrefs: 00401A20
$pA, xrefs: 00401A73
$pA, xrefs: 00401AC8
$pA, xrefs: 00401B2C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: $pA$$pA$$pA$$pA
API String ID: 368575804-1531182785
Opcode ID: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
Instruction ID: 28b0c429ac0839269b991b7b7970ea1d3eb295239ca2258b2b80e935eceb64c8
Opcode Fuzzy Hash: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
Instruction Fuzzy Hash: CD510AB1514600AED600BBB1EC4297F7B7EEB98319F01883FF544690A2CA3D985D9A6D

Function 00401000 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DE30: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
Part of subcall function 0040DE30: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 00409B40: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49

Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(004186D0,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691

Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004186A8,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82

Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A418
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A431
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A43B

Part of subcall function 0040A348: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A35B
Part of subcall function 0040A348: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A370

Part of subcall function 0040DBCA: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
Part of subcall function 0040DBCA: memset.MSVCRT ref: 0040DC35

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011A5
HeapDestroy.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011B5
ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011BA

Strings

:pA, xrefs: 0040112D
.pA, xrefs: 00401085

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonControlsDestroyEnumInitLoadModuleResourceTypes
String ID: .pA$:pA
API String ID: 3272620648-1142403416
Opcode ID: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
Instruction ID: 59fd392a0a4490bdbbe753bcbaae00d60dcbf108960a32b110b84fea6de29b28
Opcode Fuzzy Hash: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
Instruction Fuzzy Hash: 6C313070A80704A9D210B7F29D43F9E3A25AB1874DF51843FB644790E3CEBC55489A6F

Function 00403DF3 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,008A8F78,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(008A8F78,008A8F78,00002710), ref: 00402C34

Part of subcall function 0040E080: TlsGetValue.KERNEL32(0000000D,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E08A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(008A8F78,008A8F78,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,008A8F78,008A89D0,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,008A8A50,00000000,00000000,00000000,00000000,00000000,008A8F78,008A89D0,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,0041702A,00000000,00000000,00000000,00000001,008A8A50,00000000,00000000,00000000,00000000,00000000,008A8F78,008A89D0), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,008A8F78), ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

pA, xrefs: 00404090
*pA, xrefs: 004044BE
*pA, xrefs: 0040452C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: *pA$*pA$pA
API String ID: 1881381519-978732049
Opcode ID: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
Instruction ID: c37fc5d70f496ddafb25d76fc072764247fdd107690a54ecab0fee76e679e4b9
Opcode Fuzzy Hash: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
Instruction Fuzzy Hash: 452219B5504700AED200BBB2D981A7F77BDEB94709F10CD3FF544AA192CA3CD8499B69

Function 0040AAC0 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB31
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB72
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040ABBC
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040ABDE
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040AC17
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction ID: b1ded5e7b3c1179952fb066da43177db28dec5f90817629197f40925782b5e59
Opcode Fuzzy Hash: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction Fuzzy Hash: 1F51C0712483006BE3218F19DD44B6B7BF6EB44764F204A3AFA51A73E0D678EC55874A

Function 0040D819 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00418624,0041861C,0040D9E2,00000000,FFFFFFED,00000200,77355E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D85A
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D891
LeaveCriticalSection.KERNEL32(00418624,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8EA
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77355E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D8FB
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D937

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction ID: b7a84fb5e76b6252515cea3da09f74f38e7866411a6d0cfbb28ace0a8fd55691
Opcode Fuzzy Hash: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction Fuzzy Hash: 7B31AEB2E007069FC3209F95D844A56BBF5FB44714B15C67EE465A77A0CB38E908CF98

Function 00402022 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction ID: 2b8263a944a9b57d4591781c670f1b736d97a98816e9e989756960c1ab26e777
Opcode Fuzzy Hash: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction Fuzzy Hash: 66219D71008309AFD700EF54C855A9FBBE8EF44304F10882EF299E2291DB79D909CF96

Function 00401B8F Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
Instruction ID: 657320b8a0b9e8c73ad23a805e8a4a11547555e009ba7fb8d64ba55fc2021fd8
Opcode Fuzzy Hash: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
Instruction Fuzzy Hash: 22514AB59047007AE2007BB2DD82E7F66AEDBD4709F10893FF944790D2C93C984996AE

Function 0040B020 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B058
memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B092

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction ID: 223037c69186752c1411635bf46ae5d03fa463101b4e1ddb65380de8071f5603
Opcode Fuzzy Hash: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction Fuzzy Hash: 93313A392047019FC320DF29D844E5BB7E1EFD4314F04882EE59A97750D335E919CBA6

Function 0040E260 Relevance: 4.6, APIs: 3, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040E2C7
HeapReAlloc.KERNEL32(008A0000,00000000,?,000FFFF6), ref: 0040E311

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Heap$AllocAllocateValue
String ID:
API String ID: 1566162415-0
Opcode ID: edc564d2c5970f17a08f17f7f2dd8ec1ec7cc92dbf7be1ee396f533a577dd9fd
Instruction ID: 2c0e96d34ae544ae0c5b574433a6328bca7d0891f714ed69c1083be89dc605b3
Opcode Fuzzy Hash: edc564d2c5970f17a08f17f7f2dd8ec1ec7cc92dbf7be1ee396f533a577dd9fd
Instruction Fuzzy Hash: 8D31A874A00109EFCB04CF98D594A9DBBB5FB88318F20C1A9E819AB395D731EE51DF44

Function 0040DEC0 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9
RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction ID: 93a72ebc0765164a1c418c05f64e83f02c193a946cd328b9657e87a1490d81f0
Opcode Fuzzy Hash: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction Fuzzy Hash: F111B974A00208EFCB04DF98D894E9ABBB6FF88314F20C159F9099B355D735AA41DB94

Function 0040A6C5 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040A6E3
wcslen.MSVCRT ref: 0040A6F5
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction ID: 5eb92d4f139d310a1ce384b3b75a423d404f976685da56e70024377017fd7883
Opcode Fuzzy Hash: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction Fuzzy Hash: 3E0167B180131896CB24DB64CC8DEBA73B8DF04304F6086BBE415E71D1E779DAA4DB5A

Function 00408DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408DFB
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
CoInitialize.OLE32(00000000), ref: 00408E1D

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction ID: d18f3e268914b4fee2ab689e9e6bda8f6ab82eec5aee9dd7765ec6ce908ab83c
Opcode Fuzzy Hash: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction Fuzzy Hash: 12E08CB088430CBBEB009BD0DC0EF8DBB7CEB00315F0041A4F904A2280EBB466488B95

Function 004098C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(008A8F78,008A8F78,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Strings

$0A, xrefs: 004098CF

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: EnvironmentVariable
String ID: $0A
API String ID: 1431749950-513306843
Opcode ID: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
Instruction ID: a83057451cf148fd94e5dae0918d05dd15dd477b401c26288c9a060c20ad275f
Opcode Fuzzy Hash: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
Instruction Fuzzy Hash: E7C01231619201BBD710EA14C904B57BBE5EB50345F04C439B044912B0C338CC44D705

Function 0040ADC0 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040ADF3
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AE15

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID:
API String ID: 3705299215-0
Opcode ID: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction ID: 12139a0eb1477c71ece9156acb4b07c5ee84e209973367f4cf7a68f803bf58ce
Opcode Fuzzy Hash: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction Fuzzy Hash: C1119331140300ABC2305F1AEC44B57BBF9EB85764F14863EF5A5A73E0C7759C158BA9

Function 0040DBCA Relevance: 3.1, APIs: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DD1D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DBDB,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040DD5E

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
memset.MSVCRT ref: 0040DC35

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction ID: c1bdd2e89517895a38d7a8cc2bcc280f97e8981c2924b00dcd90f9207400bfe8
Opcode Fuzzy Hash: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction Fuzzy Hash: E51167729043149BC320DF59DC80A8BBBE8EF88B10F01492EB988A7351D774E804CBA5

Function 00401FA9 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00402000
RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 0040200B

Part of subcall function 004053C7: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D7

Part of subcall function 00405436: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
Part of subcall function 00405436: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
Part of subcall function 00405436: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
String ID:
API String ID: 1205394408-0
Opcode ID: cbf9c02a299cce853fa8afa1118c476f8ea06bf817103c663cdc69cc5dfa62d5
Instruction ID: f8114c552bbb016f0a76c43bd4124e9f0fb198a1ce0b642fe03d48e839951556
Opcode Fuzzy Hash: cbf9c02a299cce853fa8afa1118c476f8ea06bf817103c663cdc69cc5dfa62d5
Instruction Fuzzy Hash: 36F0C030414505AADA257B32EC8299A7E36EB08308B42C43FF440714F2CF3E9D69AE5D

Function 0040DE30 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(008A0000,00000000,0000000C,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6AE
Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(008A0000,00000000,00000010,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6C2
Part of subcall function 0040E6A0: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6EB

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction ID: f6fb69b35e6ce2edff263c55ffd8902d3e18a9f91630c6f11d167ca4d15ccc07
Opcode Fuzzy Hash: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction Fuzzy Hash: 4ED012309C8304ABE7402FB1BC0A7843B789708765F604835F509572D1D9BA6090495C

Function 0040A7B9 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A7F2,008A8F78,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A7D0
DeleteFileW.KERNELBASE(00000000,0040A7F2,008A8F78,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A7DA

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction ID: f7dd43ce8ab679ab9acf2fbd66ade7664d9bbbd5be98dbe0a51a073a4b2bc51f
Opcode Fuzzy Hash: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction Fuzzy Hash: 00D09E30408300B6D7555B20C90D75ABAF17F84745F14C43AF485514F1D7798C65E70A

Function 0040DE60 Relevance: 3.0, APIs: 2, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(008A0000,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE69
TlsFree.KERNELBASE(0000000D,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE76

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: e1e86a498c82862297bb4ba2eeef0c9791047cff053e7cc11c8159107c07dceb
Instruction ID: 39e23e6c0b6f630abd0a78494d594864f6bb0b6a3747c7bb50b876903a384421
Opcode Fuzzy Hash: e1e86a498c82862297bb4ba2eeef0c9791047cff053e7cc11c8159107c07dceb
Instruction Fuzzy Hash: 94C04C71158304ABCB049BA5FC488D57BBDE74C6153408564F51983661CA36E4408B58

Function 0040A9D0 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040AA13
CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AA1B

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction ID: 9ff7f62518d4b0577bac71a3516b051fbd3d19e36237879e48dc57cbe5217eec
Opcode Fuzzy Hash: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction Fuzzy Hash: E0F05E32600200A7CA216B5AED05A8BBBB2EB85764B11853EF124314F5CB355860DB5D

Function 00402BFA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

GetShortPathNameW.KERNEL32(008A8F78,008A8F78,00002710), ref: 00402C34

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 00409B80: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(008A0000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
Instruction ID: 7a2999830b1481a9d7ef80217fec4737815e267699ad494388d5f61b71452053
Opcode Fuzzy Hash: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
Instruction Fuzzy Hash: F6012D75508201BAE5007BA1DD06D3F76A9EFD0718F10CD3EB944B50E2CA3D9C599A5E

Function 0040AA40 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040AA08,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA67

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction ID: b59f1f917ceac4f5cea587e7357412edb8aff685aadda2d04846933fd6210d73
Opcode Fuzzy Hash: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction Fuzzy Hash: 0AF09276105700AFD720DF58D948F97BBE8EB58721F10C82EE69AD3690C770E850DB61

Function 00402BC1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction ID: e96e1892c4c724b03879bd5233d00e0abab71770c233aa8573b83279bd435b66
Opcode Fuzzy Hash: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction Fuzzy Hash: E6D0126081824986D750BE65850979BB3ECE700304F60883AD085561C1F7BCE9D99657

Function 00409BA0 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction ID: 6d87291edcf2eeb8e990bf82b01346f6326b2aefffcea0088477b931f0527044
Opcode Fuzzy Hash: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction Fuzzy Hash: 6EC04C717441007AD6509B24AE49F5776E9BB70702F00C4357545D15F5DB70EC50D768

Function 0040D2C4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(004011D8,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040D2E1

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: afb8170c881060827f7b708402de6715e31012ce767a183e2a7e5af61eff3ca6
Instruction ID: 02f19102e46f6fc925772832a959dff7ad61b801f58b10c94ac68856fb14f403
Opcode Fuzzy Hash: afb8170c881060827f7b708402de6715e31012ce767a183e2a7e5af61eff3ca6
Instruction Fuzzy Hash: 04C04C30405100DBDF268B44ED0C7D53671A784305F4484BD9002112F1CB7C459CDA5C

Function 00409B40 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
Instruction ID: 1bee1f37f93e9d35684b03c2e4756e6010034fad4ed660fefd81427f3766245b
Opcode Fuzzy Hash: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
Instruction Fuzzy Hash: 2AB012702C43005AF2500B105C46B8039609304B43F304024B2015A1D4CBF0108045AC

Function 00409B30 Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409B36

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 9f5e47457f218c908017f92e5e7370515ba6a022eaaca9f0545f96318fbd8d58
Instruction ID: ab699811fd0d87702ef007ec9d9e0afa2980276031b74f33cf565c9ea9518c6e
Opcode Fuzzy Hash: 9f5e47457f218c908017f92e5e7370515ba6a022eaaca9f0545f96318fbd8d58
Instruction Fuzzy Hash: 98900230404000CBCF015B10ED484843E71F74130532091749015414B0CB314451DA48

Non-executed Functions

Function 00408F69 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B

GetStockObject.GDI32(00000011), ref: 00408FB2
LoadIconW.USER32 ref: 00408FE9
LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
RegisterClassExW.USER32 ref: 00409021
IsWindowEnabled.USER32(00000000), ref: 00409048
EnableWindow.USER32(00000000), ref: 00409059
GetSystemMetrics.USER32(00000001), ref: 00409091
GetSystemMetrics.USER32(00000000), ref: 0040909E
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
wcslen.MSVCRT ref: 00409189
wcslen.MSVCRT ref: 00409191
SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
SetForegroundWindow.USER32(00000000), ref: 0040921F
BringWindowToTop.USER32(00000000), ref: 00409226
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
TranslateMessage.USER32(?), ref: 00409259
DispatchMessageW.USER32(?), ref: 00409264
DestroyAcceleratorTable.USER32(00000000), ref: 00409278
wcslen.MSVCRT ref: 00409289
wcscpy.MSVCRT ref: 004092A1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4

Strings

EDIT, xrefs: 0040914D
D0A, xrefs: 00409003
BUTTON, xrefs: 004091C6
STATIC, xrefs: 004090FB
0, xrefs: 00408FC5

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D0A$EDIT$STATIC
API String ID: 54849019-2968808370
Opcode ID: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction ID: 83f6c24ff00e7acae504a8cc9f4403d446bfccf5cce4438541287e2077ea33a9
Opcode Fuzzy Hash: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction Fuzzy Hash: 4E91A070648304BFE7219F64DC49F9B7FA9FB48B50F00893EF644A61E1CBB988448B59

Function 00401500 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

Part of subcall function 0040A6C5: wcsncpy.MSVCRT ref: 0040A6E3
Part of subcall function 0040A6C5: wcslen.MSVCRT ref: 0040A6F5
Part of subcall function 0040A6C5: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Strings

fpA, xrefs: 0040158A
$pA, xrefs: 00401645
fpA, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
2pA, xrefs: 0040169B
6pA, xrefs: 004017CD
fpA, xrefs: 00401835
2pA, xrefs: 004016C5
fpA, xrefs: 004015ED
&pA, xrefs: 0040154F
2pA, xrefs: 004016F3
fpA, xrefs: 004018F7
6pA, xrefs: 00401784
.pA, xrefs: 0040167C
6pA, xrefs: 00401861

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$fpA$fpA$fpA$fpA$fpA
API String ID: 1295435411-3159487945
Opcode ID: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
Instruction ID: b4e4a0b709d291d116e2253cfe1eb4aef96e8d0e4325569d50da54c09323f468
Opcode Fuzzy Hash: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
Instruction Fuzzy Hash: E3B134B1504300AED600BBA1DD81E7F77A9EB88308F108D3FF544B61A2CA3DDD59966D

Function 00409355 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00409373

Part of subcall function 0040E3F0: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E3FA

memset.MSVCRT ref: 00409381
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
wcsncpy.MSVCRT ref: 004093DD
wcslen.MSVCRT ref: 004093F1
CoTaskMemFree.OLE32(?), ref: 0040947A
wcslen.MSVCRT ref: 00409481
FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Strings

SHBrowseForFolderW, xrefs: 004093AA
SHGetPathFromIDListW, xrefs: 004093B2
P, xrefs: 00409429
$0A, xrefs: 004093CD
SHELL32.DLL, xrefs: 00409389

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-92458654
Opcode ID: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction ID: 23f57ca1c929181bfbc58391faabb4ebc57556df945843c0c8e437b0019b5ca4
Opcode Fuzzy Hash: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction Fuzzy Hash: D3416471508704AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B6A

Function 00406310 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 00406405

Part of subcall function 0040E1E0: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E1EA

_wcsdup.MSVCRT ref: 0040644E
_wcsdup.MSVCRT ref: 00406469
_wcsdup.MSVCRT ref: 0040648C
wcsncpy.MSVCRT ref: 00406578
free.MSVCRT ref: 004065DC
free.MSVCRT ref: 004065EF
free.MSVCRT ref: 00406602
wcsncpy.MSVCRT ref: 0040662E

Strings

$0A, xrefs: 0040631F
$0A, xrefs: 0040632F
$0A, xrefs: 0040633E

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $0A$$0A$$0A
API String ID: 1554701960-360074770
Opcode ID: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction ID: a3954b37eea6ac6c251c7ba509b6f2d99b081bbe67bc4aeebc7e0be9c04ba548
Opcode Fuzzy Hash: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction Fuzzy Hash: 30A1BD715043019BCB209F18C881A2BB7F1EF94348F49093EF88667391E77AD965CB9A

Function 0040A83A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040E2C7

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A863
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A875
wcscpy.MSVCRT ref: 0040A89B
wcscat.MSVCRT ref: 0040A8A6
wcslen.MSVCRT ref: 0040A8AC
CoTaskMemFree.OLE32(?,00000000,00000000,?,008A8F78,00000000,00000000), ref: 0040A8BA
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A8C1
wcscat.MSVCRT ref: 0040A8D9
wcslen.MSVCRT ref: 0040A8DF

Strings

SHGetKnownFolderPath, xrefs: 0040A86F
Downloads\, xrefs: 0040A8D3
Shell32.DLL, xrefs: 0040A85E

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1878685483-287042676
Opcode ID: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction ID: ae609db33c227b916d8c96984f24cc4820d8d1ee700964f601e6ad2a5a3ba7d8
Opcode Fuzzy Hash: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction Fuzzy Hash: C821F871344701B6D2303B62EC4EF6F2A78DB91B90F11483BF901B51D2D6BC8A6199AF

Function 00412082 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00412092
InitializeCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 0041209E
TlsGetValue.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 004120B4
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120CE
EnterCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 004120DF
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120FB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00412114
GetCurrentThread.KERNEL32 ref: 00412117
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 0041211E
DuplicateHandle.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412121
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041217A,00000000,000000FF,00000008), ref: 00412137
TlsSetValue.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412144
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412155

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction ID: d80fd07e77255670f12a4e616af7295cf706cbaed93ad9a0fedfb01b657d880b
Opcode Fuzzy Hash: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction Fuzzy Hash: 35211971644305FFDB119F64ED88B963FBAFB49311F04C43AFA09962A1CBB49850DB68

Function 00403275 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
Instruction ID: 2364f58bb10a159e0aa11294c57d56a9f179ba7a21fd77f55822fae8b4f54734
Opcode Fuzzy Hash: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
Instruction Fuzzy Hash: F5514075518701AAD600BBB2CC82B2F76A9AFD0709F10CC3FF544790D2CA7CD8599A6E

Function 0040DA43 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D855,0041861C,0040D9E2,00000000,FFFFFFED,00000200,77355E70,00409E76,FFFFFFED,00000010), ref: 0040DA51
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA66
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA81
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA90
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DAA2
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DAB5

Strings

InitOnceExecuteOnce, xrefs: 0040DA60
Kernel32.dll, xrefs: 0040DA4A

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction ID: e7d3430369b103de8e34323ddaa6381870798cc52ac97d2691a1b23ef8b22f52
Opcode Fuzzy Hash: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction Fuzzy Hash: A701B132748204BAD7116FE49C49FEB3B29EF42762F10813AF905A11C0DB7C49458A6D

Function 00409507 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
GetCurrentThreadId.KERNEL32 ref: 0040951F
IsWindowVisible.USER32(?), ref: 00409526

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

GetCurrentThreadId.KERNEL32 ref: 00409543
GetWindowLongW.USER32(?,000000EC), ref: 00409550
GetForegroundWindow.USER32 ref: 0040955E
IsWindowEnabled.USER32(?), ref: 00409569
EnableWindow.USER32(?,00000000), ref: 00409579

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction ID: 9be2ebae674c1fa36b8fc713cd4e728ef3198b0ad07c7790c0b3041e5f2a4f9d
Opcode Fuzzy Hash: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction Fuzzy Hash: A901B9315083016FD3215B769C88AABBAB8AF55750B04C03EF456D3191D7749C40C66D

Function 00408EB4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408EED
GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
GetWindowTextLengthW.USER32 ref: 00408F0A
HeapAlloc.KERNEL32(00000000), ref: 00408F1F
GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
DestroyWindow.USER32(?), ref: 00408F3D
UnregisterClassW.USER32 ref: 00408F53

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction ID: dcdd979020c5d84d31bdac08dec077088d7257a56d77306a58cab45369b049af
Opcode Fuzzy Hash: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction Fuzzy Hash: C611183110810ABFCB116F64ED4C9E63F76EB08361B00C53AF44592AB0CF359955EB58

Function 00409588 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00409507,?), ref: 0040959B
GetCurrentThreadId.KERNEL32 ref: 004095B3
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
GetCurrentThreadId.KERNEL32 ref: 004095EF
EnableWindow.USER32(?,00000001), ref: 00409605
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction ID: f5a6386b144a933a28a8080deaf79be6790ca9cb7a06763c23f847dded1acd22
Opcode Fuzzy Hash: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction Fuzzy Hash: 3E11AF32548741BBD7324B16EC48F577BB9EB81B20F14CA3EF052226E1DB766D44CA18

Function 0040D353 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D378
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D38C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D399
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3B0
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3BF
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3CE

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction ID: 1e11015e4a25d7f5304c1c18fd55a95fd758b035f13ce6db6bcec7fc4f8c26ab
Opcode Fuzzy Hash: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction Fuzzy Hash: 22116372A45310AFD7109FA5EC84A967BA9FB58760B05803EF904D33B2DB359C048AAC

Function 00412004 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 0041200E
CloseHandle.KERNEL32(?,?,?,?,0041218A,?), ref: 00412017
EnterCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412023
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412048
HeapFree.KERNEL32(00000000,00000000,?,?,?,0041218A,?), ref: 00412066
HeapFree.KERNEL32(?,?,?,?,?,0041218A,?), ref: 00412078

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction ID: 90751bbfb1e58074f86cd24fa3ef9024ec02ad1f71581e15228f0d3cd8da5416
Opcode Fuzzy Hash: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction Fuzzy Hash: F5012970201601EFC7249F11EE88A96BF75FF493557108539E61AC2A70C731A821DBA8

Function 004057F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00405853
memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$0A, xrefs: 0040580C
$0A, xrefs: 00405819

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $0A$$0A
API String ID: 1452150355-167650565
Opcode ID: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction ID: fc6078814c183f32d07ee1b1bbfb59dc2b99a9263d9aed9d6ca5449e395b5937
Opcode Fuzzy Hash: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction Fuzzy Hash: 4C31D536904B058BC720FF55888057B77A8EE84344F14893EEC85373C2EB799D61DBAA

Function 00405553 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

RtlGetVersion, xrefs: 0040557B
ntdll.dll, xrefs: 0040556C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction ID: 30d66d9a54b09ec8b40df40bafdfba1d8cbaec4fc0a5d0b23e6a41b72964e000
Opcode Fuzzy Hash: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction Fuzzy Hash: FAE09A3176461176C6202B76AC09FCB2AACDF8AB01B14043AB105E21C5E63C8A018ABD

Function 0040A043 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A0AB
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?,00403C62), ref: 0040A0C1
wcscpy.MSVCRT ref: 0040A0CC
memset.MSVCRT ref: 0040A0FA

Strings

$0A, xrefs: 0040A07C

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $0A
API String ID: 1807340688-513306843
Opcode ID: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction ID: f5e08f91bfd61cb5ee80f18050d08b7446549b79f9f251a776f81db7a0f8ced7
Opcode Fuzzy Hash: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction Fuzzy Hash: ED212431100B04AFC321AF259845B2BB7F9EF88314F14453FFA8562692DB39A8158B1A

Function 00409DE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E9C

Strings

$0A, xrefs: 00409E87

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID: $0A
API String ID: 3901518246-513306843
Opcode ID: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction ID: e0ba865afb0c504cde721ebe6402ca52a8b9bc1920db32d4218675ac1f34fbd8
Opcode Fuzzy Hash: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction Fuzzy Hash: EC213971600616ABD320DF2ADC01B46BBE9BF88710F41852AB548A76A1DB71EC248BD8

Function 00405492 Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,?,?,00000000,008A8F78), ref: 004054AB
EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction ID: 0c8983fff82f944e714e95dc609c427016460782395ad7ea9b381996daa8850a
Opcode Fuzzy Hash: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction Fuzzy Hash: 6E110632145604BFC3015F54EC05ED7BBB9EF45752721846BF800972A0EB75A8508F6D

Function 0040D946 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D9C8
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D9D7

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction ID: 8e0b58a532cd0764c064264ab0afec864f9344a56e81b99afb7742a3bcd9c4dc
Opcode Fuzzy Hash: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction Fuzzy Hash: 80112B71501601AFC7209F55DC48B96BBB5FF49311F10843EA45A936A1D738A844CF98

Function 00409698 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040E2C7

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
wcscmp.MSVCRT ref: 004096C2
memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Strings

\\?\, xrefs: 004096BA, 004096D4

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocateFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 2309408642-4282027825
Opcode ID: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction ID: 273bc576c06434c2caee33e7ea90b93358419674725e30c46c8a7bea9ec705d9
Opcode Fuzzy Hash: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction Fuzzy Hash: BBF0E2B31006017BC210677BDC85CAB7EACEB853747000A3FF515D24D2EA38D82496B8

Function 0040B236 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B2D7
memset.MSVCRT ref: 0040B2E0
memset.MSVCRT ref: 0040B2E9
memset.MSVCRT ref: 0040B2F6
memset.MSVCRT ref: 0040B302

Part of subcall function 0040C636: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C690
Part of subcall function 0040C636: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C6DF

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction ID: 0935afcf37e6329c3ac2d0f56793f6a9f9fc9668031c2f15978d8007e640a3dc
Opcode Fuzzy Hash: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction Fuzzy Hash: 322103317506083BE524AA29DC86F9F738CDB81708F40063EF241BA2C1CA79E54947AE

Function 00405BA0 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C6A
wcsncpy.MSVCRT ref: 00405CC0

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction ID: a3f43ae3cc8438659badc3904afd778ac5f48c872593279c616423bb3bd2bb8e
Opcode Fuzzy Hash: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction Fuzzy Hash: 6D51AD34508B059BDB209F28D844A6B77F4FF84348F544A2EF885A72D0E778E915CB99

Function 00406670 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406696
CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066D0
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066FF
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406705

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction ID: 50cff0fc212774e4e1f85142edc8b720228546f3e888a8e5f893537154114361
Opcode Fuzzy Hash: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction Fuzzy Hash: 582176796043058BC710AF1D9C40077B7E4EB80364F86483BEC85A3380D639EE169BA9

Function 00412240 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412271
malloc.MSVCRT ref: 00412281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041229B
malloc.MSVCRT ref: 004122B0

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction ID: 3c1085fe75aa08d7dfcf325d5fd6ce3d1ff6e0efa089dc1519f7c1eb2db8e9d3
Opcode Fuzzy Hash: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction Fuzzy Hash: F70145373413013BE2204685AC02FAB3B58CBC1B95F1900BAFF04AE6C0C6F3A80182B8

Function 004121A0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D0B8,00000000), ref: 004121D4
malloc.MSVCRT ref: 004121E4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00412201
malloc.MSVCRT ref: 00412216

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction ID: ba92e613a2f9bf0a88025da3432e472bc54701246ba04d0c993b0b67be8a7a27
Opcode Fuzzy Hash: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction Fuzzy Hash: 9401F57B38130137E3205695AC42FBB7B59CB81B95F1900BAFB05AE2C1D6F76814C6B9

Function 0040A96C Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,008A8F78,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A91B,00000000,00000000,00000104,?), ref: 0040A97E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A98F
wcslen.MSVCRT ref: 0040A99A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A91B,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A9B8

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction ID: 15676ea375ba95ce47a4ad1d62f3a4f85f84cc5ccd71b7d74cdbb22097095955
Opcode Fuzzy Hash: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction Fuzzy Hash: 51F0D136610614BAC7205B6ADD08DAB7B78EF06660B414126F805E6250E7308920C7E5

Function 00405436 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction ID: 3069acd899a723a1849542c16efb52ddeba99d38bb4cb8d15d413c759c742d3e
Opcode Fuzzy Hash: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction Fuzzy Hash: CDF05432905610AFC2205F619C48AE77B79EF54767715843FF94573190D73868408E6E

Function 00403001 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008A0000,00000000,?,?), ref: 0040DF1C

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5
Part of subcall function 00402E9D: __fprintf_l.LIBCMT ref: 00402F1F

Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
Part of subcall function 00409355: memset.MSVCRT ref: 00409381
Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,008A8E68,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

$pA, xrefs: 004030CC

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
String ID: $pA
API String ID: 790731606-4007739358
Opcode ID: fafddd55d836537589261c709968970c6775ae1a276d84be64f2893e19f462a9
Instruction ID: fee6f31afef46dfc3d4b18dc130868db542cea1a9d30875f0fa626089c73850b
Opcode Fuzzy Hash: fafddd55d836537589261c709968970c6775ae1a276d84be64f2893e19f462a9
Instruction Fuzzy Hash: E151F6B5904A007EE2007BF2DD82E3F266EDFD4719B10893FF844B9092C93C994DA66D

Function 004024F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008A0000,00000000,?), ref: 0040DEF9

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(008A8F78,008A8F78,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(008A0000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Strings

*pA, xrefs: 004025FF

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: *pA
API String ID: 1199808876-3833533140
Opcode ID: d71b0a94e292aaa5df852a5f67a936174220f907fb1fd7f815eb7f58dc0b4ad1
Instruction ID: 21a80edfc212e2aa9d277187ee9bfa0e7f9d15baa35618845dd156f20ee28a4c
Opcode Fuzzy Hash: d71b0a94e292aaa5df852a5f67a936174220f907fb1fd7f815eb7f58dc0b4ad1
Instruction Fuzzy Hash: 6C412DB5904701AED600BBB2DD8293F77ADEBD4309F108D3FF544A9092CA3CD849966E

Function 0040973A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040D2E8: TlsGetValue.KERNEL32(?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D2EF
Part of subcall function 0040D2E8: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D30A
Part of subcall function 0040D2E8: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D319

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754

Strings

", xrefs: 00409776
, xrefs: 0040976E

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction ID: ab659b79707db7d7869a667e669445cd4c695224699636d93eb587c6e0e94742
Opcode Fuzzy Hash: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction Fuzzy Hash: 4A31A7735252218ADB74AF10981127772A1EFA2B60F18C17FE4926B3D2F37D8D41D369

Function 00409FB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409FED
wcscmp.MSVCRT ref: 0040A026

Strings

$0A, xrefs: 00409FC4

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: _wcsicmpwcscmp
String ID: $0A
API String ID: 3419221977-513306843
Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction ID: ce5e94a217663c04e8d70dd0a479d34a80eb67d33ce446282a7f9ad79867738e
Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction Fuzzy Hash: 2E11C476108B0A8FD3209F46D440923B3E9EF94364720843FD849A3791DB75FC218B6A

Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$0A, xrefs: 0040570B

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: $0A
API String ID: 626452242-513306843
Opcode ID: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction ID: 257aa3cf1744ec2ccb71e28fb2e26357a5123011e6015fa77bf79efc500ed16d
Opcode Fuzzy Hash: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction Fuzzy Hash: 16F0393A3862213BE230215A6C0AF672A69CB86F71F2542327B24BF2D085B5680046AC

Function 0040D57F Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?), ref: 0040D593
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?), ref: 0040D648
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000), ref: 0040D66B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?), ref: 0040D6C3

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction ID: 88038414d57a756cd7fad5c0050c74a6e8d04d69e7cdc083c9acd98434601a7e
Opcode Fuzzy Hash: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction Fuzzy Hash: 9C51E370A00B069FC324CF69D980926B7F5FF587103148A3EE89A97B90D335F959CB94

Function 0040E130 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040E145
HeapAlloc.KERNEL32(008A0000,00000000,0000000A), ref: 0040E169
HeapReAlloc.KERNEL32(008A0000,00000000,00000000,0000000A), ref: 0040E18D
HeapFree.KERNEL32(008A0000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E1C4

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction ID: 6002b1c3f5819bc59b30070f24097f674b8c445c60846b79d2129d941eb5fd7b
Opcode Fuzzy Hash: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction Fuzzy Hash: BA21F774604209EFDB14CF94D884FAAB7BAEB48354F108569F9099F390D735EA81CF94

Function 0040D498 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D4E3
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction ID: 44ceb6562d1eb3065d03cece85d0244f92a2e0345c3169311120ea74ede9abb0
Opcode Fuzzy Hash: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction Fuzzy Hash: 0A113D72604600AFC3208FA8DC40E56B7F9FB48325B14892EE896E36A1C734F804CF65

Function 0040D6DD Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D6EF
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D706
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D722
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D73F

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction ID: 19831624efecdb95f34469d84cf285095463f1f7ead1137181efdd2e3cba2855
Opcode Fuzzy Hash: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction Fuzzy Hash: CB012879A0161AAFC7208F96ED04967BB7CFB49751305853AA844A7A60C734E824DFE8

Function 00409ECF Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A11A: memset.MSVCRT ref: 0040A182

Part of subcall function 0040D946: EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
Part of subcall function 0040D946: LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

Memory Dump Source

Source File: 00000002.00000002.2159649613.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2159561063.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159705837.0000000000413000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159740764.0000000000417000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2159896280.0000000000419000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Heart-Senders-Crackeado.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction ID: 731859a3b15cae5753bb7de1e8a6b13bc7caaa2a8ebc947d3a100cd7cc498ee7
Opcode Fuzzy Hash: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction Fuzzy Hash: ABF04471215109BFC6115F16DD40D57BF6DFF8A7A43424129B40493571CB36EC20AAA8

Analysis Process: Heart-Sender-V1.2.exePID: 6960, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1862
Total number of Limit Nodes:	51

Executed Functions

Function 00E9037C Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8290A: GetModuleHandleW.KERNEL32 ref: 00E82937
Part of subcall function 00E8290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E82949
Part of subcall function 00E8290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E82973

Part of subcall function 00E8C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E8C5E5

Part of subcall function 00E8CCD9: OleInitialize.OLE32(00000000), ref: 00E8CCF2
Part of subcall function 00E8CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E8CD29
Part of subcall function 00E8CCD9: SHGetMalloc.SHELL32(00EBC460), ref: 00E8CD33

GetCommandLineW.KERNEL32 ref: 00E903C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E903F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00E90404
UnmapViewOfFile.KERNEL32(00000000), ref: 00E90455

Part of subcall function 00E8FFDD: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E8FFFE
Part of subcall function 00E8FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E90038

Part of subcall function 00E81421: _wcslen.LIBCMT ref: 00E81445

CloseHandle.KERNEL32(00000000), ref: 00E9045C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe,00000800), ref: 00E90476
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe), ref: 00E90482
GetLocalTime.KERNEL32(?), ref: 00E9048D
_swprintf.LIBCMT ref: 00E904E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E904F6
GetModuleHandleW.KERNEL32(00000000), ref: 00E904FD
LoadIconW.USER32(00000000,00000064), ref: 00E90514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00E90565
Sleep.KERNEL32(?), ref: 00E90593
DeleteObject.GDI32 ref: 00E905CC
DeleteObject.GDI32(?), ref: 00E905DC
CloseHandle.KERNEL32 ref: 00E9061F

Strings

sfxname, xrefs: 00E9047D
STARTDLG, xrefs: 00E9055A
sfxstime, xrefs: 00E904F1
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00E904D2
winrarsfxmappingfile.tmp, xrefs: 00E903E7
C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe, xrefs: 00E9046F, 00E90474, 00E9047C, 00E90524
pP, xrefs: 00E90525

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe$STARTDLG$pP$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-3690347860
Opcode ID: 37ec126cf77e6fb6d10d26de6d201917db6785ffaff4040d668f67992ff6a276
Instruction ID: 9ec7bd0fc38a40bbe88671d08d2997899061efa6ee32e78bc773f6c3a7a8f48c
Opcode Fuzzy Hash: 37ec126cf77e6fb6d10d26de6d201917db6785ffaff4040d668f67992ff6a276
Instruction Fuzzy Hash: 0E71F471504340AFDB20BB72EC45F6B7BE8EB4A704F04542AF649B2292DB719948CB72

Function 00E7F963 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,2D272A92), ref: 00E7F9CD

Part of subcall function 00E7E208: _wcslen.LIBCMT ref: 00E7E210

Part of subcall function 00E82663: _wcslen.LIBCMT ref: 00E82669

Part of subcall function 00E83D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,2D272A92,?,?,2D272A92,00000001,00E7DA04,00000000,2D272A92,?,000203DC,?,?), ref: 00E83D2C

_wcslen.LIBCMT ref: 00E7FD00
__fprintf_l.LIBCMT ref: 00E7FE50

Strings

$%s:, xrefs: 00E7FE33
@%s:, xrefs: 00E7FE3A, 00E7FE46
|l, xrefs: 00E7FCD1
*messages***, xrefs: 00E7FAD1
*messages***, xrefs: 00E7FB0A
RTL, xrefs: 00E7FE12
,, xrefs: 00E7FE8B

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL$|l
API String ID: 2646189078-3226807011
Opcode ID: c8d14cbcfdaa9c7fd43ee923f9869cf0453cdba6a5760d54fd13ee1f9a2bfe04
Instruction ID: 49d178982249fbd910e7926ad53f2540b10dcc7b27508539d56603a57aceb280
Opcode Fuzzy Hash: c8d14cbcfdaa9c7fd43ee923f9869cf0453cdba6a5760d54fd13ee1f9a2bfe04
Instruction Fuzzy Hash: EF421671900219ABDF24EFA4C841BEEB3B4FF09714F50552AEA0DBB291EB709A45CB54

Function 00E7C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000), ref: 00E7C4E6

Part of subcall function 00E7DA1E: _wcslen.LIBCMT ref: 00E7DA59

FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?), ref: 00E7C516
GetLastError.KERNEL32(?,?,00000800,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000,0000003A), ref: 00E7C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000), ref: 00E7C549
GetLastError.KERNEL32(?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E7C555

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: ae37fc2fbdf0fad1919dd277e95a81f7e29a116bd3f0415baf46ddcaa7b03223
Instruction ID: 930c50ac2086cdbe3ab49e2d2d6519bc450fd22b42221f084e1222ea7d3895d0
Opcode Fuzzy Hash: ae37fc2fbdf0fad1919dd277e95a81f7e29a116bd3f0415baf46ddcaa7b03223
Instruction Fuzzy Hash: F14183B1508245AFC724EF24C8849EBF3ECBB49744F145A1EF59EE3240D771A9498B91

Function 00E9A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E9A616,?,00EAF7B0,0000000C,00E9A76D,?,00000002,00000000), ref: 00E9A661
TerminateProcess.KERNEL32(00000000,?,00E9A616,?,00EAF7B0,0000000C,00E9A76D,?,00000002,00000000), ref: 00E9A668
ExitProcess.KERNEL32 ref: 00E9A67A

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1ec73f6b74ad4d642e7f3e2d077621ea7e35db5516aa72ed7fa1839b036ca498
Instruction ID: 30c38c25e7c03e21b72d3b6ba4945705bc057659a1e93f1ed9b29fc0b71647d3
Opcode Fuzzy Hash: 1ec73f6b74ad4d642e7f3e2d077621ea7e35db5516aa72ed7fa1839b036ca498
Instruction Fuzzy Hash: C7E04631000108AFCF216F61CD08A483F6AEF56389F094020F908AB133CB36EC86CA80

Function 00E8290A Relevance: 101.8, APIs: 23, Strings: 35, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00E82937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E82949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E82973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E82C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E82C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E82C4B
ReadFile.KERNEL32(00000000,?,00007FFE,$o,00000000), ref: 00E82C69
CloseHandle.KERNEL32(00000000), ref: 00E82CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E82CE6
CompareStringW.KERNEL32(00000400,00001001,po,?,DXGIDebug.dll,?,$o,?,00000000,?,00000800), ref: 00E82D3A
GetFileAttributesW.KERNEL32(?,?,$o,00000800,?,00000000,?,00000800), ref: 00E82D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00E82DA0

Part of subcall function 00E828AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E828D4
Part of subcall function 00E828AB: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00E81309,Crypt32.dll,00000000,00E81383,00000200,?,00E81366,00000000,00000000,?), ref: 00E828F4

_swprintf.LIBCMT ref: 00E82E12
_swprintf.LIBCMT ref: 00E82E5E
AllocConsole.KERNEL32 ref: 00E82E66
GetCurrentProcessId.KERNEL32 ref: 00E82E70
AttachConsole.KERNEL32(00000000), ref: 00E82E77
_wcslen.LIBCMT ref: 00E82E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E82E9D
WriteConsoleW.KERNEL32(00000000), ref: 00E82EA4
Sleep.KERNEL32(00002710), ref: 00E82EAF
FreeConsole.KERNEL32 ref: 00E82EB5
ExitProcess.KERNEL32 ref: 00E82EBD

Strings

<r, xrefs: 00E82AC6
Ls, xrefs: 00E82B3F
tq, xrefs: 00E82A71
pp, xrefs: 00E82A19
Dt, xrefs: 00E82BAD
$s, xrefs: 00E82B29
\t, xrefs: 00E82BB8
$o, xrefs: 00E82C56, 00E82C5A
xs, xrefs: 00E82B55
po, xrefs: 00E82D2C
ds, xrefs: 00E82B4A
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00E82E4C
SetDefaultDllDirectories, xrefs: 00E8296D
DXGIDebug.dll, xrefs: 00E82D26
SetDllDirectoryW, xrefs: 00E82943
Dq, xrefs: 00E82A61
uxtheme.dll, xrefs: 00E82DDF
<o, xrefs: 00E829AE
xt, xrefs: 00E82BC3
`r, xrefs: 00E82AD1
<, xrefs: 00E82D3A
dwmapi.dll, xrefs: 00E829D9, 00E82DD5
Xp, xrefs: 00E82A11
Xo, xrefs: 00E829B6
o, xrefs: 00E829E9
xr, xrefs: 00E82ADC
$r, xrefs: 00E82ABB
4s, xrefs: 00E82B34
(p, xrefs: 00E82A01
p, xrefs: 00E82A41
(t, xrefs: 00E82BA2
@p, xrefs: 00E82A09
kernel32, xrefs: 00E8292D
,q, xrefs: 00E82A59
\q, xrefs: 00E82A69

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: $o$$r$$s$(p$(t$,q$4s$<$<o$<r$@p$DXGIDebug.dll$Dq$Dt$Ls$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$Xo$Xp$\q$\t$`r$ds$dwmapi.dll$kernel32$po$pp$tq$uxtheme.dll$xr$xs$xt$o$p
API String ID: 270162209-1550233574
Opcode ID: a4d74355ad82f7149f2ee5b553cb2b94648c10118b69e8e6384ac3b93cf8d661
Instruction ID: 3392a225ea1603b858cfdc111fb7fb54950b7022da9e59ae8d475c36a9d555cb
Opcode Fuzzy Hash: a4d74355ad82f7149f2ee5b553cb2b94648c10118b69e8e6384ac3b93cf8d661
Instruction Fuzzy Hash: 91D152B11083849FD731EF509C49B9FBAE8ABCB304F14691DF6DDBA151C7B0A5488B62

Function 00E8DAE0 Relevance: 97.0, APIs: 47, Strings: 8, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71366: GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
Part of subcall function 00E71366: SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8DC24
IsDialogMessageW.USER32(?,?), ref: 00E8DC37
TranslateMessage.USER32(?), ref: 00E8DC45
DispatchMessageW.USER32(?), ref: 00E8DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00E8DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00E8DC95
GetDlgItem.USER32(?,00000068), ref: 00E8DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E8DCD3
SendMessageW.USER32(00000000,000000C2,00000000,00EA65F4), ref: 00E8DCE6

Part of subcall function 00E8F77B: _wcslen.LIBCMT ref: 00E8F7A5

SetFocus.USER32(00000000), ref: 00E8DCED
_swprintf.LIBCMT ref: 00E8DD4C

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00E8DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00E8DDD7
GetTickCount.KERNEL32 ref: 00E8DDF5
_swprintf.LIBCMT ref: 00E8DE0D
GetLastError.KERNEL32(?,00000011), ref: 00E8DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 00E8DE92
_swprintf.LIBCMT ref: 00E8DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00EC3482,00000200), ref: 00E8DF1D
GetCommandLineW.KERNEL32(?,?,?,?,00EC3482,00000200), ref: 00E8DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00EC3482,00000400,00000001,00000001,?,?,?,?,00EC3482,00000200), ref: 00E8DF8A
ShellExecuteExW.SHELL32(?), ref: 00E8DFB2
Sleep.KERNEL32(00000064,?,?,?,?,00EC3482,00000200), ref: 00E8DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00EC3482,00000400,?,?,?,?,00EC3482,00000200), ref: 00E8E023
CloseHandle.KERNEL32(?,?,?,?,?,00EC3482,00000200), ref: 00E8E02C
_swprintf.LIBCMT ref: 00E8E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8E0BE
SetDlgItemTextW.USER32(?,00000065,00EA65F4), ref: 00E8E0D5
GetDlgItem.USER32(?,00000065), ref: 00E8E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 00E8E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E8E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8E1A9
_wcslen.LIBCMT ref: 00E8E1FF
_swprintf.LIBCMT ref: 00E8E229
SendMessageW.USER32(?,00000080,00000001,000303CD), ref: 00E8E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00E8E28D
GetDlgItem.USER32(?,00000068), ref: 00E8E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E8E2AC
GetDlgItem.USER32(?,00000066), ref: 00E8E2C6
SetWindowTextW.USER32(00000000,00EC589A), ref: 00E8E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E8E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 00E8E3FE
EnableWindow.USER32(00000000,00000000), ref: 00E8E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E8E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8E532

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 00E8DDFC
"%s"%s, xrefs: 00E8E04E
LICENSEDLG, xrefs: 00E8E3F3
STARTDLG, xrefs: 00E8DB2D
winrarsfxmappingfile.tmp, xrefs: 00E8DEF3
C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe, xrefs: 00E8E11E, 00E8E2FE
%s, xrefs: 00E8E219
-el -s2 "-d%s" "-sp%s", xrefs: 00E8DEB8

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-3416457080
Opcode ID: ca119e5fbaf29134281013180ec2eafaae967a31790b7d51c13bb5cdb3bf42b7
Instruction ID: 0212800d39c5383c5ac4b10cfe95c7a9d0c1b851fa0f8c3f8e6abae43a9bbfd7
Opcode Fuzzy Hash: ca119e5fbaf29134281013180ec2eafaae967a31790b7d51c13bb5cdb3bf42b7
Instruction Fuzzy Hash: 2A421671905344BEEB21BB71EC4AFBE7BA8EB06B04F046126F64CB61D1D7741A49CB21

Function 00E80244 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_swprintf.LIBCMT ref: 00E80284

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

Part of subcall function 00E83F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00E7F801,00000000,00000000,?,00EB5070,?,00E7F801,?,?,00000050,?), ref: 00E83F64

_strlen.LIBCMT ref: 00E802A5
SetDlgItemTextW.USER32(?,00EB2274,?), ref: 00E802FE
GetWindowRect.USER32(?,?), ref: 00E80334
GetClientRect.USER32(?,?), ref: 00E80340
GetWindowLongW.USER32(?,000000F0), ref: 00E803EB
GetWindowRect.USER32(?,?), ref: 00E8041B
SetWindowTextW.USER32(?,?), ref: 00E8044A
GetSystemMetrics.USER32(00000008), ref: 00E80452
GetWindow.USER32(?,00000005), ref: 00E8045D
GetWindowRect.USER32(00000000,?), ref: 00E8048D
GetWindow.USER32(00000000,00000002), ref: 00E804FF

Strings

d, xrefs: 00E80360
$%s:, xrefs: 00E8026D
t", xrefs: 00E802B9
CAPTION, xrefs: 00E80432

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t"
API String ID: 2407758923-2708843319
Opcode ID: 46ea0988e83e0834c79c09065ad3775be99f8888f386a9bd705db9a7a04ddbc3
Instruction ID: c11ade25f4264f68d678878bf96774df3e151e5c8ebf3712d988453f77e8582f
Opcode Fuzzy Hash: 46ea0988e83e0834c79c09065ad3775be99f8888f386a9bd705db9a7a04ddbc3
Instruction Fuzzy Hash: 99819F72509301AFD754EF68CD89A6FBBF9EB89704F00191DFA89E3251D734E9088B52

Function 00E8F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E8D875
Part of subcall function 00E8D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8D886
Part of subcall function 00E8D864: IsDialogMessageW.USER32(000203DC,?), ref: 00E8D89A
Part of subcall function 00E8D864: TranslateMessage.USER32(?), ref: 00E8D8A8
Part of subcall function 00E8D864: DispatchMessageW.USER32(?), ref: 00E8D8B2

GetDlgItem.USER32(00000068,00ED3CF0), ref: 00E8F81F
ShowWindow.USER32(00000000,00000005,?,?,00E8D099,00000001,?,?,00E8DAB9,00EA82F0,00ED3CF0,00ED3CF0,00001000,00EB50C4,00000000,?), ref: 00E8F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E8F853
SendMessageW.USER32(00000000,000000C2,00000000,00EA65F4), ref: 00E8F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E8F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E8F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E8F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E8F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E8F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E8F91E
SendMessageW.USER32(00000000,000000C2,00000000,00EA769C), ref: 00E8F92D

Strings

\, xrefs: 00E8F885

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 40550d4878ed4cb99b9cc89c296ebec800276cf45882f4a515641491d971d0da
Instruction ID: 09a875aea7c7ff7ec4071cb87c1d4bd954f7bf9a3db553ed78f70b6056a04983
Opcode Fuzzy Hash: 40550d4878ed4cb99b9cc89c296ebec800276cf45882f4a515641491d971d0da
Instruction Fuzzy Hash: 0231E77124A3016FE310EF25EC4AF6B7B9CEF46704F400A1AF6A1BA1D1D7605D088766

Function 00E8C652 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C665
SizeofResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C67C
LoadResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C693
LockResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C6A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00E8DA3D,00000066), ref: 00E8C6BD
GlobalLock.KERNEL32(00000000), ref: 00E8C6CE
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E8C6F2
GlobalUnlock.KERNEL32(00000000), ref: 00E8C756

Part of subcall function 00E8C5B6: GdipAlloc.GDIPLUS(00000010), ref: 00E8C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E8C737
GlobalFree.KERNEL32(00000000), ref: 00E8C75D

Strings

PNG, xrefs: 00E8C656

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: d7b9319646e2f038aa5c9f1531cc2149cc689611200656dbc24140d96d2a5f5e
Instruction ID: 981afae8f4e963c3394679e0771987df2b1893eae3a0ccd96da20d060f9ce3ef
Opcode Fuzzy Hash: d7b9319646e2f038aa5c9f1531cc2149cc689611200656dbc24140d96d2a5f5e
Instruction Fuzzy Hash: 0A315271605702AFD710AF72DC48D1B7FA8EF4B755714152AF90DA2261EB32E809DBA0

Function 00E8FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00E8FB35
ShellExecuteExW.SHELL32(?), ref: 00E8FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E8FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 00E8FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E8FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E8FD78

Strings

.inf, xrefs: 00E8FC34
.exe, xrefs: 00E8FD1C

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 26b91def1fc1553b827410c56a53129f846217c1140987e96ac2aa668364f955
Instruction ID: a2fa61a5f00c4db2522a26361ce7c95278e97e0e3d79174eb7db529a1c716a4a
Opcode Fuzzy Hash: 26b91def1fc1553b827410c56a53129f846217c1140987e96ac2aa668364f955
Instruction Fuzzy Hash: C361C4715083849EDB30AF61E8407ABB7E4EF85708F04682EF9CCB7291E771D9898756

Function 00E9CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E97F99,00E97F99,?,?,?,00E9D1FC,00000001,00000001,?), ref: 00E9D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E9D1FC,00000001,00000001,?,?,?,?), ref: 00E9D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E9D185
__freea.LIBCMT ref: 00E9D192

Part of subcall function 00E9BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E96A24,?,0000015D,?,?,?,?,00E97F00,000000FF,00000000,?,?), ref: 00E9BCC0

__freea.LIBCMT ref: 00E9D19B
__freea.LIBCMT ref: 00E9D1C0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7ddc7bcfd8d18fc4c030f303ee2c61283c4b325adf22d259365d6b1a8927ba23
Instruction ID: 620cd2e91c8c9cb0984346cb8c997fbb37e1704dbae71d507460552fce6a9d47
Opcode Fuzzy Hash: 7ddc7bcfd8d18fc4c030f303ee2c61283c4b325adf22d259365d6b1a8927ba23
Instruction Fuzzy Hash: 5E51EE73605226ABEF258F65DC81EBF77AAEB84714F255629FC04FA140DB34DC80C6A0

Function 00E8FF24 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,00EC589A,?,00000800,?,00000800,?,00E8DD77), ref: 00E8FF8E
_wcslen.LIBCMT ref: 00E8FF99
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,00000000), ref: 00E8FFB2
RegCloseKey.KERNEL32(?), ref: 00E8FFBB

Strings

Software\WinRAR SFX, xrefs: 00E8FF84

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CloseCreateValue_wcslen
String ID: Software\WinRAR SFX
API String ID: 951825311-754673328
Opcode ID: dcc7d947267a3c87567e34e1f99bc4a8d3a93e41db2af90e308970ab18e123ed
Instruction ID: f1fda0b2bf6939c98163af1fea160fb5952b5415ff57907c311fb519ad20fb1f
Opcode Fuzzy Hash: dcc7d947267a3c87567e34e1f99bc4a8d3a93e41db2af90e308970ab18e123ed
Instruction Fuzzy Hash: 91118672600158AEEB30AB61EC49FEF7BBCEB89700F50406BF519B6091DA716548CB60

Function 00E812F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E828AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E828D4
Part of subcall function 00E828AB: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00E81309,Crypt32.dll,00000000,00E81383,00000200,?,00E81366,00000000,00000000,?), ref: 00E828F4

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E81315
GetProcAddress.KERNEL32(00EBC1F0,CryptUnprotectMemory), ref: 00E81325

Strings

Crypt32.dll, xrefs: 00E812FF
CryptProtectMemory, xrefs: 00E8130F
CryptUnprotectMemory, xrefs: 00E8131B

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 413c62fa92d5d7ff0aa67cdb7eb49bab133328ed04c30bd45bee2dd81848b252
Instruction ID: cf96447ee70b7762414ebc243473b0181903c1ac5e5c2f275879fc38dd426be9
Opcode Fuzzy Hash: 413c62fa92d5d7ff0aa67cdb7eb49bab133328ed04c30bd45bee2dd81848b252
Instruction Fuzzy Hash: 8EE02670A407009ED7307F349808B027EE45F2F700F08985CE0CEB7590D6B0F4808B40

Function 00E7B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00E78846,?,00000005), ref: 00E7B342
GetLastError.KERNEL32(?,?,00E78846,?,00000005), ref: 00E7B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00E78846,?,00000005), ref: 00E7B382
GetLastError.KERNEL32(?,?,00E78846,?,00000005), ref: 00E7B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E78846,?,00000005), ref: 00E7B3D9

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: c54c2d33ef3fc20cbf1a2a8938f26bede9c10987ef94dfed5a0716c43d15b131
Instruction ID: e2e500baab98d95d8ed4b8a07df6b61d6f39493ff8cd99155bb8751d3cbb6197
Opcode Fuzzy Hash: c54c2d33ef3fc20cbf1a2a8938f26bede9c10987ef94dfed5a0716c43d15b131
Instruction Fuzzy Hash: 01415730505745BFD730DF24CC45B9AB7E8BB09324F105A19F5A9B62D1D7F0A988CB91

Function 00E8D864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E8D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8D886
IsDialogMessageW.USER32(000203DC,?), ref: 00E8D89A
TranslateMessage.USER32(?), ref: 00E8D8A8
DispatchMessageW.USER32(?), ref: 00E8D8B2

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 6e363dcd7dd4b6645985371230deb8dac2cb5587e5966c3d60b05a395954cf77
Instruction ID: 22c42ebbbe87f03c963e6beb4c0c5bc050c8cf3ae98caa6307f3f2616b1ea6fa
Opcode Fuzzy Hash: 6e363dcd7dd4b6645985371230deb8dac2cb5587e5966c3d60b05a395954cf77
Instruction Fuzzy Hash: B4F0D071906229AFDB20ABE6EC4CDDF7F7CEF052957408416B55AE2090F724D509C7B0

Function 00E8CB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00E8CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 00E8CBA1

Part of subcall function 00E84168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E7E084,00000000,.exe,?,?,00000800,?,?,?,00E8AD5D), ref: 00E8417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E8CB91

Strings

EDIT, xrefs: 00E8CB75, 00E8CB80, 00E8CB8D

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 2fbea96078d3d8d21338a8114efd4e64ef4fdff73ef3488869ed037557612581
Instruction ID: f69aa3219850e1683a5ffee39244815b0bb4a5025bbd1d4f20b93b4bd0fea10b
Opcode Fuzzy Hash: 2fbea96078d3d8d21338a8114efd4e64ef4fdff73ef3488869ed037557612581
Instruction Fuzzy Hash: E8F0C831602715AFDB20AB259C06F9FB7ACDF8A700F110056BA49B71C0E670ED0987B5

Function 00E8FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E8FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E90038

Strings

sfxcmd, xrefs: 00E8FFF9
sfxpar, xrefs: 00E90033

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 25f8a4b82ad77f7ceffb8c63de4a4df510f2067b3c16f27d1280111c066e72a0
Instruction ID: bb7a2285eb8e6906985c355a91b804f61afe53eec23652f6d4cfcecfa164e49b
Opcode Fuzzy Hash: 25f8a4b82ad77f7ceffb8c63de4a4df510f2067b3c16f27d1280111c066e72a0
Instruction Fuzzy Hash: D5F04671901234AFCF20AB948C059AF77DCEF1EB40740145ABE09BB142DAB0AD44C7A0

Function 00E8CCD9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E828AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E828D4
Part of subcall function 00E828AB: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00E81309,Crypt32.dll,00000000,00E81383,00000200,?,00E81366,00000000,00000000,?), ref: 00E828F4

OleInitialize.OLE32(00000000), ref: 00E8CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E8CD29
SHGetMalloc.SHELL32(00EBC460), ref: 00E8CD33

Strings

riched20.dll, xrefs: 00E8CCE1

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 9d14f6c79f42d53cffe0f7ed689838822cdc080f6685f80d4f28f20a1c8e998c
Instruction ID: 3e5e8976f8b0bea040925e00857b0faa53457e3815f39969dd6c09c4259f87e5
Opcode Fuzzy Hash: 9d14f6c79f42d53cffe0f7ed689838822cdc080f6685f80d4f28f20a1c8e998c
Instruction Fuzzy Hash: 7BF06DB1D04209AFCB10AF9AD8499EFFFFCEF84704F00405AE455F2240DBB456498BA1

Function 00E96232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00E961E3,00000000,00000001,00ED60C8,?,?,?,00E96386,00000004,InitializeCriticalSectionEx,00EA9624,InitializeCriticalSectionEx), ref: 00E9623F
GetLastError.KERNEL32(?,00E961E3,00000000,00000001,00ED60C8,?,?,?,00E96386,00000004,InitializeCriticalSectionEx,00EA9624,InitializeCriticalSectionEx,00000000,?,00E9613D), ref: 00E96249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00E95083), ref: 00E96271

Strings

api-ms-, xrefs: 00E96256

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a2b958ec07a52febd6b017d7451a5b6a2cbb35ba94d1184cf3fb4d97c93d4c04
Instruction ID: a68fd0bc91f09933f33d4dd5b4cfc939d8f1a8d30967073cb54ac127900ee204
Opcode Fuzzy Hash: a2b958ec07a52febd6b017d7451a5b6a2cbb35ba94d1184cf3fb4d97c93d4c04
Instruction Fuzzy Hash: 08E04F30684304BBEF201F61EC06F593F65AB06B55F151021F90DBC4F1DBA1BD949594

Function 00E7C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00E79343,?,?,?), ref: 00E7C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00E79343,?,?), ref: 00E7C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00E79343,?,?,?,?,?,?,?,?), ref: 00E7C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00E79343,?,?,?,?,?,?,?,?,?,?), ref: 00E7C2B6

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 21bbb1deafd9024217c93b3a9523af2c84c0d33244418bd379ccb36774eecc32
Instruction ID: d4c4fed2f549770069ec563c7c370f6f365477cc9d0f5ccaffa289a7ca201e13
Opcode Fuzzy Hash: 21bbb1deafd9024217c93b3a9523af2c84c0d33244418bd379ccb36774eecc32
Instruction Fuzzy Hash: 5241F0302483819EE320DF74DC45BABB7ECAF89704F18491DB5DAF71D2DA64EA488752

Function 00E7B151 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00E7B662,?,?,00000000,?,?), ref: 00E7B161
ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,00E7B662,?,?,00000000,?,?), ref: 00E7B179
GetLastError.KERNEL32(?,?,?,00000000,00E7B662,?,?,00000000,?,?), ref: 00E7B1AB
GetLastError.KERNEL32(?,?,?,00000000,00E7B662,?,?,00000000,?,?), ref: 00E7B1CA

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: a7374516bcce50d4a4fafa519f7b91375fa932382a9da3ce94d8fa1a41686ef6
Instruction ID: 015ceebc335eba21fed6d55308927f559d088221f29ce23d821b9ab589b13cf6
Opcode Fuzzy Hash: a7374516bcce50d4a4fafa519f7b91375fa932382a9da3ce94d8fa1a41686ef6
Instruction Fuzzy Hash: 5F11A030511204ABDF319B21C8287AA37A9BB06369F90D529E86AB5290DB70DE849B51

Function 00E9D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E9688D,00000000,00000000,?,00E9D32B,00E9688D,00000000,00000000,00000000,?,00E9D528,00000006,FlsSetValue), ref: 00E9D3B6
GetLastError.KERNEL32(?,00E9D32B,00E9688D,00000000,00000000,00000000,?,00E9D528,00000006,FlsSetValue,00EAAC00,FlsSetValue,00000000,00000364,?,00E9BA77), ref: 00E9D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E9D32B,00E9688D,00000000,00000000,00000000,?,00E9D528,00000006,FlsSetValue,00EAAC00,FlsSetValue,00000000), ref: 00E9D3D0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3e09f5e477dc34fe21758ec0f20ec53a8fe133b9860df629b37da6727e2ef68b
Instruction ID: 8a4781b1828e7ac98b0fce92b7f32d8da63f74bbaa57f1688dcd62ee522c218a
Opcode Fuzzy Hash: 3e09f5e477dc34fe21758ec0f20ec53a8fe133b9860df629b37da6727e2ef68b
Instruction Fuzzy Hash: D201D832215336AFCF219B799C44A57375CEB1A7667161620F916F7190C720E84486E1

Function 00E9E077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00E9B9A5: GetLastError.KERNEL32(?,00EB50C4,00E96E12,00EB50C4,?,?,00E9688D,?,?,00EB50C4), ref: 00E9B9A9
Part of subcall function 00E9B9A5: _free.LIBCMT ref: 00E9B9DC
Part of subcall function 00E9B9A5: SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BA1D
Part of subcall function 00E9B9A5: _abort.LIBCMT ref: 00E9BA23

Part of subcall function 00E9E19E: _abort.LIBCMT ref: 00E9E1D0
Part of subcall function 00E9E19E: _free.LIBCMT ref: 00E9E204

Part of subcall function 00E9DE0B: GetOEMCP.KERNEL32(00000000,?,?,00E9E094,?), ref: 00E9DE36

_free.LIBCMT ref: 00E9E0EF
_free.LIBCMT ref: 00E9E125

Strings

p,, xrefs: 00E9E119

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p,
API String ID: 2991157371-2703748495
Opcode ID: d3e0a6264026d38c785ef8e41b297d319497305efd3938d967d56db86c6abcff
Instruction ID: debe9915d3cc948b1836e9a64c322d656dc616841b7386e96fb0bd70d8dba7f1
Opcode Fuzzy Hash: d3e0a6264026d38c785ef8e41b297d319497305efd3938d967d56db86c6abcff
Instruction Fuzzy Hash: 3C31C431904208AFDF10EFA9D941AADBBF5EF40324F25519DE604BB3A1EBB29D41CB50

Function 00E8136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E812F6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E81315
Part of subcall function 00E812F6: GetProcAddress.KERNEL32(00EBC1F0,CryptUnprotectMemory), ref: 00E81325

GetCurrentProcessId.KERNEL32(?,00000200,?,00E81366), ref: 00E813F9

Strings

CryptProtectMemory failed, xrefs: 00E813B0
CryptUnprotectMemory failed, xrefs: 00E813F1

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 0595b68ed41eb6b126bad849f0df161cb76d0df3f5d0b46382bc9997cf7f71cc
Instruction ID: 86fc69730c4f2b89d152a7fb0580c162b7d949a9751557ce300398cb043f41b3
Opcode Fuzzy Hash: 0595b68ed41eb6b126bad849f0df161cb76d0df3f5d0b46382bc9997cf7f71cc
Instruction Fuzzy Hash: 2B115631605324ABDB15BB21DC0196E3B6CEF0AB28B0592A5FC5D7F292D630AC438BD4

Function 00E83105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,Function_00013240,?,00000000,?), ref: 00E83129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00E83170

Part of subcall function 00E77BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E77BD5

Strings

CreateThread failed, xrefs: 00E83135

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: e87fb20f8ce31824c9b480e24ef18a21cd4dc4bc423ef510a21f3301e5b9c017
Instruction ID: c1bb412bf2addcef37713f43e047edfe6c3c7f24f49c52e3b24f7a04af9a8efd
Opcode Fuzzy Hash: e87fb20f8ce31824c9b480e24ef18a21cd4dc4bc423ef510a21f3301e5b9c017
Instruction Fuzzy Hash: 4301D6723497066FD324BF609C86FA777A9EB46F11F20212DF6CD761C0CAA0B8858764

Function 00E7B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00E7F306,00000001,?,?,?,00000000,00E87564,?,?,?,?), ref: 00E7B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00E7BA25
WriteFile.KERNEL32(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00E7F306,00000001,?,?,?), ref: 00E7BA51

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: d9dccd1165358d533cffca4a1880e5988df13fea42503809fb16ea77081a3264
Instruction ID: 633c2fbc9fd17def61defd815a33bc4b9878c469cbd7f3fe6e040fc0cda189a1
Opcode Fuzzy Hash: d9dccd1165358d533cffca4a1880e5988df13fea42503809fb16ea77081a3264
Instruction Fuzzy Hash: 6131E6312083069FDB14DF10D848BAB77A5FBC5719F04951DF599BB290C774AD48CBA2

Function 00E7BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00E7E1EC: _wcslen.LIBCMT ref: 00E7E1F2

CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000,00E7BBD0,?,00000001,00000000,?,?), ref: 00E7BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,00E7BBD0,?,00000001,00000000,?,?), ref: 00E7BF45
GetLastError.KERNEL32(?,?,?,00000000,00E7BBD0,?,00000001,00000000,?,?), ref: 00E7BF62

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 9c13c95712a523f5c2242a1c02b7fa47f2bc51d89ec06f1818c38917213d8043
Instruction ID: 271cfdf2b33a24edb17d1b6e8f5e94c37bee2249946a8fb7c2d45d265b44e6d8
Opcode Fuzzy Hash: 9c13c95712a523f5c2242a1c02b7fa47f2bc51d89ec06f1818c38917213d8043
Instruction Fuzzy Hash: 4811E531300218AADF29AF718C45BEE73EC9F0EB04F44D454FA09F6191DB24DE85CA65

Function 00E9DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E9DF08

Strings

, xrefs: 00E9DF4D

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: d13c7e97b67886dd8a14ff47cc08efb3c428c8ea2bf14ff4839d6aae2472bc85
Instruction ID: e8b92bfeb16f5b5d7917010c105291230e9dc7b5878468ef50d89e39a3d24ba0
Opcode Fuzzy Hash: d13c7e97b67886dd8a14ff47cc08efb3c428c8ea2bf14ff4839d6aae2472bc85
Instruction Fuzzy Hash: DE412E706083589EDF21CE258C85BFABBF9EF45304F1414EDE59AA7242D275AE45CF20

Function 00E9D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,000000FF), ref: 00E9D62D

Strings

LCMapStringEx, xrefs: 00E9D5CD, 00E9D5D7

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 663b653582529714e1555b72090a62c3c6d76d152bbb4c89b145398321a030c8
Instruction ID: 1a7fdee18debe125328ad71d59541be52e6ffb651f0fe0a22f0a701106a6b145
Opcode Fuzzy Hash: 663b653582529714e1555b72090a62c3c6d76d152bbb4c89b145398321a030c8
Instruction Fuzzy Hash: EF011732544219BBCF026F91DD02DEE7FA6EF4D720F044115FE0835161C6329931EB95

Function 00E9D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E9CBBF), ref: 00E9D5A5

Strings

InitializeCriticalSectionEx, xrefs: 00E9D56B, 00E9D575

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 70ae58c3805e40a4bb47220a814d88c490ef1d77c2a9effafd7dcb2f1e1bd063
Instruction ID: a5537b45f5636a076c684c549ad8e4b7cd09cf63c03ec4d09027226a275e2803
Opcode Fuzzy Hash: 70ae58c3805e40a4bb47220a814d88c490ef1d77c2a9effafd7dcb2f1e1bd063
Instruction Fuzzy Hash: 7BF0903164532CBBCF019F61DD05DAEBFA5DB1E720B044165F9083A260CA325A10D7A1

Function 00E9D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00E9D43E

Strings

FlsAlloc, xrefs: 00E9D410, 00E9D41A

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 30822fcfd5fa13e73c45ae3830158fae432b7259509e40cba1fdacd955e7968b
Instruction ID: 139f31d565066824573c98bee3af8c40f3e88e76af7cb66360f859763c6b164f
Opcode Fuzzy Hash: 30822fcfd5fa13e73c45ae3830158fae432b7259509e40cba1fdacd955e7968b
Instruction Fuzzy Hash: 94E05530645328AB8A006BA59C02DAEBBA5CF4E710B04027AFC053B250CE717D00D2EA

Function 00E9E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00E9DE0B: GetOEMCP.KERNEL32(00000000,?,?,00E9E094,?), ref: 00E9DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E9E0D9,?,00000000), ref: 00E9E2B4
GetCPInfo.KERNEL32(00000000,00E9E0D9,?,?,?,00E9E0D9,?,00000000), ref: 00E9E2C7

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 416dc47002b26188aa691987dd6e92bc386eb2e9aab12389583799b70be0c77b
Instruction ID: ed0320e0e80824d304b968043880f39778f972dd587b3abef3bfdff02933c813
Opcode Fuzzy Hash: 416dc47002b26188aa691987dd6e92bc386eb2e9aab12389583799b70be0c77b
Instruction Fuzzy Hash: 965132709042159EDF20CF72C8816BFBBE5EF41304F18A56ED2A6AB362D735A945CB90

Function 00E7B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,?,00000800,?,?,00000000,?,?,00E7B43B,00000800,00000800,00000000,?,?,00E7A31D,?), ref: 00E7B5EB
GetLastError.KERNEL32(?,?,00E7A31D,?,?,?,?,?,?,?,?), ref: 00E7B5FA

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: da59f41f3146b1276a77ec2e6f76f0ea0402eb20ff235c8497a1c87ab0b62163
Instruction ID: 207e68fe1c0af7b4660e5059abda2a50709a11edf66e6e88f7a05f34139d8d57
Opcode Fuzzy Hash: da59f41f3146b1276a77ec2e6f76f0ea0402eb20ff235c8497a1c87ab0b62163
Instruction Fuzzy Hash: 434103712043458BDB209F65D884BBA73E6FF58324F14962DE85EE7242F7B4DC848BA1

Function 00E7B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E7B967,?,?,00E787FD), ref: 00E7B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E7B967,?,?,00E787FD), ref: 00E7B0D4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c07697b85858b3b287e1a1815f787054cc6700cc33591a9435110e9f9966694
Instruction ID: a5dd4c30b6ba94abb702459213a5083e114c3ba01517414bf9e085041812e413
Opcode Fuzzy Hash: 3c07697b85858b3b287e1a1815f787054cc6700cc33591a9435110e9f9966694
Instruction Fuzzy Hash: 50219171504344AFE3309B25CC89BB7B7DCEB49324F409A19F9A9E21D1D774A8888661

Function 00E7B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00E7B7FC
SetFileTime.KERNEL32(?,?,?,?), ref: 00E7B8B0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 3fcdf45c42686507ff731b7bbccbc1280e2926dcce6c500560a027fc65b97748
Instruction ID: a995621e4f85cd394ce5df82234b240f97f4f291163412f01819fe7fee6fbe73
Opcode Fuzzy Hash: 3fcdf45c42686507ff731b7bbccbc1280e2926dcce6c500560a027fc65b97748
Instruction Fuzzy Hash: 002101312482819FE718DF75C891BBBBBE8AF56308F08981CF4C9A7141D329E90CD762

Function 00E71FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E71FB7
_wcslen.LIBCMT ref: 00E72052

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: e93307258cc1d5307d2e32996a3fe928bfaf89aa46112e3a36513a0b0b31ec40
Instruction ID: a334e26918437e14b2983a1da190f7294c7ddb6ec9bb5d21f4a5379ba9734ab5
Opcode Fuzzy Hash: e93307258cc1d5307d2e32996a3fe928bfaf89aa46112e3a36513a0b0b31ec40
Instruction Fuzzy Hash: 98215931900219AFCF15AFA4C845AEDB7F2BF48300F10A46DF549B72A1C7755A51DB60

Function 00E96192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,00ED60C8,?,?,?,00E96386,00000004,InitializeCriticalSectionEx,00EA9624,InitializeCriticalSectionEx,00000000,?,00E9613D,00ED60C8,00000FA0), ref: 00E96215
GetProcAddress.KERNEL32(00000000,?), ref: 00E9621F

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 8079c088e5b7ec16fb96bbd0b687834e15ad987a1e983f031bc238f7dcb9d22f
Instruction ID: c1a635a615ecad0c688ff6f429ade6db627369313d220a7038ba1700e8523fa0
Opcode Fuzzy Hash: 8079c088e5b7ec16fb96bbd0b687834e15ad987a1e983f031bc238f7dcb9d22f
Instruction Fuzzy Hash: 901190726021159F8F22CFA5EC8099A77B5FB4A364724116BE91AF7261E730ED41CBD0

Function 00E7B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 00E7B907
GetLastError.KERNEL32 ref: 00E7B914

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a943577b8c507cd537f494e9d776d34cb4461163192a341606d4cfeaa1518209
Instruction ID: b3ade9868c08b3e22ff1da9cf0105dd00e0cdbad88a5f9af629321afc83aa412
Opcode Fuzzy Hash: a943577b8c507cd537f494e9d776d34cb4461163192a341606d4cfeaa1518209
Instruction Fuzzy Hash: 4211E131A00701AFE7349629C885BE7B3E8AB8A374F609628E266F71D0D770ED45C750

Function 00E9BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9BB55

Part of subcall function 00E9BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E96A24,?,0000015D,?,?,?,?,00E97F00,000000FF,00000000,?,?), ref: 00E9BCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00EB50C4,00E7190A,?,?,00000007,?,?,?,00E71476,?,00000000), ref: 00E9BB91

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: aec7b8262ed14ef6ced082727f43f7ae9c06b7194744e591aac4d46dd629a229
Instruction ID: e9855709e5a8ed56abddb958b845dee03bc712f2794576870c32381c6d3223f1
Opcode Fuzzy Hash: aec7b8262ed14ef6ced082727f43f7ae9c06b7194744e591aac4d46dd629a229
Instruction Fuzzy Hash: 02F0F632500605EADF212A66FE01FAF379C9F82B74F246126F814BA1E5FF20DC0081A5

Function 00E7C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000001,?,00E7BF5E,?,?), ref: 00E7C305

Part of subcall function 00E7DA1E: _wcslen.LIBCMT ref: 00E7DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E7BF5E,?,?), ref: 00E7C334

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: ce56e078c1ddab7c9de965f6cc5933682f2f6af39fb7756ca6548d0096a995b7
Instruction ID: 5d2d736ffe82410f46b3b893ecd0aab8fb02ddb362c5e9f2b9c57f54c01c07a3
Opcode Fuzzy Hash: ce56e078c1ddab7c9de965f6cc5933682f2f6af39fb7756ca6548d0096a995b7
Instruction Fuzzy Hash: 38F06D31201219ABDF009F618C41AEF77ACAF09708F40C099BA05F7250DA31EE898A64

Function 00E7BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?,00E7B14B,?,00000000,00E7AF6E,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?,?), ref: 00E7BC82

Part of subcall function 00E7DA1E: _wcslen.LIBCMT ref: 00E7DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,00E7B14B,?,00000000,00E7AF6E,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?), ref: 00E7BCAE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 5c13948ae68e6d83c34ee9c7776713e1c9b2f003ab92209938b8d2434b33a88c
Instruction ID: 36bad31fef48f974261bcfde4b7507a0219659aac7a3f6c53e59df65a4f23298
Opcode Fuzzy Hash: 5c13948ae68e6d83c34ee9c7776713e1c9b2f003ab92209938b8d2434b33a88c
Instruction Fuzzy Hash: AAF030356012299BDB019F759D41ADF73ECAF0D705B449095BA05F3140DF71EE889A94

Function 00E9030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E90341

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

SetDlgItemTextW.USER32(00000065,?), ref: 00E90358

Part of subcall function 00E8D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E8D875
Part of subcall function 00E8D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8D886
Part of subcall function 00E8D864: IsDialogMessageW.USER32(000203DC,?), ref: 00E8D89A
Part of subcall function 00E8D864: TranslateMessage.USER32(?), ref: 00E8D8A8
Part of subcall function 00E8D864: DispatchMessageW.USER32(?), ref: 00E8D8B2

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 9076fa5ca3af7412e08a054737247fcd76d40d8f145ccf7a2fb3afa7abd67f0f
Instruction ID: 96095a10834fa800b4be3d7225609cdb949b8d3d2963259c1df9a707c8c6bdcb
Opcode Fuzzy Hash: 9076fa5ca3af7412e08a054737247fcd76d40d8f145ccf7a2fb3afa7abd67f0f
Instruction Fuzzy Hash: 40F0BB715052186FDB01FB6AEC06EDF77EC9F09304F450096B245F3192DA349A458B61

Function 00E7BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00E7BCD4,?,00E78607,?), ref: 00E7BCFA

Part of subcall function 00E7DA1E: _wcslen.LIBCMT ref: 00E7DA59

GetFileAttributesW.KERNEL32(?,?,?,00000800,?,?,?,00E7BCD4,?,00E78607,?), ref: 00E7BD24

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 486bb3d5cbac550dd2ca39f9f4c5d0cd489faed9b74c24f587888957e2d6aab1
Instruction ID: e1d83181894e06f8b27581949c8179b69408bded2cb4135e030e1f09d54796c1
Opcode Fuzzy Hash: 486bb3d5cbac550dd2ca39f9f4c5d0cd489faed9b74c24f587888957e2d6aab1
Instruction Fuzzy Hash: 11F0B4356002185FCB10EB799D45AEEB3FCAF4E760F0541A5FB15F3280DB70AD858694

Function 00E83184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,00E831C7,00E7D526), ref: 00E83191
GetProcessAffinityMask.KERNEL32(00000000,?,00E831C7), ref: 00E83198

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5d903ea1552a881fbc842cd3c4150a070fc449aca1e49fbd2feef80718ae5dcd
Instruction ID: b101d40a0e1851e059ea25c7f7ac8c0edd2151a8f663b0f20ed3d7acf218abad
Opcode Fuzzy Hash: 5d903ea1552a881fbc842cd3c4150a070fc449aca1e49fbd2feef80718ae5dcd
Instruction Fuzzy Hash: F3E0D832B011056BDF1997B49C098EB73DDDB49F083155079A51BF3200F934EE0947A0

Function 00E828AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E828D4
LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00E81309,Crypt32.dll,00000000,00E81383,00000200,?,00E81366,00000000,00000000,?), ref: 00E828F4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b36493a600e0fa86697e7536a98d514ef6d42a8b558aff0358cd852daddbb6d7
Instruction ID: b4afc0511ca3c0e1a305f839b8b2907cd4dbc1582b2befd00626287e89362878
Opcode Fuzzy Hash: b36493a600e0fa86697e7536a98d514ef6d42a8b558aff0358cd852daddbb6d7
Instruction Fuzzy Hash: 1DF06731A00218AACF10EB65CC44DDBB3ECAF4A701F0000AAA609E3140CA74AA888A68

Function 00E8CD3F Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00EA505D,000000FF), ref: 00E8CD7D
CoUninitialize.COMBASE(?,?,?,?,00EA505D,000000FF), ref: 00E8CD82

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 94cf449aef6aacd37993d24b132e87b354b2161b2db5f580ec6d34190bbb69d6
Instruction ID: 1d7bc9beaf841775bf1c53f6145989556893b16cb9ae59be68577c5ab1b91617
Opcode Fuzzy Hash: 94cf449aef6aacd37993d24b132e87b354b2161b2db5f580ec6d34190bbb69d6
Instruction Fuzzy Hash: 5AF0B432604644AFC700CF15DC01B0AFBB8FB4D720F00436BE415E7360DB34A804CA90

Function 00E8C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E8C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E8C375

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 653480a739f81b3f00f2212038233bc4d2574ffd921b352526094a45b768b975
Instruction ID: 5c8eb58c586d3fcd90107d0704e170da456559446ccf13f880aec8512930de84
Opcode Fuzzy Hash: 653480a739f81b3f00f2212038233bc4d2574ffd921b352526094a45b768b975
Instruction Fuzzy Hash: CEE0ED71504258EBCB10EF95C941B9AB7F8EB06354F20D0ABE89AA7201D271AE849B61

Function 00E951AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E951CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E951D5

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 2fb60a68c94e1f2a96195dc259a598bb6cb46d5882544e307ba458381cd7ee6e
Instruction ID: d10d6f0bb6776ccc1b0449b1342c41c339ddff3c719530506b1e766f0c6c2fc2
Opcode Fuzzy Hash: 2fb60a68c94e1f2a96195dc259a598bb6cb46d5882544e307ba458381cd7ee6e
Instruction Fuzzy Hash: B3D02227949F10488D2677B26C0379B27C09E037B8BF03B4BE820BA1D2EF1294806B11

Function 00E71341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E71356
ShowWindow.USER32(00000000), ref: 00E7135D

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 7b96f17f27b19f88003b80cd00d95d2ae69f1654db9b32c46e40e7037bb8ce7d
Instruction ID: db0d96a17c6d2168fac70674e2e83184bc90bf43941236132f1338555e3ef771
Opcode Fuzzy Hash: 7b96f17f27b19f88003b80cd00d95d2ae69f1654db9b32c46e40e7037bb8ce7d
Instruction Fuzzy Hash: 4BC0123205E211BECB010BB1EC09C2ABBA8EBA4212F10CA4AF0E6D1060E239C014DB11

Function 00E71B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E71B6A

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c153eb6f597ef1b45bccc85eb228d59e34b4502f9b6b50e67a455ffcd01b0482
Instruction ID: 8961fdbba63246b977356cb495b1ed324811e15ab713683c56059b72b96da293
Opcode Fuzzy Hash: c153eb6f597ef1b45bccc85eb228d59e34b4502f9b6b50e67a455ffcd01b0482
Instruction Fuzzy Hash: 82C18470A043519FDF29CF6CC4847A97BA5AF0A714F18A0F9EC09BF296C7349A44CB61

Function 00E770DA Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E77244

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a2f21d90d9bcd017dc6517da57f4a957c9a7b12b3966358a1a283ef1c21f04a9
Instruction ID: 19c4f368dbba73a73c3e1925adf5a6fd9f15daa830324fecd39008b25741e235
Opcode Fuzzy Hash: a2f21d90d9bcd017dc6517da57f4a957c9a7b12b3966358a1a283ef1c21f04a9
Instruction Fuzzy Hash: A17142B2508304ABD714EB64DC41E9BB3ECBF85304F04992DF6DDE7142EA75E9058BA2

Function 00E7147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E71483

Part of subcall function 00E76AE8: __EH_prolog3.LIBCMT ref: 00E76AEF

Part of subcall function 00E7EE0F: __EH_prolog3.LIBCMT ref: 00E7EE16

Part of subcall function 00E7668F: __EH_prolog3.LIBCMT ref: 00E76696

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: df2bc9a825e6f5afd8681288de2491f177fa2ce4bad68fa33961d1f630285e04
Instruction ID: b917e45a144f0406744f4c77155cf56f2d9ecfefb6878ee0239778d459010847
Opcode Fuzzy Hash: df2bc9a825e6f5afd8681288de2491f177fa2ce4bad68fa33961d1f630285e04
Instruction Fuzzy Hash: 034134B0A0A3808ECB18DF6994802D97BE2AF59300F0851FEEC5DDF29BD7715214CB62

Function 00E85617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E8561E

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 5fab4762d514677442472a01e5cea94e8867188fc2e1d109aaed746b3cd3ada1
Instruction ID: 426fdf8cccc4f03c921a70f1022520eda23916649caab7442bf97f9187ad66be
Opcode Fuzzy Hash: 5fab4762d514677442472a01e5cea94e8867188fc2e1d109aaed746b3cd3ada1
Instruction Fuzzy Hash: 9C21C7B2E41712ABDF14FFB48C4265A76E8AB05314F44613AE90DFB682EB7099008799

Function 00E9D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E9D348

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 26548fcd2809f012a00b2fcdc24866dc170c70b7349be0dbe05b5639083c62f1
Instruction ID: 8ca4be1c9b67c32d5bc3e0a3fd38d541fce54f018b325c37950e675a0bebbfcb
Opcode Fuzzy Hash: 26548fcd2809f012a00b2fcdc24866dc170c70b7349be0dbe05b5639083c62f1
Instruction Fuzzy Hash: A2110633A046359F9F21DE29EC409AF7395EF8932571A5325FE25FB254DA30EC0186D2

Function 00E9EAC9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00E9D786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E9B9D3,00000001,00000364,?,00E9688D,?,?,00EB50C4), ref: 00E9D7C7

_free.LIBCMT ref: 00E9EB35

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: 209f5f43b1e191a6494acd4f03dea53254cfd6cc85b2e2be04ca85bab4178393
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: 32014972204345ABEB31CF69DC8199AFBECFB85370F25061DE685A3280EA70A805C774

Function 00E7AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E7AB88

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 898cc6d4454e13562fe767dd3720abc00c9316d934815f82bd7eb7ddb44d2c16
Instruction ID: 3b1cccd2c4a65013905beddc56c582d50d5c3cda350a2612b32ef522191ea13a
Opcode Fuzzy Hash: 898cc6d4454e13562fe767dd3720abc00c9316d934815f82bd7eb7ddb44d2c16
Instruction Fuzzy Hash: 3D018836D0062A57CF15EF64C892AAEB3B1AF84740B05D529FD197B241D7349C009791

Function 00E9D786 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E9B9D3,00000001,00000364,?,00E9688D,?,?,00EB50C4), ref: 00E9D7C7

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a85b4c5b319dca7c28f0a28175e894a8360d2e2032054033b87ca5d1e058ad31
Instruction ID: 8118f9a6b83ea8078eb597099f3afd8b486c4c52a0a6669eeb241fed7d5cbb44
Opcode Fuzzy Hash: a85b4c5b319dca7c28f0a28175e894a8360d2e2032054033b87ca5d1e058ad31
Instruction Fuzzy Hash: B8F0BE32208734ABDF216BF2EC41B9B7788DF417A0F186023E808B65A5CB24D80082F1

Function 00E9BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E96A24,?,0000015D,?,?,?,?,00E97F00,000000FF,00000000,?,?), ref: 00E9BCC0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4c64ee9cbf1dee7c82d0ffb1c0f25b74e898ea239112415bf48cf5688c747c4c
Instruction ID: d6063d5d27d44c4776668137ffab5849e4285dacc55fe30d4ed906cc76a0b57f
Opcode Fuzzy Hash: 4c64ee9cbf1dee7c82d0ffb1c0f25b74e898ea239112415bf48cf5688c747c4c
Instruction Fuzzy Hash: CEE0E53110022257DF302761FF00B5BBA88CF513A4F292122AC05B61E2CF14CC0182E0

Function 00E7C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00E7C4A8: FindFirstFileW.KERNEL32(?,?,00000000,?,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000), ref: 00E7C4E6
Part of subcall function 00E7C4A8: FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?), ref: 00E7C516
Part of subcall function 00E7C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,00E7C39F,000000FF,?,?,?,?,00E787BC,?,?,00000000,0000003A), ref: 00E7C522

FindClose.KERNEL32(00000000,000000FF,?,?,?,?,00E787BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E7C3A5

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 7d92ddb8955e05c64992b546b14a56163ab10f3bc869668ce79baadffd150844
Instruction ID: 8ff1cc4d5f0507db9a160c43ffca0b1d633d430e639dadae926c04d9ff49f65a
Opcode Fuzzy Hash: 7d92ddb8955e05c64992b546b14a56163ab10f3bc869668ce79baadffd150844
Instruction Fuzzy Hash: 1BF08235008790AACA325BB49C057CBBBD45F2A336F14DA8DF1FD32192C6B560989B32

Function 00E81421 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E81445

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cfe729c344212e501acd3ff8d41938066f3c2ab156a66e833d3dd8b53c6096b8
Instruction ID: cecab28b98f72fb020335d84567b12f278f04af251096d63f80cc5176e9544a2
Opcode Fuzzy Hash: cfe729c344212e501acd3ff8d41938066f3c2ab156a66e833d3dd8b53c6096b8
Instruction Fuzzy Hash: 3CE0DF321001406AC321AB58D800EBBABEC9F81720F14840EF4AC96191CBB4A882CB60

Function 00E82EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00E82F19

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 882feb60ef9167bb2dde72ed24fc5c6f0183120b978982f2f847990c1212c8d6
Instruction ID: 7dac4c91657a32f3b2b3ac34a05dfa69535feec2ea9752530a23e1332aa40674
Opcode Fuzzy Hash: 882feb60ef9167bb2dde72ed24fc5c6f0183120b978982f2f847990c1212c8d6
Instruction Fuzzy Hash: C6D02B1270811019D6237335A80A7FE25871FC3311F092037B28C771C38B4A0C46D3F2

Function 00E8C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00E8C5BC

Part of subcall function 00E8C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E8C36E

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: d21e8af539cdaefacf23c223a29c024ebd790602c36267f0cecd69fd88eaedea
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: B6D0A730200209B6DF023B20CC0297E75D4DB01344F109071790DE6140EEB1DA106B71

Function 00E9017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00E901A4

Part of subcall function 00E8D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E8D875
Part of subcall function 00E8D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8D886
Part of subcall function 00E8D864: IsDialogMessageW.USER32(000203DC,?), ref: 00E8D89A
Part of subcall function 00E8D864: TranslateMessage.USER32(?), ref: 00E8D8A8
Part of subcall function 00E8D864: DispatchMessageW.USER32(?), ref: 00E8D8B2

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: c64711f58cbcf48f048d1b6ac6e40aff26176ed87f3a32f313cca85755ab3f1a
Instruction ID: 28b4e4cfbffc24de7e03717d649d755d4218fc1c8d53a8e5572699a9552e2c47
Opcode Fuzzy Hash: c64711f58cbcf48f048d1b6ac6e40aff26176ed87f3a32f313cca85755ab3f1a
Instruction Fuzzy Hash: 7BD09E35148300AED6012B52DD06F1A7AE2BB98B05F005555B38C740F186629E25AB16

Function 00E90A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00E90AC0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: c7ef6eaca2f3e3e74446cb3f381115bcb5180078049dc96a62315c0605ca0613
Instruction ID: ffbc45d52d771026b96d38ec7167df2bf8e2f82436eadaa78759383864a4fff7
Opcode Fuzzy Hash: c7ef6eaca2f3e3e74446cb3f381115bcb5180078049dc96a62315c0605ca0613
Instruction Fuzzy Hash: CCD022301027148ECE00EB20EE8E32233E0F30C30CFC22C02F008F5190C7F054848626

Function 00E811EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00E811F5

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 96015e73c42e39bcd00dc99eafdfa01e55220ef7e3fb5f230c8f2a01902a2b74
Instruction ID: 56f074a76be7645df7ff034e4345d7062c113caea0c4157c8a8c67d062c3bb08
Opcode Fuzzy Hash: 96015e73c42e39bcd00dc99eafdfa01e55220ef7e3fb5f230c8f2a01902a2b74
Instruction Fuzzy Hash: A2D0CA71414222CFD3B09F39E808782BBE4AF0D310B25886E90DEE2220E670A880CF40

Function 00E7B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(000000FF,00E7B18A,?,?,?,00000000,00E7B662,?,?,00000000,?,?), ref: 00E7B294

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9533425f1720178fa2afb2a1686430ea7abc4569b0d70bbc52e38bbeaac7f2fc
Instruction ID: 60af5e396ff76d43e6f01209b881fbaeb50ba60c54dea332168341db7af6af5c
Opcode Fuzzy Hash: 9533425f1720178fa2afb2a1686430ea7abc4569b0d70bbc52e38bbeaac7f2fc
Instruction Fuzzy Hash: 0DC01234001144AA8E308A28988929C7322AE533AA7B8E694C02CA90B3C3238C87FA00

Function 00E910A8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E910BA

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c24aaa77bbe66107681b243bb6406882d6390589f38f1cc5c5fc035b867a8251
Instruction ID: 9ddee0b71723fcc86c68bf97b57b88318b796294cbc51f6f4db654f61490ac62
Opcode Fuzzy Hash: c24aaa77bbe66107681b243bb6406882d6390589f38f1cc5c5fc035b867a8251
Instruction Fuzzy Hash: FBB012E13DD201BD3A142384BC13C36011CC0C4B18370FA2FF884F40C0A4423CC50032

Function 00E906E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eec828278e46f16bc0975f075cdbfb200a27278148d220f6753fc303b5af6238
Instruction ID: 6acb322aaf01b9cf32fdc3b6f1172f0cf175c0365187945a752bfc5537bb2756
Opcode Fuzzy Hash: eec828278e46f16bc0975f075cdbfb200a27278148d220f6753fc303b5af6238
Instruction Fuzzy Hash: 9BB0128536D102AD360893885D03CBF015CC0C4F14370F53BFC48F4241E4512C0A0031

Function 00E906FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e67f1ea0627443aa94d393a7fa4027021cfd627317eac60ccb600b9d69a0d11
Instruction ID: 877023a3d615d1768cf2468f4d46fa8d9155da85f2ae24219fd8e219d17233ef
Opcode Fuzzy Hash: 2e67f1ea0627443aa94d393a7fa4027021cfd627317eac60ccb600b9d69a0d11
Instruction Fuzzy Hash: DFB0129535D102AD360493885C03CBF014CC0C5F18370F53BFC48F4141E4402C410031

Function 00E906F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 330dfc7cb1a3c2fc01aad8d0134f48390760d6a657ab1c2240a2d5c8cc204d94
Instruction ID: 4f399ec3dab20179b3b5fd88c52ce4e6d3a21b536d23357be125e5370ee66b12
Opcode Fuzzy Hash: 330dfc7cb1a3c2fc01aad8d0134f48390760d6a657ab1c2240a2d5c8cc204d94
Instruction Fuzzy Hash: 66B0128536D103AD360893D85C03CBF015CD0C4F143B0F93BF848F4241E4402C050031

Function 00E906C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: caa64affb6f4974c5f02a56e00a8fb6e5218061ab7d19de644dd51d94bbd142e
Instruction ID: b61dbdc22c738f98b24778489a8fce7f0b28817b9d99c1b8e36cd2c0486c5a31
Opcode Fuzzy Hash: caa64affb6f4974c5f02a56e00a8fb6e5218061ab7d19de644dd51d94bbd142e
Instruction Fuzzy Hash: A3B0128935D203AD360493885C43CBF014CD0C5F143B0B53BF848F4242E4402C010131

Function 00E906DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8f98b7adbc4c63dc46b7225102b20d4b7ed5b712fc4b9ee542334c81d8bdb3f0
Instruction ID: 31d77eecb3efde0ef81d73206cf0341be04eb944bb9454972dbf62dd91c65e4b
Opcode Fuzzy Hash: 8f98b7adbc4c63dc46b7225102b20d4b7ed5b712fc4b9ee542334c81d8bdb3f0
Instruction Fuzzy Hash: 12B0128536D242AD374893885C03CBF015CC0C4F143B0F63BF848F4241E4402C450031

Function 00E906D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 099b9a4ff825900e69855715d03c9d67bec348d2fba90cc45b424eb4436dd383
Instruction ID: f5bdd0aea13af3183fe92fb964f1dc3ae34c0178475bebdd48b65c1926e92287
Opcode Fuzzy Hash: 099b9a4ff825900e69855715d03c9d67bec348d2fba90cc45b424eb4436dd383
Instruction Fuzzy Hash: B8B0128536D103AD360897885C03CBF015CC0C5F14370F53BFC48F4241E4402C050031

Function 00E906AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45b67120afd2ecc0907ed0841ca226ab073f76f4b72d2d9d1834c62366cc6b0c
Instruction ID: 9ce3d2d7184c78a04a5dd229407a358bae7d1ffb827737c5695aff8517fece7c
Opcode Fuzzy Hash: 45b67120afd2ecc0907ed0841ca226ab073f76f4b72d2d9d1834c62366cc6b0c
Instruction Fuzzy Hash: CCB0128935D202AD3604A3885C43CBF014CC0C5F14370F53BFC48F4242E4403C010031

Function 00E906A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55ecfbef7effaf0f3cf0c57da93a69207b78b17474f66fff43f01bb8affcfe86
Instruction ID: eff03e450c98111065d229c7412a8fe499c4a24ac11936d8a2d1b7ded9f83351
Opcode Fuzzy Hash: 55ecfbef7effaf0f3cf0c57da93a69207b78b17474f66fff43f01bb8affcfe86
Instruction Fuzzy Hash: BAB0128536D203ED360493889C03CBF015CD0C4F143B0B63BF848F4141E4402C010031

Function 00E906B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d0d9047af494463310da984089ec2890ef8f801b932c73462c4e52b937081f3b
Instruction ID: 8f9ee2be99e904accfb70c36f86e85b0975d0cf821c4f911d09a9f6fd7f9c77c
Opcode Fuzzy Hash: d0d9047af494463310da984089ec2890ef8f801b932c73462c4e52b937081f3b
Instruction Fuzzy Hash: 56B0128935D302AD3B4493885C43CBF014CC0C4F14370B63BF848F4242E4402C414031

Function 00E90697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42bb671fbb7d9e302125ba25da7400aa50252a51b264ef369c63772add9cdd3e
Instruction ID: ca83ea0e7d7579ad1ff1f475fa6d04f61ddd58c13f57f3369ed1a7d36e38d8a2
Opcode Fuzzy Hash: 42bb671fbb7d9e302125ba25da7400aa50252a51b264ef369c63772add9cdd3e
Instruction Fuzzy Hash: 0DB0128535D102ED360493889D03CBF015CC0C4F143B0B73BFC48F4141E4412C020031

Function 00E9067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3387d4a7a3b9da372aa6f5ba9ea4c2686cfa2e42718be77ecbc68b40d1c37330
Instruction ID: 54f2c8d889de6747e27b12ed98e5176d0f76e1d6cd3de15e0770dd7fb046f727
Opcode Fuzzy Hash: 3387d4a7a3b9da372aa6f5ba9ea4c2686cfa2e42718be77ecbc68b40d1c37330
Instruction Fuzzy Hash: 9BB0128535D103BE361453845C03CBF010CD4C0F143B0B63BF844F8041A4502C010031

Function 00E9075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63ea1fab34eb25cf7617e5ea030d81f41aa47b43f95e66778bfbd514d7c04d8e
Instruction ID: 024c55efc228432acea66dd2d7904e2fa095a99e4492a2a5bdf31cb484b2c98e
Opcode Fuzzy Hash: 63ea1fab34eb25cf7617e5ea030d81f41aa47b43f95e66778bfbd514d7c04d8e
Instruction Fuzzy Hash: 97B0129535D102AD360493885E03CBF01CCC0C5F14770B53BFC48F4141E4412C020031

Function 00E9072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 881d2b1d6c791e90928fd1627ea0bfb15f9990b8b2e1533d35a779d7acd49abe
Instruction ID: 010fc7061df5a94e496c9cf2ced5c1e09e8fd9ed72ee41f4dd024dadb84ea335
Opcode Fuzzy Hash: 881d2b1d6c791e90928fd1627ea0bfb15f9990b8b2e1533d35a779d7acd49abe
Instruction Fuzzy Hash: 6DB0129535E202AD374493C85C03CBF014CC0C4F14770B63BFC48F4141E4402C410031

Function 00E9070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d5f36441a5de20cb9de027aef6d9831a7e59db56b08a81faefe2fae136ded00c
Instruction ID: fe91bd9753814efc2152da13a1ef5974c5ff3e0a3d41c8ef3dae09b3442c824a
Opcode Fuzzy Hash: d5f36441a5de20cb9de027aef6d9831a7e59db56b08a81faefe2fae136ded00c
Instruction Fuzzy Hash: C0B0129535D102AD360493885D03CBF014CC0C4F18370B53BFC48F4141E4412D420031

Function 00E90719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 31974361cb59381ccb2efd84f75a5d603ade05ffa302541ba0ec0a6cc9e069a6
Instruction ID: bfc21175cb5133a4f3329c0d4753ca6b38ac32bdcf01a7b9d2599a80f5d31f46
Opcode Fuzzy Hash: 31974361cb59381ccb2efd84f75a5d603ade05ffa302541ba0ec0a6cc9e069a6
Instruction Fuzzy Hash: ADB0129535D103AD360493899C03CBF014CD0C4F183B0B53BF848F4141E4402C410031

Function 00E908F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2368fd6819387aaeda43d7cde38cdcb497786d41f6b0abf51dcfb91ed503d24
Instruction ID: 81511c6bc649fb85e04ee6737e33eaa5acea85935ca70842df4880e4e5be1029
Opcode Fuzzy Hash: b2368fd6819387aaeda43d7cde38cdcb497786d41f6b0abf51dcfb91ed503d24
Instruction Fuzzy Hash: 69B0129236C100AD360C63889C03D7A024CD0C4B143B0F62FF448F4181E4402C410031

Function 00E908CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2410bb37cafd1b81a402d3a7dfe8758f2ed7c5f423091b0ef57c91dd0f83ef38
Instruction ID: 76b0e7ffeefef3f315b11e17848574d5c22a7d99295ac0b1ca067cacf84abb60
Opcode Fuzzy Hash: 2410bb37cafd1b81a402d3a7dfe8758f2ed7c5f423091b0ef57c91dd0f83ef38
Instruction Fuzzy Hash: EBB0129239C200AE360C63885C03D7E024CD0C5B143B0F42FF448F4281E4402C411131

Function 00E908C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30f96dfd09878a20937cd91cd523cb5c6bfb5b8a50b31722ba027c38ffdbc950
Instruction ID: 6018e6e65567cf8d06fbad5a9dd4f62976e77349aa7838ed9e1648dfca6311d0
Opcode Fuzzy Hash: 30f96dfd09878a20937cd91cd523cb5c6bfb5b8a50b31722ba027c38ffdbc950
Instruction Fuzzy Hash: 03B0129235C310AE3B0C63885C03C7E024CC0C4B14370B52FF448F42C1E4402C855031

Function 00E909EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9c1f28930a8bd05d7cc0131d60a7eab91b1c78038423571f4dbe49b1f6efa2a
Instruction ID: 949343ab3113401e07ec9b5c36835c555eeb05435f559f2ac54832232c0802ce
Opcode Fuzzy Hash: c9c1f28930a8bd05d7cc0131d60a7eab91b1c78038423571f4dbe49b1f6efa2a
Instruction Fuzzy Hash: F5B012C639C101BD39041389AD03C76011CCDC0B1C370F53BF580F40C2A8626C820031

Function 00E90A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9a02e75a73f28b6f5b228dcd61004ba6eaec15266a25d33e40869ae8a9b66d7
Instruction ID: 66b57535f95135b593d98d78028cf3dedd8cd82f10d7ae08fd1aca77f4576e44
Opcode Fuzzy Hash: b9a02e75a73f28b6f5b228dcd61004ba6eaec15266a25d33e40869ae8a9b66d7
Instruction Fuzzy Hash: CEB012D139D200FD360453D89C13C3E019CD0C5B14370F66BF884F9140E8912C061031

Function 00E90A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d435bc698b150f502b3f48ad3495b2020ada873ce5589348984e268bf789403
Instruction ID: 72df97a66df98307634327f1d8d9a226b21349d2cd1a64582705207f4a2ed0f6
Opcode Fuzzy Hash: 8d435bc698b150f502b3f48ad3495b2020ada873ce5589348984e268bf789403
Instruction Fuzzy Hash: 93B012D13AD300FD374453D89C13C3E019CD0C4B14370B72BF484F8140E8912C421031

Function 00E90A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: abf9871e0002021abf795a3d1242c746af3b9df80822ae9003948a1eabaa5267
Instruction ID: 6158eab1417a9ed49ffc6392b26677b40575619ba397a0f9294ed6b1829c584f
Opcode Fuzzy Hash: abf9871e0002021abf795a3d1242c746af3b9df80822ae9003948a1eabaa5267
Instruction Fuzzy Hash: 6CB012D139D200ED360453D89D13C3F019CD0C4B14370B63BF884F4140E8822C031031

Function 00E90A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a757ade36ce17cb80593edc25554d6aa98af8c3b7ce6a80ee8e808c56c98f4f4
Instruction ID: f0553b92cd1c6a4b6e506da17df21deef3acbb05f2865b06c7fbc41cd7e7718c
Opcode Fuzzy Hash: a757ade36ce17cb80593edc25554d6aa98af8c3b7ce6a80ee8e808c56c98f4f4
Instruction Fuzzy Hash: D4B012C139C100ED3A046389AC03D77016CC4C4B14370F53BF844F9181E4A16C850131

Function 00E90A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 474f7ab67ba5541e1216b90814551daa697c341800b5995a3e10de3e428b679e
Instruction ID: 3f81cee6a3563b670f7b99c0d5f0723717c51165af28e7831adf99a832ce2e07
Opcode Fuzzy Hash: 474f7ab67ba5541e1216b90814551daa697c341800b5995a3e10de3e428b679e
Instruction Fuzzy Hash: A6B012C139C100AD39045399AD03D77015CC4C4B14370F53BF544F4181E4526C860131

Function 00E90A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 68dfb8e77c74e6dc05478c02f8d46f38cf94895086b67f15523eab324255d924
Instruction ID: 9b2f6014fc11771b35cecaad78d01de103fa6bc78885f6dec48ee45c4a7d3acc
Opcode Fuzzy Hash: 68dfb8e77c74e6dc05478c02f8d46f38cf94895086b67f15523eab324255d924
Instruction Fuzzy Hash: 86B012C139C200AD3A045399AC03D76015CC4C4B14370B63BF444F42C1E4526CC90131

Function 00E906C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e4013fb5845c979ccae99610ee73d3b9db6ee47a42bfdaf6960c3fa931f8f242
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: e4013fb5845c979ccae99610ee73d3b9db6ee47a42bfdaf6960c3fa931f8f242
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E90782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c806d4d4ccae974597459f7f8834b9d0053f69a35c14debf8da4fe0fdabfc5db
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: c806d4d4ccae974597459f7f8834b9d0053f69a35c14debf8da4fe0fdabfc5db
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E9076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 62bc664f973c8fd8fc3b1406ca097a01f766869cedb17d993952cd2fb1955e1c
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 62bc664f973c8fd8fc3b1406ca097a01f766869cedb17d993952cd2fb1955e1c
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E90778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 091a8fd102895b8cb449f2a220917babae66afcbae0620164e3cb0e2b70b0a74
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 091a8fd102895b8cb449f2a220917babae66afcbae0620164e3cb0e2b70b0a74
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E90746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1615cb1a4b749d80e81d455aa3753f61e79180bd73de1544e4b167b950e73f67
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 1615cb1a4b749d80e81d455aa3753f61e79180bd73de1544e4b167b950e73f67
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E9075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c770e1c82f9ad0925ee4fdeed0e89f96c80ea35b78a1e2e9f6ef25f2bfe61fb
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 5c770e1c82f9ad0925ee4fdeed0e89f96c80ea35b78a1e2e9f6ef25f2bfe61fb
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E90750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 845d1aa761dc12c4b2a5d6df84beb7c7b65df8ba37a8b2566673a82098481b15
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 845d1aa761dc12c4b2a5d6df84beb7c7b65df8ba37a8b2566673a82098481b15
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E90728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e44aa998a336a1b9bc12681c592818b3e80d7d10dec183dfa65fc68aa4eb7f18
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: e44aa998a336a1b9bc12681c592818b3e80d7d10dec183dfa65fc68aa4eb7f18
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E9073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7286339c9ec20962f3c5e2e4481f0ebe668cc14ca6050fed06ac2ba46f5cae2f
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: 7286339c9ec20962f3c5e2e4481f0ebe668cc14ca6050fed06ac2ba46f5cae2f
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E9070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9068E

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0066c4a1de89af8199d7ce6d93b0536e371a57715cf308bd3596e38b74df82e
Instruction ID: 4b1c328c6efc0e4148db6a0c28ca6f7e5c911cd3ab7fc84142a0eb0ef00df1ec
Opcode Fuzzy Hash: a0066c4a1de89af8199d7ce6d93b0536e371a57715cf308bd3596e38b74df82e
Instruction Fuzzy Hash: F9A0118A2A8203BC3A08A280AC02CBF020CC0C8F283B0A82AF80AE8082A88028000030

Function 00E908E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98b49f0470cae2b46f07ac313f34ed312948abfe170932ad22e6b3f5f25c14b5
Instruction ID: bda814f4cd0a3e1e6f13a3f3ac27e02ef3b4176140565ad34f92ab8c39dbcabf
Opcode Fuzzy Hash: 98b49f0470cae2b46f07ac313f34ed312948abfe170932ad22e6b3f5f25c14b5
Instruction Fuzzy Hash: 11A00296359511BD351D62955D06C7A125CD4C5B55370A91DF455E404194512C455071

Function 00E908F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c223f88e69476dfc3802346b916fcc3d1680962e2c460f72c7bc332a1384be9
Instruction ID: bda814f4cd0a3e1e6f13a3f3ac27e02ef3b4176140565ad34f92ab8c39dbcabf
Opcode Fuzzy Hash: 6c223f88e69476dfc3802346b916fcc3d1680962e2c460f72c7bc332a1384be9
Instruction Fuzzy Hash: 11A00296359511BD351D62955D06C7A125CD4C5B55370A91DF455E404194512C455071

Function 00E908DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e1dc09999a936974045d335550dd014269eb5b43f184e99fe423de52e6fbdd4
Instruction ID: bda814f4cd0a3e1e6f13a3f3ac27e02ef3b4176140565ad34f92ab8c39dbcabf
Opcode Fuzzy Hash: 4e1dc09999a936974045d335550dd014269eb5b43f184e99fe423de52e6fbdd4
Instruction Fuzzy Hash: 11A00296359511BD351D62955D06C7A125CD4C5B55370A91DF455E404194512C455071

Function 00E908BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12d1379255f79088663aaf2281a6fcf081a1b971a0a08a187eeb227d42bfd5a2
Instruction ID: bda814f4cd0a3e1e6f13a3f3ac27e02ef3b4176140565ad34f92ab8c39dbcabf
Opcode Fuzzy Hash: 12d1379255f79088663aaf2281a6fcf081a1b971a0a08a187eeb227d42bfd5a2
Instruction Fuzzy Hash: 11A00296359511BD351D62955D06C7A125CD4C5B55370A91DF455E404194512C455071

Function 00E908B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d815e008ba1916ddf4ac699e6376d64039cec6ffdc9fa569703948ef3ffaedec
Instruction ID: bda814f4cd0a3e1e6f13a3f3ac27e02ef3b4176140565ad34f92ab8c39dbcabf
Opcode Fuzzy Hash: d815e008ba1916ddf4ac699e6376d64039cec6ffdc9fa569703948ef3ffaedec
Instruction Fuzzy Hash: 11A00296359511BD351D62955D06C7A125CD4C5B55370A91DF455E404194512C455071

Function 00E9089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E908A7

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c965b40e858b6e8d48e3fe873366e77f7455f67b1bdad3c1fcf8e5ada160638
Instruction ID: b1a3e468ae01f22c0a9dbc886c6744e52e87909a9cbe0d708e2362bf787c8e78
Opcode Fuzzy Hash: 3c965b40e858b6e8d48e3fe873366e77f7455f67b1bdad3c1fcf8e5ada160638
Instruction Fuzzy Hash: B0A011A23A8200BC3A0C22A0AC02CBA220CC0C0B283B0A82EF808F8082A8802C800030

Function 00E90A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41c280ea8f68bfd52e0b905cbde5ab8e029ae8575750ab68e6e3c9347242dbd1
Instruction ID: 02201cb5fda9f42666409293f515db1825c9113f6c60dc50d0312d0d3db8a847
Opcode Fuzzy Hash: 41c280ea8f68bfd52e0b905cbde5ab8e029ae8575750ab68e6e3c9347242dbd1
Instruction Fuzzy Hash: 02A002D5299201FD350552D59D16C7E115CD4C5B55770B919F445E4441589128455071

Function 00E90A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c7f54346b976bce3944cf8f45c98f7b6e3f5b267e4b462f0179a8c60e0f17622
Instruction ID: 02201cb5fda9f42666409293f515db1825c9113f6c60dc50d0312d0d3db8a847
Opcode Fuzzy Hash: c7f54346b976bce3944cf8f45c98f7b6e3f5b267e4b462f0179a8c60e0f17622
Instruction Fuzzy Hash: 02A002D5299201FD350552D59D16C7E115CD4C5B55770B919F445E4441589128455071

Function 00E90A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26809db98057f0d734322fa3496796c7e3fc0f80c461d9aacf72274998206649
Instruction ID: 144987bb7a81056f3b6bbdf8e08cc0fb1f684fb9de277c0e92c67b2627d9da17
Opcode Fuzzy Hash: 26809db98057f0d734322fa3496796c7e3fc0f80c461d9aacf72274998206649
Instruction Fuzzy Hash: 45A002D5399101BD39055295AD16D76015CD4C5B55370A929F545E404154516C855135

Function 00E90A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E90A5D

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3859dab8a11d4424104cef2e3c1dbddef62a25e9f5f8190da46452db8a69eb7
Instruction ID: cd1f9530e1383c3b0fffacecfa3b2ab757be1028fc34dc67ae9945c928a80f1c
Opcode Fuzzy Hash: f3859dab8a11d4424104cef2e3c1dbddef62a25e9f5f8190da46452db8a69eb7
Instruction Fuzzy Hash: F5A002D5295201BD350552D59D16D7E129CD4C5B15770B519F545F4441689128455071

Function 00E90A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc5b22dbd011100ee53fab5e814e841e6fb66f95b207783c57bae0c4e3355320
Instruction ID: 144987bb7a81056f3b6bbdf8e08cc0fb1f684fb9de277c0e92c67b2627d9da17
Opcode Fuzzy Hash: bc5b22dbd011100ee53fab5e814e841e6fb66f95b207783c57bae0c4e3355320
Instruction Fuzzy Hash: 45A002D5399101BD39055295AD16D76015CD4C5B55370A929F545E404154516C855135

Function 00E90A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2684e4187d1de208034d00c1088ce9ca9a86dff6b8ac20cf89c8f4a6a21947ba
Instruction ID: 144987bb7a81056f3b6bbdf8e08cc0fb1f684fb9de277c0e92c67b2627d9da17
Opcode Fuzzy Hash: 2684e4187d1de208034d00c1088ce9ca9a86dff6b8ac20cf89c8f4a6a21947ba
Instruction Fuzzy Hash: 45A002D5399101BD39055295AD16D76015CD4C5B55370A929F545E404154516C855135

Function 00E90A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E909FC

Part of subcall function 00E90D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E90DAD
Part of subcall function 00E90D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E90DBE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 405393a390cf51f2f481b21a36b41b75c45b70183ad8eb94adde52c061010387
Instruction ID: 144987bb7a81056f3b6bbdf8e08cc0fb1f684fb9de277c0e92c67b2627d9da17
Opcode Fuzzy Hash: 405393a390cf51f2f481b21a36b41b75c45b70183ad8eb94adde52c061010387
Instruction Fuzzy Hash: 45A002D5399101BD39055295AD16D76015CD4C5B55370A929F545E404154516C855135

Function 00E7AFD0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00E7AF75,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?,?), ref: 00E7AFEB

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6ffd1f064db0bb8944637efd81e73dc880637d91a5212c140b7ec191950d7fe7
Instruction ID: 478c7f3e62ea50ea8e10577a0b24c8fb47bd788f97481c6de105410ec02f9461
Opcode Fuzzy Hash: 6ffd1f064db0bb8944637efd81e73dc880637d91a5212c140b7ec191950d7fe7
Instruction Fuzzy Hash: 52F0E971182B068FDB349B20C448797B3E46B12329F08BB2DC0FB634E0D36065CDD641

Non-executed Functions

Function 00E8EA07 Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 453fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E8D6C7

Part of subcall function 00E8C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E8C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,2D272A92,?,00000000,00000001), ref: 00E8EB53
_wcslen.LIBCMT ref: 00E8EB8D
_wcslen.LIBCMT ref: 00E8EBA1
_wcslen.LIBCMT ref: 00E8EBC6
GetFileAttributesW.KERNEL32(?), ref: 00E8EC0C
DeleteFileW.KERNEL32(?), ref: 00E8EC1E
_swprintf.LIBCMT ref: 00E8EC43
GetFileAttributesW.KERNEL32(?), ref: 00E8EC52
MoveFileW.KERNEL32(?,?), ref: 00E8EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00E8EC7F
_wcslen.LIBCMT ref: 00E8ECFA
_wcslen.LIBCMT ref: 00E8ED03
SetWindowTextW.USER32(?,?), ref: 00E8ED62

Strings

ProgramFilesDir, xrefs: 00E8EE36
%s.%d.tmp, xrefs: 00E8EC36
Software\Microsoft\Windows\CurrentVersion, xrefs: 00E8EE0B
<br>, xrefs: 00E8ECC4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: 5a3c6ff2f86c480d55a86c134e4a4318053d70a9b4cf4cfc3f6b29579d5ac4ea
Instruction ID: e0b5df8c23a17067bea5c2ae0a1ced410b212ab58d949917031302935fa9a13f
Opcode Fuzzy Hash: 5a3c6ff2f86c480d55a86c134e4a4318053d70a9b4cf4cfc3f6b29579d5ac4ea
Instruction Fuzzy Hash: 7BF13E72904259AADB31FBA0DC95EEF33BCFB09314F14152AE90DF7190EB749A498B50

Function 00E8E560 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71366: GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
Part of subcall function 00E71366: SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E8E602
EndDialog.USER32(?,00000006), ref: 00E8E615
GetDlgItem.USER32(?,0000006C), ref: 00E8E631
SetFocus.USER32(00000000), ref: 00E8E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 00E8E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E8E69F
FindFirstFileW.KERNEL32(?,?), ref: 00E8E6B5

Part of subcall function 00E8CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8CBEE
Part of subcall function 00E8CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E8CC05
Part of subcall function 00E8CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 00E8CC19
Part of subcall function 00E8CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8CC2A
Part of subcall function 00E8CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E8CC42
Part of subcall function 00E8CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00E8CC66
Part of subcall function 00E8CBC8: _swprintf.LIBCMT ref: 00E8CC85

_swprintf.LIBCMT ref: 00E8E704

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E8E717
FindClose.KERNEL32(00000000), ref: 00E8E71E
_swprintf.LIBCMT ref: 00E8E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 00E8E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E8E7A0
_swprintf.LIBCMT ref: 00E8E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E8E7EC
_swprintf.LIBCMT ref: 00E8E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00E8E84F

Part of subcall function 00E8D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E8D0E1
Part of subcall function 00E8D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,00EB272C,?,?), ref: 00E8D12A

Strings

REPLACEFILEDLG, xrefs: 00E8E59C
-, xrefs: 00E8E68C
%s %s, xrefs: 00E8E6F1, 00E8E6FD, 00E8E769, 00E8E7CF, 00E8E832

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$-$REPLACEFILEDLG
API String ID: 3464475507-3135309196
Opcode ID: 4370863082000cb45e057b7c14f5eb4dc7cde5ca0ef5647186693155244eaeb2
Instruction ID: d1ddafb999c4cfbaab48ef17ca692721fe50a70f8874ddc6822f8db2c74c630c
Opcode Fuzzy Hash: 4370863082000cb45e057b7c14f5eb4dc7cde5ca0ef5647186693155244eaeb2
Instruction Fuzzy Hash: C271C2B2649314BFE231AB64EC49FFF779CEB89704F041819B68DF21C1E67199088762

Function 00E91FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E91FD6
IsDebuggerPresent.KERNEL32 ref: 00E920A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E920C2
UnhandledExceptionFilter.KERNEL32(?), ref: 00E920CC

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e14b9595ddf22e541817873bbd9764440cda09f7fa26670c2baf74a8bc73281e
Instruction ID: 3d8de65d175f4da8807857de747e5c66d2ff3ce79247702e5ec0f2f6e27fec49
Opcode Fuzzy Hash: e14b9595ddf22e541817873bbd9764440cda09f7fa26670c2baf74a8bc73281e
Instruction Fuzzy Hash: 68311A75D062289FDF20DFA5D9897CCBBF8AF18304F10409AE50DA7251EB715A88CF04

Function 00E77FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E7807F
_wcslen.LIBCMT ref: 00E78112

Part of subcall function 00E78C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E78CB2
Part of subcall function 00E78C95: GetLastError.KERNEL32 ref: 00E78CF6
Part of subcall function 00E78C95: CloseHandle.KERNEL32(?), ref: 00E78D05

Part of subcall function 00E7BC65: DeleteFileW.KERNEL32(?,?,?,?,00E7B14B,?,00000000,00E7AF6E,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?,?), ref: 00E7BC82
Part of subcall function 00E7BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,00E7B14B,?,00000000,00E7AF6E,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?), ref: 00E7BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E781C1
CloseHandle.KERNEL32(00000000), ref: 00E781DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,2D272A92,00000000), ref: 00E78329

Part of subcall function 00E7B7E2: FlushFileBuffers.KERNEL32(?), ref: 00E7B7FC
Part of subcall function 00E7B7E2: SetFileTime.KERNEL32(?,?,?,?), ref: 00E7B8B0

Part of subcall function 00E7AFD0: CloseHandle.KERNEL32(?,?,?,00E7AF75,2D272A92,00000000,00EA517A,000000FF,?,00E78882,?,?), ref: 00E7AFEB

Part of subcall function 00E7C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,00000001,?,00E7BF5E,?,?), ref: 00E7C305
Part of subcall function 00E7C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E7BF5E,?,?), ref: 00E7C334

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00E7803E
SeRestorePrivilege, xrefs: 00E78034
\??\, xrefs: 00E780A1
UNC\, xrefs: 00E780D2

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 374897892-3508440684
Opcode ID: 77cff22a8bcb388448328551e8953d82a3b43a389d44af4dd22dfc30679bb235
Instruction ID: 4aa7d04dc84f837147e37ec4399725ccf9921d85279cc0c82cf0e36d6adcee50
Opcode Fuzzy Hash: 77cff22a8bcb388448328551e8953d82a3b43a389d44af4dd22dfc30679bb235
Instruction Fuzzy Hash: DBD1E3B1900249AFDB20DB64CD85BEEB3E8BF15304F04951AFA59F7141EB74AA44CBA0

Function 00E9F172 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E9F1B6

Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9ED6E
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9ED80
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9ED92
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDA4
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDB6
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDC8
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDDA
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDEC
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EDFE
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EE10
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EE22
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EE34
Part of subcall function 00E9ED51: _free.LIBCMT ref: 00E9EE46

_free.LIBCMT ref: 00E9F1AB

Part of subcall function 00E9BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?), ref: 00E9BB10
Part of subcall function 00E9BAFA: GetLastError.KERNEL32(?,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?,?), ref: 00E9BB22

_free.LIBCMT ref: 00E9F1CD
_free.LIBCMT ref: 00E9F1E2
_free.LIBCMT ref: 00E9F1ED
_free.LIBCMT ref: 00E9F20F
_free.LIBCMT ref: 00E9F222
_free.LIBCMT ref: 00E9F230
_free.LIBCMT ref: 00E9F23B
_free.LIBCMT ref: 00E9F273
_free.LIBCMT ref: 00E9F27A
_free.LIBCMT ref: 00E9F297
_free.LIBCMT ref: 00E9F2AF

Strings

h), xrefs: 00E9F25E

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h)
API String ID: 161543041-3328819710
Opcode ID: 63d43cebe6e8b033949d61f62710a2e1287f21ca592bdadee40b880bd7cc2b56
Instruction ID: 188f47190c3640926eda42ae522e721fa635641315f5a76298a75c46a1a6f4f3
Opcode Fuzzy Hash: 63d43cebe6e8b033949d61f62710a2e1287f21ca592bdadee40b880bd7cc2b56
Instruction Fuzzy Hash: E3311931600705DFEF21EB7AE945B9A73E9FF40314F246529E44AF71A1DFB1AD808A50

Function 00E7CE64 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E7CE6B
VariantClear.OLEAUT32(?), ref: 00E7D015

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00E7CF2C
ROOT\CIMV2, xrefs: 00E7CE99
K, xrefs: 00E7CF0D
WQL, xrefs: 00E7CF3E
f, xrefs: 00E7CE88
Name, xrefs: 00E7CFE9
Windows 10, xrefs: 00E7CFFB

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: K$Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$f
API String ID: 3629354427-107462878
Opcode ID: 8530a5b7d511ce5e47f523abd74370d0bf0dfd9bab9cc68738e84f6ee19ef4cf
Instruction ID: 2278ee87539e6e9a03c37c558185817b5705051e610159892a30c0ff36ba1ac3
Opcode Fuzzy Hash: 8530a5b7d511ce5e47f523abd74370d0bf0dfd9bab9cc68738e84f6ee19ef4cf
Instruction Fuzzy Hash: 96714B70A002199FDB14DFA5CC94EBEB7B9FF4A714B24516DE51ABB2A0CB346D01CB60

Function 00E8B631 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E8B656
_wcslen.LIBCMT ref: 00E8B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00E8B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E8B726
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E8B74D

Strings

utf-8"></head>, xrefs: 00E8B68B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00E8B680
</html>, xrefs: 00E8B6D7
<html>, xrefs: 00E8B675, 00E8B6AE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 2491627b03748d6041df4b4ff1632cac90234cf0dde25e7d788384bd03ab650b
Instruction ID: 68cf19fa40519d8158d7c8e01da340245a38fad9f96783b40960465035172216
Opcode Fuzzy Hash: 2491627b03748d6041df4b4ff1632cac90234cf0dde25e7d788384bd03ab650b
Instruction Fuzzy Hash: F93129722093117EEB29BB349C06F6F779CDF96310F14211EF409B61D2FB64A94983A5

Function 00E8F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00E8FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 00E8FA4C

Part of subcall function 00E84168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E7E084,00000000,.exe,?,?,00000800,?,?,?,00E8AD5D), ref: 00E8417E

GetWindowLongW.USER32(00000000,000000F0), ref: 00E8FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E8FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 00E8FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E8FABC
DeleteObject.GDI32(00000000), ref: 00E8FAC3
GetWindow.USER32(00000000,00000002), ref: 00E8FACC

Strings

STATIC, xrefs: 00E8FA52

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 14c60d301b64e0f7647fd42caada6f8c839e5693708f966c81f2f6669fc8da6b
Instruction ID: 6e0e5e1d633cd23c42834fb98ff4354543d83276464b55344a09add27c6a2263
Opcode Fuzzy Hash: 14c60d301b64e0f7647fd42caada6f8c839e5693708f966c81f2f6669fc8da6b
Instruction Fuzzy Hash: C72136325467117FE620BB709C4AFAF37DCEF48710F001526F98CB61D1EA74984587A1

Function 00E9B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9B8C5

Part of subcall function 00E9BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?), ref: 00E9BB10
Part of subcall function 00E9BAFA: GetLastError.KERNEL32(?,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?,?), ref: 00E9BB22

_free.LIBCMT ref: 00E9B8D1
_free.LIBCMT ref: 00E9B8DC
_free.LIBCMT ref: 00E9B8E7
_free.LIBCMT ref: 00E9B8F2
_free.LIBCMT ref: 00E9B8FD
_free.LIBCMT ref: 00E9B908
_free.LIBCMT ref: 00E9B913
_free.LIBCMT ref: 00E9B91E
_free.LIBCMT ref: 00E9B92C

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 03ac16ccfce414214243dbbec411cf42fe42e17f6c4c70fb404d715b3d99f631
Instruction ID: db0de8e87924d0e1aa11c9bd23a1f4b949a57a8c5f5406138ed9fef41702b1ec
Opcode Fuzzy Hash: 03ac16ccfce414214243dbbec411cf42fe42e17f6c4c70fb404d715b3d99f631
Instruction Fuzzy Hash: 4111AA7910014CAFCF01EF59EA92CD93BB5EF04350B019265F9095F122D7B1EA91DB80

Function 00E95451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E95570
___TypeMatch.LIBVCRUNTIME ref: 00E9567E
_UnwindNestedFrames.LIBCMT ref: 00E957D0
CallUnexpected.LIBVCRUNTIME ref: 00E957EB
_abort.LIBCMT ref: 00E957F0

Strings

csm, xrefs: 00E954FB
csm, xrefs: 00E955A7
csm, xrefs: 00E9548E

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 33f64c81c027c81a06be1fe07c0750dbc59bdad17adcc50380717b22ae8e3d67
Instruction ID: ae39323e479d4026aa2adeb09e69ac256287ebdb4ee243eff5785e8ae135ac12
Opcode Fuzzy Hash: 33f64c81c027c81a06be1fe07c0750dbc59bdad17adcc50380717b22ae8e3d67
Instruction Fuzzy Hash: 4FB179B2800A09EFCF26DFA4C8819AEBBB5FF04318F15655AE8117B212D731DA51CF91

Function 00EA1CDD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00EA2452,00000000,00000000,00000000,00000000,00000000,?), ref: 00EA1D1F
__fassign.LIBCMT ref: 00EA1D9A
__fassign.LIBCMT ref: 00EA1DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00EA1DDB
WriteFile.KERNEL32(?,00000000,00000000,R$,00000000,?,?,?,?,?,?,?,?,?,00EA2452,00000000), ref: 00EA1DFA
WriteFile.KERNEL32(?,00000000,00000001,R$,00000000,?,?,?,?,?,?,?,?,?,00EA2452,00000000), ref: 00EA1E33

Strings

R$, xrefs: 00EA1DEE, 00EA1E26, 00EA1DF1, 00EA1E29

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: R$
API String ID: 1324828854-3750934788
Opcode ID: 84fca6c4f8f18ebc9bfc63eeef8bf343176e34c50740753664ecb00d4def1971
Instruction ID: 7805d554ee2d51d80b3cf7550b2b47b606db47411425bb53ec9609b7389eaaf6
Opcode Fuzzy Hash: 84fca6c4f8f18ebc9bfc63eeef8bf343176e34c50740753664ecb00d4def1971
Instruction Fuzzy Hash: 88516371A002499FDB10CFA8D885AEEBBF8FF0E310F14955AE955FB291D730A945CB60

Function 00E8D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71366: GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
Part of subcall function 00E71366: SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

EndDialog.USER32(?,00000001), ref: 00E8D910
SendMessageW.USER32(?,00000080,00000001,000303CD), ref: 00E8D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E8D950
SetWindowTextW.USER32(?,?), ref: 00E8D961
GetDlgItem.USER32(?,00000065), ref: 00E8D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E8D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E8D994

Strings

LICENSEDLG, xrefs: 00E8D8D4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 5040b643a34c75f6b4a9705563f75d8fd3821c13b5e70048e24fdd26560c0c93
Instruction ID: 57684c3e274d51cb3dd815b20bd623ae3d1bfc8029e63696b9247407694ab5a1
Opcode Fuzzy Hash: 5040b643a34c75f6b4a9705563f75d8fd3821c13b5e70048e24fdd26560c0c93
Instruction Fuzzy Hash: 9A21B13220A214BFE7116F76FC49F7B7BACEB86B45F00511AF648B20E0DA9299059731

Function 00E7BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E7BFA3

Part of subcall function 00E834D7: GetSystemTime.KERNEL32(?,00000000), ref: 00E834EF
Part of subcall function 00E834D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00E834FD

Part of subcall function 00E83480: __aulldiv.LIBCMT ref: 00E83489

__aulldiv.LIBCMT ref: 00E7BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 00E7BFD6
_swprintf.LIBCMT ref: 00E7C001

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

_wcslen.LIBCMT ref: 00E7C00B
_swprintf.LIBCMT ref: 00E7C061
_wcslen.LIBCMT ref: 00E7C06B

Strings

%u.%03u, xrefs: 00E7BFF1, 00E7C055

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: 91b55a03fd3b493b8e6b8c6eb12f43449cb53d0b109a5cbd5badea382e349e31
Instruction ID: 8da2c9eafb6beeb2141d1ab452bff384676a2838e219d82e37f2f1a4bddce518
Opcode Fuzzy Hash: 91b55a03fd3b493b8e6b8c6eb12f43449cb53d0b109a5cbd5badea382e349e31
Instruction Fuzzy Hash: 8D216172A043419FC625EF75CC85EAFB7DCEB89740F54991EF548E3252DA30D9088BA2

Function 00E8CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E8CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E8CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E8CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00E8CC66
_swprintf.LIBCMT ref: 00E8CC85

Strings

%s %s, xrefs: 00E8CC7C

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 59519d3f9a0513bc5aec0a2285612050c0425b6c465d402746ac106dc90cd9ec
Instruction ID: bacbaf8b8c405492d153abab0f4705fe0b2704ceecbff422e20d9c16cd7271b6
Opcode Fuzzy Hash: 59519d3f9a0513bc5aec0a2285612050c0425b6c465d402746ac106dc90cd9ec
Instruction Fuzzy Hash: 58212DB250024CAFDF11DFA1DD44EEF77BCEB1A304F114566B619E7052E630AA09CB60

Function 00E92360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00E7CEA9,00E7CEAB,00000000,00000000,2D272A92,00000001,00000000,00000000,?,00E7CD87,?,00000004,00E7CEA9,ROOT\CIMV2), ref: 00E923E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00E7CEA9,?,00000000,00000000,?,?,00E7CD87,?,00000004,00E7CEA9), ref: 00E92464
SysAllocString.OLEAUT32(00000000), ref: 00E9246F
_com_issue_error.COMSUPP ref: 00E92498
_com_issue_error.COMSUPP ref: 00E924A2
GetLastError.KERNEL32(80070057,2D272A92,00000001,00000000,00000000,?,00E7CD87,?,00000004,00E7CEA9,ROOT\CIMV2), ref: 00E924A7
_com_issue_error.COMSUPP ref: 00E924BA
GetLastError.KERNEL32(00000000,?,00E7CD87,?,00000004,00E7CEA9,ROOT\CIMV2), ref: 00E924D0
_com_issue_error.COMSUPP ref: 00E924E3

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: a079b7f9bf11f1f3f3e1e68b7c2e45bd5c00027b0cc2946f20ebe16c63b9da08
Instruction ID: 7823a178dbc7e228df9f726f097dfe6d9e0b3cbc2ba161ded74acd4967e41522
Opcode Fuzzy Hash: a079b7f9bf11f1f3f3e1e68b7c2e45bd5c00027b0cc2946f20ebe16c63b9da08
Instruction Fuzzy Hash: 1141F3B1A00305BBDF10DF69DC45BAEBBE8EB49714F14522EF619F7291D734A8008BA5

Function 00E9C06A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E9C0F5
__alldvrm.LIBCMT ref: 00E9C2F6
__alldvrm.LIBCMT ref: 00E9C318

Strings

=z, xrefs: 00E9C080, 00E9C0DB, 00E9C0F4, 00E9C27A
=z, xrefs: 00E9C2B7
=z, xrefs: 00E9C074

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: =z$=z$=z
API String ID: 1036877536-137230230
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: b38073ca89c9b80a7d555bf5539a802e1ca0301faf348e17655954a880caebed
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: A8A18A729007869FEF15EF68C8917AEBBE4EF56344F3851ADE485BB282C2389D41C750

Function 00E94F20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E94F57
___except_validate_context_record.LIBVCRUNTIME ref: 00E94F5F
_ValidateLocalCookies.LIBCMT ref: 00E94FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E95013
_ValidateLocalCookies.LIBCMT ref: 00E95068

Strings

csm, xrefs: 00E94FFD
M, xrefs: 00E95005, 00E9500E, 00E9501F

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: M$csm
API String ID: 1170836740-3563121880
Opcode ID: f727d04b2644ec071f95139b9c5506a6d039ad21ae9f3a4ae883b64ac026d57e
Instruction ID: 119a0b79ceb734661aaaaf970972be51655616f2c840592ea8e062e40640f336
Opcode Fuzzy Hash: f727d04b2644ec071f95139b9c5506a6d039ad21ae9f3a4ae883b64ac026d57e
Instruction Fuzzy Hash: DE41F575A002199FCF10DF28C884E9EBBF5BF49318F14A156E9187B392C731AD06CB90

Function 00E832F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E8331D

Part of subcall function 00E7D076: GetVersionExW.KERNEL32(?), ref: 00E7D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E83340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E83352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E83363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E83373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E83383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00E833BE
__aullrem.LIBCMT ref: 00E83464

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 65e4cf867decf45560e21da46e24804384dfeef9e2434390d1656b31c0d07af8
Instruction ID: 7e7c02e32607bf21bb6903c0dae8f24fb26333f178078d2dab50691eec75ed36
Opcode Fuzzy Hash: 65e4cf867decf45560e21da46e24804384dfeef9e2434390d1656b31c0d07af8
Instruction Fuzzy Hash: E75117B15083459FCB10DF65C88096BFBE9FF88714F018A2EF5AAD2210E735E949CB52

Function 00E8BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E8BC8A

Strings

</style>, xrefs: 00E8BDD2
<style>, xrefs: 00E8BDB0
</p>, xrefs: 00E8BD68
<br>, xrefs: 00E8BD7E
>, xrefs: 00E8BCCB

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: e9b0f94f6688c551ce32401bf314f09ade336b31c99bd6457fbff7087a8a93ef
Instruction ID: b02ad84d00cb7cdf6c48cd719b3e55a2077aab889c888e9eadba9544a8f2e3ac
Opcode Fuzzy Hash: e9b0f94f6688c551ce32401bf314f09ade336b31c99bd6457fbff7087a8a93ef
Instruction Fuzzy Hash: E2510856640357A6DB307E19581277763D0DFA5798F68242BFDCCBB2D0FB648C818351

Function 00E8D41C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 00E8D4E1
EndDialog.USER32(?,00000001), ref: 00E8D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 00E8D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 00E8D5B9

Strings

Software\WinRAR SFX, xrefs: 00E8D466
GETPASSWORD1, xrefs: 00E8D548

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ItemText$CloseDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 3946143710-1315819833
Opcode ID: 6acc1492b13f8efb137b7221873f93c6e92111c5d253ee1f5b7dcabfd7c52609
Instruction ID: 8e9771cfa114c4a30d99fe8b51dd5a30bc071d19079a9e6af5e55b5412902276
Opcode Fuzzy Hash: 6acc1492b13f8efb137b7221873f93c6e92111c5d253ee1f5b7dcabfd7c52609
Instruction Fuzzy Hash: C841B072A08209ABEB30AB65DC45FFE77ACEB48304F10443AF64DF7181DB70A9448B65

Function 00E7ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E7AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00E7AD4A

Part of subcall function 00E7E208: _wcslen.LIBCMT ref: 00E7E210

Part of subcall function 00E84168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E7E084,00000000,.exe,?,?,00000800,?,?,?,00E8AD5D), ref: 00E8417E

_swprintf.LIBCMT ref: 00E7ADEC

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

MoveFileW.KERNEL32(?,?), ref: 00E7AE5E
MoveFileW.KERNEL32(?,?), ref: 00E7AE9E

Strings

rtmp%d, xrefs: 00E7ADD5

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: 985a3e4eb0d60a3d5e34fcc478ad62b742504c442f2001f351924c6996a74b1f
Instruction ID: fd2dd7f8a9ab12c15f6c1567e37dd5617c3a75cc20c05acc20c009ad9b1403a4
Opcode Fuzzy Hash: 985a3e4eb0d60a3d5e34fcc478ad62b742504c442f2001f351924c6996a74b1f
Instruction Fuzzy Hash: A4516E71901658AACF20EB60CC85EEF73BCEF45344F0898A9B55DB3151EB34AAC49F61

Function 00E8BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00E8BE8A
GetWindowRect.USER32(?,?), ref: 00E8BED1
ShowWindow.USER32(?,00000005,00000000), ref: 00E8BF6C
SetWindowTextW.USER32(?,00000000), ref: 00E8BF74
ShowWindow.USER32(00000000,00000005), ref: 00E8BF8A

Strings

RarHtmlClassName, xrefs: 00E8BF31

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 9688aa9243895269273a4021ace008e971faf0cdf62226179564133aeecd9c1c
Instruction ID: 7739890da5a3ee38640045d33efbffbfa9bb8238d2ec9fbdee5c53b3f99d5b41
Opcode Fuzzy Hash: 9688aa9243895269273a4021ace008e971faf0cdf62226179564133aeecd9c1c
Instruction Fuzzy Hash: 6541C37210A315AFCB10AF64DC49B6B7BE8EF48700F15565AFA8DBA152DB30D804CFA1

Function 00E8B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E8B8DE
_wcslen.LIBCMT ref: 00E8B913

Strings

 , xrefs: 00E8B9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00E8B907
, xrefs: 00E8B930
<br>, xrefs: 00E8B95F

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: ab317eea38339678f30a47e03c612f39260013e9185602e700514eab9dd55338
Instruction ID: be3867b63c6d9bf7ab3ce6265372f59557afc87e2edf159d9ce55b77d768289f
Opcode Fuzzy Hash: ab317eea38339678f30a47e03c612f39260013e9185602e700514eab9dd55338
Instruction Fuzzy Hash: 4D313B2264470556DA34FB949C42B77B3E4EBD0324F60542FFA9DB72D0FB51AC4483A1

Function 00E9EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9EEB8: _free.LIBCMT ref: 00E9EEE1

_free.LIBCMT ref: 00E9EF42

Part of subcall function 00E9BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?), ref: 00E9BB10
Part of subcall function 00E9BAFA: GetLastError.KERNEL32(?,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?,?), ref: 00E9BB22

_free.LIBCMT ref: 00E9EF4D
_free.LIBCMT ref: 00E9EF58
_free.LIBCMT ref: 00E9EFAC
_free.LIBCMT ref: 00E9EFB7
_free.LIBCMT ref: 00E9EFC2
_free.LIBCMT ref: 00E9EFCD

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 992467620dadb4833face8e112ff20c9e74e1262562d2a474ba81bbf5dec74fd
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: 7A11FC72940B08BAED20F7B2CC06FCB77EC6F04700F445D16F29A76292DBB5A5454654

Function 00E78C95 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00E78CB2
GetLastError.KERNEL32 ref: 00E78CF6
CloseHandle.KERNEL32(?), ref: 00E78D05

Strings

^, xrefs: 00E78CD7
J, xrefs: 00E78CEC
@, xrefs: 00E78CB9

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CloseCurrentErrorHandleLastProcess
String ID: @$J$^
API String ID: 1009092642-3858163224
Opcode ID: 74a3c87fc41bc0def50419988de2eb139683f93178a59336a58e85064b8d7d45
Instruction ID: 7682cf30ee04a5663a27f0ded610e678bbcb1660954c02ca8192c3a3f3cff784
Opcode Fuzzy Hash: 74a3c87fc41bc0def50419988de2eb139683f93178a59336a58e85064b8d7d45
Instruction Fuzzy Hash: BF0100B0601219AFDF109FA5ED89ABFBBBCEB15344F44541AB905F2190EA319D489B70

Function 00E90ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E90B46,00E90AA9,00E90D4A), ref: 00E90AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E90AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E90B0D

Strings

AcquireSRWLockExclusive, xrefs: 00E90AF2
KERNEL32.DLL, xrefs: 00E90ADD
ReleaseSRWLockExclusive, xrefs: 00E90B02

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: f07abc9e57753335d170e1ba4740131a0ff1c3d50a247bc43af9352c2b402ea5
Instruction ID: 5f1ec52f9273efb95c233ab1eeb58735c1c19036550fcbdea70020c33fc4a47f
Opcode Fuzzy Hash: f07abc9e57753335d170e1ba4740131a0ff1c3d50a247bc43af9352c2b402ea5
Instruction Fuzzy Hash: 1AF0AF327537229F4F709FA59D8596B228DDB1A35D3B4243AA901F6280FA909C85C2E0

Function 00E8418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E84192
_wcslen.LIBCMT ref: 00E841A3
_wcslen.LIBCMT ref: 00E841B3
_wcslen.LIBCMT ref: 00E841C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E7D2D3,?,?,00000000,?,?,?), ref: 00E841DC

Strings

<, xrefs: 00E841DC

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 2760f5fd4db19419fdec01d1290a8c2a3be83772e2496be007c4affe6c5c4ad0
Instruction ID: ee78104b6469921b2be9d633c586be730afce844b8348653d222b5702e54d29d
Opcode Fuzzy Hash: 2760f5fd4db19419fdec01d1290a8c2a3be83772e2496be007c4affe6c5c4ad0
Instruction Fuzzy Hash: 3FF03032048165BFCF126F91EC09DCE3F66EF55770B119016FA2D7A0A1CA3295959BD0

Function 00E9B160 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9B17E

Part of subcall function 00E9BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?), ref: 00E9BB10
Part of subcall function 00E9BAFA: GetLastError.KERNEL32(?,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?,?), ref: 00E9BB22

_free.LIBCMT ref: 00E9B190
_free.LIBCMT ref: 00E9B1A3
_free.LIBCMT ref: 00E9B1B4
_free.LIBCMT ref: 00E9B1C5

Strings

p,, xrefs: 00E9B174

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p,
API String ID: 776569668-2703748495
Opcode ID: 83c9b967401128e4fb88595fd9d0de14894926853ce6470746f11eb8fc0cc608
Instruction ID: acf402baa41b9da1c6622e5529410ad14e43f28632d0973da0297211a6883026
Opcode Fuzzy Hash: 83c9b967401128e4fb88595fd9d0de14894926853ce6470746f11eb8fc0cc608
Instruction Fuzzy Hash: 8DF0B2708122289F8F42AB2BFD024C93BB5FB14725301634BF616B6275CBB658898F90

Function 00E83583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00E835E6

Part of subcall function 00E7D076: GetVersionExW.KERNEL32(?), ref: 00E7D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E8360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E83624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E83637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E83647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E83657

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 4cebcd37f10128089081456cf711d7026c7a7bad93d105114efd2a83b7bb2033
Instruction ID: bf1d7c1b1cbb5ce37b01c1aede23388d7568b511f8f052208930b42ca3cf299e
Opcode Fuzzy Hash: 4cebcd37f10128089081456cf711d7026c7a7bad93d105114efd2a83b7bb2033
Instruction Fuzzy Hash: 2D4115761083059FCB04DFA9C88499BBBE8BF98704F05591EF999D7210E730D909CBA6

Function 00E9511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E95111,00E94ECC,00E921B4), ref: 00E95128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E95136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E9514F
SetLastError.KERNEL32(00000000,00E95111,00E94ECC,00E921B4), ref: 00E951A1

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0a3d6d4bb7f8d1b7cd62e2479ec8bbe571927d0f772a68ac44654620bbe0966f
Instruction ID: 0174887ce5d6e71fc9124aac4fea22221dc7c4e2ebc91a9f36d87d3dc985c128
Opcode Fuzzy Hash: 0a3d6d4bb7f8d1b7cd62e2479ec8bbe571927d0f772a68ac44654620bbe0966f
Instruction Fuzzy Hash: 4401D83310AF216EAE261777BC8576B2A94EF42374BA0332FF210B50E1EF515C459348

Function 00E9B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00EB50C4,00E96E12,00EB50C4,?,?,00E9688D,?,?,00EB50C4), ref: 00E9B9A9
_free.LIBCMT ref: 00E9B9DC
_free.LIBCMT ref: 00E9BA04
SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BA11
SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BA1D
_abort.LIBCMT ref: 00E9BA23

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f91f6c3020884ea19bd81115939cd41037884e29b5373029e6c14979a1fb7b9b
Instruction ID: cdfffeaf0196cc5cb7017143c9465469dacb151ccca78960b359b9089619d2fa
Opcode Fuzzy Hash: f91f6c3020884ea19bd81115939cd41037884e29b5373029e6c14979a1fb7b9b
Instruction Fuzzy Hash: 61F028321086116BCE2673367E8ABAB25AACFC2734F262519F619F2292EF658C454114

Function 00E9004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E90059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E90073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E90084
TranslateMessage.USER32(?), ref: 00E9008E
DispatchMessageW.USER32(?), ref: 00E90098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E900A3

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: b0eee2e5431c29d5e06e8c5e29261158b7f8a13ee6569c650645e1d7c00d516c
Instruction ID: d7e59a47db13d2d0ab308d6f14b171ce7cb5392cce719bdeb50422143722b7c2
Opcode Fuzzy Hash: b0eee2e5431c29d5e06e8c5e29261158b7f8a13ee6569c650645e1d7c00d516c
Instruction Fuzzy Hash: 1AF01972A01229AECB205BA2EC4CECF7F6DEB46791F048412F54AE2090E6249589C6A0

Function 00E83748 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E83910
_swprintf.LIBCMT ref: 00E839BF

Strings

%ls, xrefs: 00E83795, 00E837AB
%s: %s, xrefs: 00E8391F
{, xrefs: 00E83748

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s${
API String ID: 589789837-3648917259
Opcode ID: 1291e0fe82744ca3fdcf3018d997186f2cf90c56bd15dd12122feea2cf3c69ed
Instruction ID: f6c5ead96640b0ce71267e0ecb74611998fcd45b3758d909893ed58b26b4763f
Opcode Fuzzy Hash: 1291e0fe82744ca3fdcf3018d997186f2cf90c56bd15dd12122feea2cf3c69ed
Instruction Fuzzy Hash: 5B51EBB5248305FAF6253BB48D42FB676A5AB09F00F20A507F3CE740E1C6A2D7556B16

Function 00E7E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00E82663: _wcslen.LIBCMT ref: 00E82669

Part of subcall function 00E7D848: _wcsrchr.LIBVCRUNTIME ref: 00E7D85F

_wcslen.LIBCMT ref: 00E7E105
_wcslen.LIBCMT ref: 00E7E14D

Strings

.exe, xrefs: 00E7E079
.sfx, xrefs: 00E7E088
.rar, xrefs: 00E7E04F, 00E7E0A2

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: d2f59d136b7f77110d7c769d749f520e76f5a69a74864bc785542059c3592f58
Instruction ID: e01b7441218ba35408cebcdcc0da12e857fb32a924566d6c922cd3e3a12215f1
Opcode Fuzzy Hash: d2f59d136b7f77110d7c769d749f520e76f5a69a74864bc785542059c3592f58
Instruction Fuzzy Hash: 2A41563250175196C732AF30C846A7B77B8EF09708B14E88EF98DBB2C0E7A09D81D361

Function 00E7DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E7DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00E7BD19,?,?,00000800,?,?,?,00E7BCD4), ref: 00E7DB02
_wcslen.LIBCMT ref: 00E7DB70

Strings

\\?\, xrefs: 00E7DA90, 00E7DADC, 00E7DB38, 00E7DB87
UNC, xrefs: 00E7DAE8

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: ee0cb786f71ff3d89f757d48410258cab8f745b6f7d41ed72cb6af321434e177
Instruction ID: 5abdff9e8ce98ae867e3fc157afbf9f107fc3ef092bc6361865656d90a58d2c2
Opcode Fuzzy Hash: ee0cb786f71ff3d89f757d48410258cab8f745b6f7d41ed72cb6af321434e177
Instruction Fuzzy Hash: 8541B271508345AACA20AB608C81DFFB3FCAF4A744F05A85DF5CCB7141E7A4A884D772

Function 00E710E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E71136
_wcslen.LIBCMT ref: 00E7115A
_wcslen.LIBCMT ref: 00E71187
_wcslen.LIBCMT ref: 00E711AC

Strings

%, xrefs: 00E71227

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen
String ID: %
API String ID: 176396367-3325620792
Opcode ID: 006366e73ea8ea2d24618fc3d3964a9084edae9dd5062d5b5e3ebbd8c374c909
Instruction ID: 7f8b941f221c081ea4699765d385a08c840fbffde5ac29629cd1c1eb1534a73a
Opcode Fuzzy Hash: 006366e73ea8ea2d24618fc3d3964a9084edae9dd5062d5b5e3ebbd8c374c909
Instruction Fuzzy Hash: EB41A171A047529FC721DF38894599FBBE8EF85300F00492EF999E3251EB30A9098B92

Function 00E8D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00E8D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00E8DA12
DeleteObject.GDI32(00000000), ref: 00E8DA44
DeleteObject.GDI32(00000000), ref: 00E8DA67

Part of subcall function 00E8C652: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C665
Part of subcall function 00E8C652: SizeofResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C67C
Part of subcall function 00E8C652: LoadResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C693
Part of subcall function 00E8C652: LockResource.KERNEL32(00000000,?,?,?,00E8DA3D,00000066), ref: 00E8C6A2
Part of subcall function 00E8C652: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00E8DA3D,00000066), ref: 00E8C6BD
Part of subcall function 00E8C652: GlobalLock.KERNEL32(00000000), ref: 00E8C6CE
Part of subcall function 00E8C652: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E8C6F2
Part of subcall function 00E8C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E8C737
Part of subcall function 00E8C652: GlobalUnlock.KERNEL32(00000000), ref: 00E8C756
Part of subcall function 00E8C652: GlobalFree.KERNEL32(00000000), ref: 00E8C75D

Strings

], xrefs: 00E8DA1A

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: d778a39698edef9385d2218d14e7eede9ba6124ccf2dd319a29e80fe366de643
Instruction ID: a1905fc8b6380c323158c4355e945b71d542d04768ed3f325caed541783eb107
Opcode Fuzzy Hash: d778a39698edef9385d2218d14e7eede9ba6124ccf2dd319a29e80fe366de643
Instruction Fuzzy Hash: D601D6325082116BCB1277B59C05A7F3BBA9F82B65F341151B84CB72D1EF318C0997B1

Function 00E8F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E71366: GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
Part of subcall function 00E71366: SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

EndDialog.USER32(?,00000001), ref: 00E8F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E8F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E8F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 00E8F9D4

Strings

RENAMEDLG, xrefs: 00E8F968

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 65fedc5e1b3436c3427eb9bedc0377221031ebb28fa9e6b72602c90e97ddf3f5
Instruction ID: 5779183bc17ae2f771006ba83a247fef529bc2388ae1583e05ba8a0d1f690b1f
Opcode Fuzzy Hash: 65fedc5e1b3436c3427eb9bedc0377221031ebb28fa9e6b72602c90e97ddf3f5
Instruction Fuzzy Hash: EE0128333863107FD2126BA5AD08FABBB5CFB8A705F115523F24DB10D0C66299088771

Function 00E9A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E9A676,?,?,00E9A616,?,00EAF7B0,0000000C,00E9A76D,?,00000002), ref: 00E9A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E9A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,00E9A676,?,?,00E9A616,?,00EAF7B0,0000000C,00E9A76D,?,00000002,00000000), ref: 00E9A71B

Strings

CorExitProcess, xrefs: 00E9A6F0
mscoree.dll, xrefs: 00E9A6DE

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 667e252ad9287812adc720e397ad3cdb4fc3f270bc4fba8c54f758ed4b969894
Instruction ID: 53aacd38be0432c28b8a41450e2e24f8ed9665e404ac61b819d84ad67a06e4c8
Opcode Fuzzy Hash: 667e252ad9287812adc720e397ad3cdb4fc3f270bc4fba8c54f758ed4b969894
Instruction Fuzzy Hash: 4CF0A431500218BFCF109FA5DC89BAEBFB5EF09705F04016AF905B6160CB306D84CA90

Function 00E71366 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00E80244: _swprintf.LIBCMT ref: 00E80284
Part of subcall function 00E80244: _strlen.LIBCMT ref: 00E802A5
Part of subcall function 00E80244: SetDlgItemTextW.USER32(?,00EB2274,?), ref: 00E802FE
Part of subcall function 00E80244: GetWindowRect.USER32(?,?), ref: 00E80334
Part of subcall function 00E80244: GetClientRect.USER32(?,?), ref: 00E80340

GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

Strings

0, xrefs: 00E71369
pP, xrefs: 00E713CB
pP, xrefs: 00E7137B

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$pP$pP
API String ID: 2622349952-623278422
Opcode ID: 2f828172361d68f7900013144c7394959850c4bd5d8c015e015da62a3cf3820e
Instruction ID: a1852ed76599265b36bd509569d4a788236f82ce6259cc406ed018418000b036
Opcode Fuzzy Hash: 2f828172361d68f7900013144c7394959850c4bd5d8c015e015da62a3cf3820e
Instruction Fuzzy Hash: ECF08130104348BADF151F269C0DBEA3BB8AB05318F05E196FD8D749A2D7B4C554DB50

Function 00E951FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E952C1
___AdjustPointer.LIBCMT ref: 00E952E4
_abort.LIBCMT ref: 00E95332
___AdjustPointer.LIBCMT ref: 00E95380

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 386af82b15cb2b2013f2b84b1fe4feedc62c554ac9067806854b30244e6ff353
Instruction ID: d2a0c845cc4bfdb309add7b14aeea7ccb5ab17167b8d9bc1795b00b4d5c7797b
Opcode Fuzzy Hash: 386af82b15cb2b2013f2b84b1fe4feedc62c554ac9067806854b30244e6ff353
Instruction Fuzzy Hash: 2551C1B3601B06AFDF2ACF51D841BAAB3A4EF44754F14542DEC057B2A5E771AC81CB90

Function 00E9E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E9E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9E5AC

Part of subcall function 00E9BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E96A24,?,0000015D,?,?,?,?,00E97F00,000000FF,00000000,?,?), ref: 00E9BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E9E5D2
_free.LIBCMT ref: 00E9E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E9E5F4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 28de2fd7e96f62a005227c2ae9746dd71f2223ef1b279920071055f4f490ab9d
Instruction ID: dc2636362959a5b30bbbf8ebe47e4770a96ec46d28353227313eaf5f29dfb88f
Opcode Fuzzy Hash: 28de2fd7e96f62a005227c2ae9746dd71f2223ef1b279920071055f4f490ab9d
Instruction Fuzzy Hash: 8A01D4726022157F6B2196776C49CBB6E6DEFC7B6831A012DFA09E2301FE608D02C1B0

Function 00E9BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E9BC80,00E9D7D8,?,00E9B9D3,00000001,00000364,?,00E9688D,?,?,00EB50C4), ref: 00E9BA2E
_free.LIBCMT ref: 00E9BA63
_free.LIBCMT ref: 00E9BA8A
SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BA97
SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BAA0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f4413f840b46f5ac29cf7c0520974ad7c9c2070508326ad77d39d271c478365b
Instruction ID: b23cdc7f29fdcadec8faf83889283bf04068806f715abdf8a9d0134639704fb0
Opcode Fuzzy Hash: f4413f840b46f5ac29cf7c0520974ad7c9c2070508326ad77d39d271c478365b
Instruction Fuzzy Hash: 34014932204A11BF8E15A7357FC699B21AEDFC23753222125F519B2291EFE18C055124

Function 00E82FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00E832AF: ResetEvent.KERNEL32(?), ref: 00E832C1
Part of subcall function 00E832AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E832D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,2D272A92,?,?,00000001,?,00EA52FF,000000FF,?,00E843C0,?,00000000,?,00E74766), ref: 00E83007
CloseHandle.KERNEL32(?,?,?,00E843C0,?,00000000,?,00E74766,?,?,?,00000000,?,?,?,00000001), ref: 00E83021
DeleteCriticalSection.KERNEL32(?,?,00E843C0,?,00000000,?,00E74766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E8303A
CloseHandle.KERNEL32(?,?,00E843C0,?,00000000,?,00E74766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E83046
CloseHandle.KERNEL32(?,?,00E843C0,?,00000000,?,00E74766,?,?,?,00000000,?,?,?,00000001,?), ref: 00E83052

Part of subcall function 00E830CA: WaitForSingleObject.KERNEL32(?,000000FF,00E831E7,?,?,00E8325F,?,?,?,?,?,00E83249), ref: 00E830D0
Part of subcall function 00E830CA: GetLastError.KERNEL32(?,?,00E8325F,?,?,?,?,?,00E83249), ref: 00E830DC

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 153bbfda74e3c5c4b3e611181055d84fa5ee812b97f70419d01db4d7071175c1
Instruction ID: b9120e7089a6f8d3d0b81127d77b6f3829f59a18c665a0d943d708cf583bd1c0
Opcode Fuzzy Hash: 153bbfda74e3c5c4b3e611181055d84fa5ee812b97f70419d01db4d7071175c1
Instruction Fuzzy Hash: BD116172500744EFC722AF65DC84BC6FBF9FB0E710F000929E26AA2160CB757A48CB50

Function 00E9EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9EE67

Part of subcall function 00E9BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?), ref: 00E9BB10
Part of subcall function 00E9BAFA: GetLastError.KERNEL32(?,?,00E9EEE6,?,00000000,?,00000000,?,00E9EF0D,?,00000007,?,?,00E9F30A,?,?), ref: 00E9BB22

_free.LIBCMT ref: 00E9EE79
_free.LIBCMT ref: 00E9EE8B
_free.LIBCMT ref: 00E9EE9D
_free.LIBCMT ref: 00E9EEAF

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2d4633806828226fcf12a73506e6ecad7d45151832549353516b504eba172dac
Instruction ID: cc9498e3744a60a22206c4ddda6c0ca50926a2f247d14cd5a0891608703e6c80
Opcode Fuzzy Hash: 2d4633806828226fcf12a73506e6ecad7d45151832549353516b504eba172dac
Instruction Fuzzy Hash: 63F0EC32504204AF8E65EB6BF585C9B77EABF007147582909F249F7641CBB0FC848A60

Function 00E8C79C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00E8C629: GetDC.USER32(00000000), ref: 00E8C62D
Part of subcall function 00E8C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8C638
Part of subcall function 00E8C629: ReleaseDC.USER32(00000000,00000000), ref: 00E8C643

GetObjectW.GDI32(?,00000018,?), ref: 00E8C7E0

Part of subcall function 00E8CA67: GetDC.USER32(00000000), ref: 00E8CA70
Part of subcall function 00E8CA67: GetObjectW.GDI32(?,00000018,?), ref: 00E8CA9F
Part of subcall function 00E8CA67: ReleaseDC.USER32(00000000,?), ref: 00E8CB37

Strings

(, xrefs: 00E8C935
f, xrefs: 00E8C82F

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: ($f
API String ID: 1061551593-4043270135
Opcode ID: 12b6385be53b5c1555ff1e61498b37a3c42baf72c4fa48d572b6cd17f41c78a1
Instruction ID: eb620daaefd01ce6fd3009c8edbda61066dd4099c194c322f5e47fafb3fa46ab
Opcode Fuzzy Hash: 12b6385be53b5c1555ff1e61498b37a3c42baf72c4fa48d572b6cd17f41c78a1
Instruction Fuzzy Hash: BE9104716083549FD614DF26C844E2BBBE8FFCAB04F14495EF58AE7260DB70A805CB62

Function 00E9A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe,00000104), ref: 00E9A800
_free.LIBCMT ref: 00E9A8CB
_free.LIBCMT ref: 00E9A8D5

Strings

C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe, xrefs: 00E9A7F7, 00E9A7FE, 00E9A82D, 00E9A865

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe
API String ID: 2506810119-2347392529
Opcode ID: 102aa8c354842f5ed3ec6f93abf61879721def558aa68e22d5711893a966527c
Instruction ID: b60d464e8a6261eeb3719f62a4b117ea2dd50e1825c04eae29eeceb077ed6b4a
Opcode Fuzzy Hash: 102aa8c354842f5ed3ec6f93abf61879721def558aa68e22d5711893a966527c
Instruction Fuzzy Hash: AF31AE71A00208EFDF25DB9AD88999EBBFCEF84304B185077E904B7211D6704A41CBA1

Function 00E957F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E9581B
_abort.LIBCMT ref: 00E95926

Strings

MOC, xrefs: 00E9582D
RCC, xrefs: 00E95835

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 1f8eddfd42e4a12d879af8329932a36d18994a9a1fccc58a56eb633bbfbef419
Instruction ID: 8617e3309602a0777e1049191abf72e6254d3806b9f95d219e7eade55673d775
Opcode Fuzzy Hash: 1f8eddfd42e4a12d879af8329932a36d18994a9a1fccc58a56eb633bbfbef419
Instruction Fuzzy Hash: A6414872900609EFDF16DFA4DC81AAEBBB5FF48318F189069F914B7211D3359950DB50

Function 00E7F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00E7F82D
_strncpy.LIBCMT ref: 00E7F871

Part of subcall function 00E83F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00E7F801,00000000,00000000,?,00EB5070,?,00E7F801,?,?,00000050,?), ref: 00E83F64

Strings

$%s, xrefs: 00E7F822
@%s, xrefs: 00E7F817

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 3913819089b4a2c3efecd3cb1e6d031e413989b7450fffd0803f03458e2e346d
Instruction ID: cf31caede30c8bdc41bbb3ffbdd1f5e0c8462b4056186c8ff23ba994c99d4ad1
Opcode Fuzzy Hash: 3913819089b4a2c3efecd3cb1e6d031e413989b7450fffd0803f03458e2e346d
Instruction Fuzzy Hash: F92192729003489FEF24DFA4CC01BEE77E8BF16700F04552AFA29B61A1E771E9158B61

Function 00E8CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E71366: GetDlgItem.USER32(00000000,00003021), ref: 00E713AA
Part of subcall function 00E71366: SetWindowTextW.USER32(00000000,00EA65F4), ref: 00E713C0

EndDialog.USER32(?,00000001), ref: 00E8CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E8CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E8CE52

Strings

ASKNEXTVOL, xrefs: 00E8CDB8

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 1df91e3a7cf6d7cabb0f3fbba04fb705956f7e79c0065fc9ab6cc375d7554e97
Instruction ID: 6ac6a4519f14ef7fe2b5d93c3690b119a2b30698a9f1de4a76c4aef95bd6ad1d
Opcode Fuzzy Hash: 1df91e3a7cf6d7cabb0f3fbba04fb705956f7e79c0065fc9ab6cc375d7554e97
Instruction Fuzzy Hash: BA11D333246601AFD221AFA9ED04F767BA9FB4BB45F101011F24DBA1A4C77199098775

Function 00E82F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E7CAA0,00000008,00000004,00E7F1F0,?,00000000), ref: 00E82F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E7CAA0,00000008,00000004,00E7F1F0,?,00000000), ref: 00E82F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E7CAA0,00000008,00000004,00E7F1F0,?,00000000), ref: 00E82F7B

Strings

Thread pool initialization failed., xrefs: 00E82F93

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: fe76df2a25cab54d70510a2fe438576a5f87b58a70d47699de67124a65d7ae17
Instruction ID: cb64fa8484a0b84e91cc82ca987657bd36048162f1d04434e09c73be48867469
Opcode Fuzzy Hash: fe76df2a25cab54d70510a2fe438576a5f87b58a70d47699de67124a65d7ae17
Instruction Fuzzy Hash: 491182B1604708AFC3316F668C84A97FBEDFB99344F54582EF2DEA2200D6716940CB50

Function 00E900EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00E9012E, 00E90162
RENAMEDLG, xrefs: 00E90143

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: b8964faf54725d44ed58c78b2aa0e715254b16140f096c52e025ea6e93cdf5cf
Instruction ID: 446a8b4f24c10a4b1d1a4cf1598939577016a5465041cd275a151b8cf82b6ea1
Opcode Fuzzy Hash: b8964faf54725d44ed58c78b2aa0e715254b16140f096c52e025ea6e93cdf5cf
Instruction Fuzzy Hash: 0901B17260A204AFDB125F67FC44BA77BB4EB49754B501026FA45F3270D2328C58DBA0

Function 00E74B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00E74B42

Part of subcall function 00E9106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E91079
Part of subcall function 00E9106D: ___delayLoadHelper2@8.DELAYIMP ref: 00E9109F

std::_Xinvalid_argument.LIBCPMT ref: 00E74B4D

Strings

string too long, xrefs: 00E74B3D
vector too long, xrefs: 00E74B48

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: 078e373c1c75b97f06c189cdedf921d12505df5b6474354b4e9f8791a2f471c2
Instruction ID: ffbd3fc0c74fba9b1998bcc5d5734ac40f578125b8e75de107351a1bb62f7716
Opcode Fuzzy Hash: 078e373c1c75b97f06c189cdedf921d12505df5b6474354b4e9f8791a2f471c2
Instruction Fuzzy Hash: 79F0A071200304AB8B34AF99DC45C4AB7EDEFC9BA0710691AF989E7641C3B1FD448BB1

Function 00E7BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E7BD93
_wcslen.LIBCMT ref: 00E7BDB6
_wcslen.LIBCMT ref: 00E7BE4C
_wcslen.LIBCMT ref: 00E7BEB1

Part of subcall function 00E7C37A: FindClose.KERNEL32(00000000,000000FF,?,?,?,?,00E787BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00E7C3A5

Part of subcall function 00E7BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 00E7BC1C
Part of subcall function 00E7BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 00E7BC48

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: d82b1c7a46124e31265786b771704b0c97126ffc60395e3497e751b02338ded6
Instruction ID: b27bb833805fe8c21d2fd3063cea137fef81c728619d219e10eeb12c4c1863da
Opcode Fuzzy Hash: d82b1c7a46124e31265786b771704b0c97126ffc60395e3497e751b02338ded6
Instruction Fuzzy Hash: F241D97250479456CB30EB648C45AFBB3E9DF84304F44A81EEA9DB3241EB749D88C7A1

Function 00E7849E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000800,?,?,2D272A92,00000000,?,00000000), ref: 00E78596

Part of subcall function 00E78C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E78CB2
Part of subcall function 00E78C95: GetLastError.KERNEL32 ref: 00E78CF6
Part of subcall function 00E78C95: CloseHandle.KERNEL32(?), ref: 00E78D05

Strings

SeRestorePrivilege, xrefs: 00E78531
T, xrefs: 00E78557, 00E7857A
SeSecurityPrivilege, xrefs: 00E7851C

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege$T
API String ID: 1245819386-1848529312
Opcode ID: 0ef9c4d899f22e94c876bcaf69d1f7bb24c124f5cb0802580f4427d0733cc227
Instruction ID: 347000e7d72e02d2a7cd3a053d46cbf3646e3c1dc3b18b2239843bf945b35992
Opcode Fuzzy Hash: 0ef9c4d899f22e94c876bcaf69d1f7bb24c124f5cb0802580f4427d0733cc227
Instruction Fuzzy Hash: 1A41FF71A44288AEDF20EFA49D05BFE77E8EB19304F04905EFA49F7281DB705A44CB21

Function 00E9EFD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E97F99,?,00E97F99,?,00000001,?,?,00000001,00E97F99,00E97F99), ref: 00E9F025
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9F0AE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E9F0C0
__freea.LIBCMT ref: 00E9F0C9

Part of subcall function 00E9BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E96A24,?,0000015D,?,?,?,?,00E97F00,000000FF,00000000,?,?), ref: 00E9BCC0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6c7c40ce4b482b2ee20d0219bf4fc3bce811599006e0871d84e0ebea611a66a8
Instruction ID: 72bb27093a043915daac08da6267786cbadd13c1cf0efba79f65e2ef0ccaaf1f
Opcode Fuzzy Hash: 6c7c40ce4b482b2ee20d0219bf4fc3bce811599006e0871d84e0ebea611a66a8
Instruction Fuzzy Hash: 4331F072A0021AAFCF249F64DC41DAE7BA9EB45310B044229FC04E7292E736DC94CBA0

Function 00E8C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E8C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E8C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E8C613
ReleaseDC.USER32(00000000,00000000), ref: 00E8C621

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f7af7b9baa09ab92233e7dc94026737874d32235019240a64d3bb2b680e888a8
Instruction ID: a912eb81f6968ed6a8de692241da1605b7942b0b3a15dd307370f224c280ffc3
Opcode Fuzzy Hash: f7af7b9baa09ab92233e7dc94026737874d32235019240a64d3bb2b680e888a8
Instruction Fuzzy Hash: 21E0EC3198F660AFD3211B62BC1DF9B3B54EB1AB13F144216F645B62D0EA7044088FE0

Function 00E9D808 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9D974

Part of subcall function 00E96676: IsProcessorFeaturePresent.KERNEL32(00000017,00E96648,00000000,00E9B5F4,00000000,00000000,00000000,00000016,?,?,00E96655,00000000,00000000,00000000,00000000,00000000), ref: 00E96678
Part of subcall function 00E96676: GetCurrentProcess.KERNEL32(C0000417,00E9B5F4,00000000,?,00000003,00E9BA28), ref: 00E9669A
Part of subcall function 00E96676: TerminateProcess.KERNEL32(00000000,?,00000003,00E9BA28), ref: 00E966A1

Strings

*?, xrefs: 00E9D84B
., xrefs: 00E9DB2B

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction ID: 45a96c1de29c13530d672b13b7d916d8a651580d7661a3d510aff43cb809c219
Opcode Fuzzy Hash: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction Fuzzy Hash: 7351DE71E04219EFDF24DFA8CC81AADBBF5EF89314F24916AE844F7301E6719A018B50

Function 00E8D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E8D7D1
_wcslen.LIBCMT ref: 00E8D7EC

Strings

}, xrefs: 00E8D7C4

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: d96aad4d8e73067ffff5dce9fb03f791d998df9e47195d1cfd673e2953f04e02
Instruction ID: 2aa0f2b04e7869b3c9e6c9b597ca979179084d443501c6da75a9100fc9f9eb38
Opcode Fuzzy Hash: d96aad4d8e73067ffff5dce9fb03f791d998df9e47195d1cfd673e2953f04e02
Instruction Fuzzy Hash: 0621C13290834A5EDB35FB64CD45A6BB3E8EF85714F40142AF54CE3181EA71EC4887E2

Function 00E8CEBF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E8D392: GetCurrentProcess.KERNEL32(00020008,?), ref: 00E8D3A1
Part of subcall function 00E8D392: GetLastError.KERNEL32 ref: 00E8D3CC

CreateDirectoryW.KERNEL32(?,?), ref: 00E8CF61
LocalFree.KERNEL32(?), ref: 00E8CF6F

Strings

, xrefs: 00E8CF20

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-1651818964
Opcode ID: 1aeedb64d97b3465d74c4f8a90296121833d319ffcd1395aa3b5b34a831b3dff
Instruction ID: eddec85bcc18f3353076663df9ba8f1446aa4b3594a9c502964caf87b258a57c
Opcode Fuzzy Hash: 1aeedb64d97b3465d74c4f8a90296121833d319ffcd1395aa3b5b34a831b3dff
Instruction Fuzzy Hash: 6F21DBB1900249AFDB10DF65D9449EF7BFCFF45304F50812AB919E2150E734DA59CB60

Function 00E7D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E7D8D3

Part of subcall function 00E74C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E74C13

Strings

%c:\, xrefs: 00E7D8C9

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 8f7cb306c5c249321e5dcb5cd96d5e1e2057ca6239a21b89f286817f3987675f
Instruction ID: d55c72da9803ebd2dd88f8a75113ba4c32a438ca1e3cdaf27fef2b42e38c9ba0
Opcode Fuzzy Hash: 8f7cb306c5c249321e5dcb5cd96d5e1e2057ca6239a21b89f286817f3987675f
Instruction Fuzzy Hash: 3F01286350831179DB346B799C46D6BA7FCEED6360744E41BF94CF6092EA60E840C2B1

Function 00E910F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E9130A
___raise_securityfailure.LIBCMT ref: 00E913F2

Strings

8], xrefs: 00E913ED

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]
API String ID: 3761405300-438778366
Opcode ID: 83fc38759321ec621a259eb3db65f4806966d171db06f395563779d4b26c20ca
Instruction ID: b4e2b3528adc49786353ccff649358000bf0e24df69c03cac8d208e7d30a4348
Opcode Fuzzy Hash: 83fc38759321ec621a259eb3db65f4806966d171db06f395563779d4b26c20ca
Instruction Fuzzy Hash: 022114B6502B00DFE710EF16F9896553BA5FB08314F50552BEA08AB3B0D3B09A88CF45

Function 00E8D392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 00E8D3A1
GetLastError.KERNEL32 ref: 00E8D3CC

Strings

@, xrefs: 00E8D3A8

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: CurrentErrorLastProcess
String ID: @
API String ID: 335030130-2548697605
Opcode ID: 065534935a3cf6179dac99189e01426993d916265342de06d1efa82ac30bf963
Instruction ID: 95e45a03ce1b1bfcd32a23685be93f37d458f3199df6279bff9fb8fb3556c6db
Opcode Fuzzy Hash: 065534935a3cf6179dac99189e01426993d916265342de06d1efa82ac30bf963
Instruction Fuzzy Hash: EA012D75505218FFDF116FA1AC89EEE7B7DEB05354F101066F509F1090E6719E84AB60

Function 00E90B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00E90AC5,0000001C,00E90CBA,00000000,?,?,?,?,?,?,?,00E90AC5,00000004,00ED5D24,00E90D4A), ref: 00E90B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E90AC5,00000004,00ED5D24,00E90D4A), ref: 00E90BAC

Strings

D, xrefs: 00E90BA0

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 9546ca3f093b8decf8509d89c59d1eda75176b39e30a7b28c5c06963b3d898d6
Instruction ID: fee98a7a1d20b9325a4add5bcb04b22b62bb58b59655ea107aeeec83c45e69d5
Opcode Fuzzy Hash: 9546ca3f093b8decf8509d89c59d1eda75176b39e30a7b28c5c06963b3d898d6
Instruction Fuzzy Hash: 5E0184726001096FDF14DF29DC05BDE7BAAAFC5328F0CC124AD59E7255E634E9158680

Function 00E9E19E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9B9A5: GetLastError.KERNEL32(?,00EB50C4,00E96E12,00EB50C4,?,?,00E9688D,?,?,00EB50C4), ref: 00E9B9A9
Part of subcall function 00E9B9A5: _free.LIBCMT ref: 00E9B9DC
Part of subcall function 00E9B9A5: SetLastError.KERNEL32(00000000,?,00EB50C4), ref: 00E9BA1D
Part of subcall function 00E9B9A5: _abort.LIBCMT ref: 00E9BA23

_abort.LIBCMT ref: 00E9E1D0
_free.LIBCMT ref: 00E9E204

Strings

p,, xrefs: 00E9E1FB

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p,
API String ID: 289325740-2703748495
Opcode ID: 46f92b7a1ac0024f840b12f7de3294bac72167335b0bf3731d091f20dabbd1d0
Instruction ID: c4e35ca8ace79f24d3f7cd66183ef0051ba02163a22754feba6b0fbafefaa782
Opcode Fuzzy Hash: 46f92b7a1ac0024f840b12f7de3294bac72167335b0bf3731d091f20dabbd1d0
Instruction Fuzzy Hash: 2B018471D01622DFCF25DF5AD80125DB3A4BF48B25B15221AEA6477390CB70BD418FC1

Function 00E91405 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E91410
___raise_securityfailure.LIBCMT ref: 00E914CD

Strings

8], xrefs: 00E914C8

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]
API String ID: 3761405300-438778366
Opcode ID: bcec65b02cbffaba85ae308b5ef887ed216c62e3640a2df593203f6ff129fb82
Instruction ID: b8614cab0f26117fe38c2ccda2ed68e6ce082e39d480ee5ff7ef02f2e97e2c8c
Opcode Fuzzy Hash: bcec65b02cbffaba85ae308b5ef887ed216c62e3640a2df593203f6ff129fb82
Instruction Fuzzy Hash: 7D11E0B6512B04DFD710EF17F9856553BB5FB09301B10502BEC08AB3B0E3B09A498F56

Function 00E9AABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E580: GetEnvironmentStringsW.KERNEL32 ref: 00E9E589
Part of subcall function 00E9E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9E5AC
Part of subcall function 00E9E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E9E5D2
Part of subcall function 00E9E580: _free.LIBCMT ref: 00E9E5E5
Part of subcall function 00E9E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E9E5F4

_free.LIBCMT ref: 00E9AB00
_free.LIBCMT ref: 00E9AB07

Strings

pb, xrefs: 00E9AAED

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: pb
API String ID: 400815659-3672949377
Opcode ID: 924c04d37d341a0b2f8b8d05c772404d400670893824dc77a5a38e4061df8e78
Instruction ID: 8d6174934f8abc1a8b15106b6fc32c76f4f818bb3d936dfe884d14cd377a76bc
Opcode Fuzzy Hash: 924c04d37d341a0b2f8b8d05c772404d400670893824dc77a5a38e4061df8e78
Instruction Fuzzy Hash: 6BE0E512A065105AAFB1B67F7D02ADA02958FC1338B253336F520BA2D2EED4884640D3

Function 00E830CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00E831E7,?,?,00E8325F,?,?,?,?,?,00E83249), ref: 00E830D0
GetLastError.KERNEL32(?,?,00E8325F,?,?,?,?,?,00E83249), ref: 00E830DC

Part of subcall function 00E77BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E77BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E830E5

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 0497e9626b75a49a7da2f056bf1f64268d3deefa62cb70ef4c50598ffd6e754a
Instruction ID: 47fb79eb3ada3f31f854041aa0de25260031bc64d660c0f4156444b498b8d23d
Opcode Fuzzy Hash: 0497e9626b75a49a7da2f056bf1f64268d3deefa62cb70ef4c50598ffd6e754a
Instruction Fuzzy Hash: 67D05E3290C5303ADA11B3245C0EEAF394A9F67731F669714F1BE791E5CA204D9146D1

Function 00E801FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00E7F951,?), ref: 00E801FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E7F951,?), ref: 00E8020D

Strings

RTL, xrefs: 00E80207

Memory Dump Source

Source File: 00000005.00000002.2155789514.0000000000E71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000005.00000002.2155774187.0000000000E70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155823147.0000000000EA6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB5000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000EB9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155856515.0000000000ED6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2155994226.0000000000ED7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e70000_Heart-Sender-V1.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: ffa0e8e92b406d5c93e8862b77297a22a4fa4e40dba424d642af0d9857426b13
Instruction ID: 3dd9ac6c5697fb1f186a997e227c6e8391c1ec291ee7afaf4e847ad670cb149c
Opcode Fuzzy Hash: ffa0e8e92b406d5c93e8862b77297a22a4fa4e40dba424d642af0d9857426b13
Instruction Fuzzy Hash: A6C012312407505AD73067726C4DB833E586B07715F091448B545FA1D1D6E6E8898760

Analysis Process: HeartSender.exePID: 3748, Parent PID: 6960COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	82

Executed Functions

Function 0040195B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

GetTempFileNameW.KERNEL32(?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020), ref: 00401B38

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

Strings

`A, xrefs: 00401AC8
`A, xrefs: 00401A20
`A, xrefs: 00401A73
`A, xrefs: 00401B2C

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: `A$ `A$ `A$ `A
API String ID: 368575804-2594752929
Opcode ID: d30ce261afac5ce3852bfbcc64f89f07c954c0fb097e7903f9b80452b807dfe3
Instruction ID: da94853b8b5bd26d1bd5120d1b9c906e5f4cf8f619d60ffb6644f8987c096960
Opcode Fuzzy Hash: d30ce261afac5ce3852bfbcc64f89f07c954c0fb097e7903f9b80452b807dfe3
Instruction Fuzzy Hash: 6651EEB59047006ED601BBB2DD42E7F7B7EEB98318F00883FB540690E2C63D9C559A6D

Function 00401000 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DDD0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
Part of subcall function 0040DDD0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 00409AE0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Part of subcall function 00409609: InitializeCriticalSection.KERNEL32(004176C8,00000004,00000004,004095DC,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409631

Part of subcall function 00408D8E: memset.MSVCRT ref: 00408D9B
Part of subcall function 00408D8E: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
Part of subcall function 00408D8E: CoInitialize.OLE32(00000000), ref: 00408DBD

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004176A0,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409D9F
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DC5
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E22

Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A3B8
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3D1
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3DB

Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A2FB
Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A310

Part of subcall function 0040DB6A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
Part of subcall function 0040DB6A: memset.MSVCRT ref: 0040DBD5

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040), ref: 00401BF2

HeapDestroy.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011B5
ExitProcess.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011BA

Strings

*`A, xrefs: 00401085
6`A, xrefs: 0040112D

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonControlsDestroyEnumExitInitLoadModuleProcessResourceTypes
String ID: *`A$6`A
API String ID: 2062415080-4032199909
Opcode ID: d321d8028d6722669ed11f7fa1be113758f4e77c945287685f05025b2bbb5530
Instruction ID: 054f58a703c2077171097cea621e0c228d2d39f1c558e4fc4fd495567313132e
Opcode Fuzzy Hash: d321d8028d6722669ed11f7fa1be113758f4e77c945287685f05025b2bbb5530
Instruction Fuzzy Hash: 33311C30A84700A9E610B7F29C43FAE3A65AF1874DF11803FB649791E3DEBD55448A6F

Function 00403DF3 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,020B8F60,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(020B8F60,020B8F60,00002710), ref: 00402C34

Part of subcall function 0040E020: TlsGetValue.KERNEL32(0000000D,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E02A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00409860: SetEnvironmentVariableW.KERNEL32(020B8F60,020B8F60,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,020B8F60,020B8DC0,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,020B8E40,00000000,00000000,00000000,00000000,00000000,020B8F60,020B8DC0,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,00416026,00000000,00000000,00000000,00000001,020B8E40,00000000,00000000,00000000,00000000,00000000,020B8F60,020B8DC0), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020B8F60), ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

`A, xrefs: 00404090
&`A, xrefs: 004044BE
&`A, xrefs: 0040452C

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: &`A$&`A$`A
API String ID: 1881381519-2092548216
Opcode ID: d8bfe981472dcd7d93d567ac996c87e0102c3ae3209f1c8df4a41c7dce2c2386
Instruction ID: 95625e34f548e5502c8bb68b533fb61ff434c3c21d69ae2a44b2ba18bfe99ca0
Opcode Fuzzy Hash: d8bfe981472dcd7d93d567ac996c87e0102c3ae3209f1c8df4a41c7dce2c2386
Instruction Fuzzy Hash: 1822E9B5914700AED200BBF1DD8197F77BDEB98718F10D83FB540AA192CA3CD8465B69

Function 0040A6F6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: HeapReAlloc.KERNEL32(020B0000,00000000,?,?), ref: 0040E267

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A70D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A71A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A72C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A739
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A73E

Strings

GetLongPathNameW, xrefs: 0040A726
Kernel32.DLL, xrefs: 0040A713

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction ID: 764606bb569eff9aa2a854e4b0558f5753b22c8873abefb13c435e0df7790d1f
Opcode Fuzzy Hash: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction Fuzzy Hash: B4F0E9322012147FC2102BB6AC4CEEB3E6CDF95755701443AF904E2251DB69CC20C2BD

Function 0040AA60 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AAD1
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB12
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB5C
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040AB7E
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040ABB7
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC0A

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction ID: 35cb0034da6faa60fecaa9fe6ab12df6337e8788845343623408397181d4bc5b
Opcode Fuzzy Hash: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction Fuzzy Hash: E451B171204300ABE3218E28DC44B57BAE5EB44764F614A3AFA51A62E0D779EC55CB1E

Function 0040D7B9 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0041761C,00417614,0040D982,00000000,FFFFFFED,00000200,77355E70,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D7FA
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D831
LeaveCriticalSection.KERNEL32(0041761C,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D88A
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77355E70,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D89B
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8D7

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction ID: 1c1621ef8b81eb37d3c39fa836f306ed5b79470d652240547c7f2301dbf87725
Opcode Fuzzy Hash: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction Fuzzy Hash: DE31A2B2D007019BC3209F99D844A57BBF4FB44760B15C53EE465A7390D738E908CB98

Function 00402022 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction ID: f63886f370766692049a8ab09fc70fe74b01992a8596c344147a8d3c31b217da
Opcode Fuzzy Hash: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction Fuzzy Hash: E9218971008309AFD700EF64C845A9FBBE9EF44308F10882EF198A6291DB79D905DB96

Function 00401B8F Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00409638: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
Part of subcall function 00409638: wcscmp.MSVCRT ref: 00409662
Part of subcall function 00409638: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 0040967A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040), ref: 00401BF2

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 0063aafd9020792fbe265351b06ea94fb08b9e32f4b7edb8fab04e6c2952d322
Instruction ID: 3462f3606e8cbb1e1a4d79c74de0940f317b4d1ea5cf6404f74aab9d4bf66b3f
Opcode Fuzzy Hash: 0063aafd9020792fbe265351b06ea94fb08b9e32f4b7edb8fab04e6c2952d322
Instruction Fuzzy Hash: 4251F7B59047006AE6007BF2DD86E7F66AEDBD4718F10883FB5407D0D2CA3C8C5966AD

Function 0040AFC0 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AFF8
memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B032

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction ID: ace082a42c8b9570e8fa48c2980c6e4681abbcae92d9a1b023345ff456592002
Opcode Fuzzy Hash: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction Fuzzy Hash: 4B313A392007009FC220DF29D844E5BB7E5EFD8714F04882EE59A97750D335E919CFA6

Function 0040DE60 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99
RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction ID: e6d91f3b09335801e5746b2964150cf116aaa33277573073d0b775b4e860d931
Opcode Fuzzy Hash: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction Fuzzy Hash: E511B974A00208EFCB04DF98D894EAABBB6FF88315F10C559E9099B354D735AA41CB94

Function 0040A665 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040A683
wcslen.MSVCRT ref: 0040A695
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction ID: 630a5c6db6187271ae83db4eaeb36511880b8bdc4cdf20ec5a399f16e344c0a7
Opcode Fuzzy Hash: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction Fuzzy Hash: 0F01DBB08113189BCB24DB64CC8DABA7378DF00300F6446BBE455E21D1E77A9AA4DB4A

Function 00408D8E Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408D9B
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
CoInitialize.OLE32(00000000), ref: 00408DBD

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction ID: 781e80edae316a95334d3837f50a89f25f26191aceb080d9ad1fe250ea93eb12
Opcode Fuzzy Hash: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction Fuzzy Hash: 3AE0E6B594030CBBDB409FD0DC0EF9D7B7CE704705F404565F50496181EBB596048B95

Function 0040AD60 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D438: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
Part of subcall function 0040D438: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040AD93
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040ADB5

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID:
API String ID: 3705299215-0
Opcode ID: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction ID: cb55299900a1a52b407eca00395bc400cfc912b247b49f0a026709af4e8a3faf
Opcode Fuzzy Hash: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction Fuzzy Hash: 0411D031100300ABC2305F5AEC48F57BBAAEFC5761F11863EF5A5A26E0C77698558B69

Function 0040DB6A Relevance: 3.1, APIs: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DCBD: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DB7B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 0040DCFE

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
memset.MSVCRT ref: 0040DBD5

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction ID: 4684dd51efb4be1c7f6cbbcd141334eab977ef2b41965c3d3424e441a95aa271
Opcode Fuzzy Hash: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction Fuzzy Hash: 8C117C729047149BC320DF49D840A4BBBE8FF98B50F05452EF989A7351D774EC04CBA5

Function 0040A759 Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A792,020B8F60,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A770
DeleteFileW.KERNELBASE(00000000,0040A792,020B8F60,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A77A

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction ID: 32816558c3505e2600197b6aa1c8e1867431839d95d1f98e5f62e5383a3a81ae
Opcode Fuzzy Hash: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction Fuzzy Hash: ECD06730148301A6D2555B20D90D79A7AB16B80786F15C829B485510F5C778C865E60B

Function 0040DDD0 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 0040E600: HeapAlloc.KERNEL32(020B0000,00000000,0000000C,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E60E
Part of subcall function 0040E600: HeapAlloc.KERNEL32(020B0000,00000000,00000010,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E622
Part of subcall function 0040E600: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E64B

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction ID: 18e5a0edc7d50c2b567692700943758183887443e0587578baab4a09ae3a6d99
Opcode Fuzzy Hash: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction Fuzzy Hash: C9D0127454430467D6002FB1BC0E7843B68B708B46F514C35F619962D1DBB5A000C51C

Function 0040A970 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A9B3
CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040A9BB

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction ID: 4b594e9f44d889535f58429decad5894e80191ff52abe98a3990b8650259e3e7
Opcode Fuzzy Hash: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction Fuzzy Hash: 45F08272505700ABC7222B99FC05F8BBB72EB91764F12893AF610210F8C7355861DB5D

Function 00402BFA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

GetShortPathNameW.KERNEL32(020B8F60,020B8F60,00002710), ref: 00402C34

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 00409B20: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B2C

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(020B0000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 2774ac9e5f7b38b0d256ed50f2b4cc7e54260e45ca4d121d23d8bc05adf22050
Instruction ID: acf91f0b192621483340f6d99b68dad878881d8e8b7377b9fd1201c82249adf8
Opcode Fuzzy Hash: 2774ac9e5f7b38b0d256ed50f2b4cc7e54260e45ca4d121d23d8bc05adf22050
Instruction Fuzzy Hash: E10140755086017AD5007BB1DD06D3F7669EFD0718F10C83FB444B90E2CA3C9C55AA5E

Function 0040A9E0 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A9A8,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA07

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction ID: 14d3056ca1924aee99cb04667f0b380ac70d83ad29f9bf771d01894620e497e9
Opcode Fuzzy Hash: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction Fuzzy Hash: CBF09276105700AFD720DF58D948B87B7E8EB58721F10C82EE59AD2690C770E854DB55

Function 00402BC1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction ID: 8a645f6298b96527a3a9e5c011dcec852996ed75ec820e929ccd6a5cacf3a2a4
Opcode Fuzzy Hash: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction Fuzzy Hash: 5FD0126081824986D750BE75850979BB3ECE704304F60887AE085565C1F7FCE9D99657

Function 00409B40 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction ID: 0e995b311a0039e38a6c1dd281e12789fe5386c316f45d3f47623ba04496a456
Opcode Fuzzy Hash: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction Fuzzy Hash: 7FC04C713542007AD6519B24AE49F5776A9BB70B42F01C8357655E21A5DB30EC10D728

Function 00409AE0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction ID: 76b444b78102f1190b75b28dd56e974357e96cc3189ac6b4b6122ebffb005697
Opcode Fuzzy Hash: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction Fuzzy Hash: ACB0127038434056E2110B109C06B803520B304F83F104420F211581D4C7E02000C60C

Non-executed Functions

Function 00408F09 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408DF8: wcslen.MSVCRT ref: 00408E04
Part of subcall function 00408DF8: HeapAlloc.KERNEL32(00000000,00000000,?,00408F21,?), ref: 00408E1A
Part of subcall function 00408DF8: wcscpy.MSVCRT ref: 00408E2B

GetStockObject.GDI32(00000011), ref: 00408F52
LoadIconW.USER32 ref: 00408F89
LoadCursorW.USER32(00000000,00007F00), ref: 00408F99
RegisterClassExW.USER32 ref: 00408FC1
IsWindowEnabled.USER32(00000000), ref: 00408FE8
EnableWindow.USER32(00000000), ref: 00408FF9
GetSystemMetrics.USER32(00000001), ref: 00409031
GetSystemMetrics.USER32(00000000), ref: 0040903E
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 0040905F
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00409073
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 004090A1
SendMessageW.USER32(00000000,00000030,00000001), ref: 004090B9
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 004090F7
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409109
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409111
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409126
wcslen.MSVCRT ref: 00409129
wcslen.MSVCRT ref: 00409131
SendMessageW.USER32(000000B1,00000000,00000000), ref: 00409143
CreateWindowExW.USER32(00000000,BUTTON,00412080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 0040916D
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040917F
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091B6
SetForegroundWindow.USER32(00000000), ref: 004091BF
BringWindowToTop.USER32(00000000), ref: 004091C6
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004091D9
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 004091EA
TranslateMessage.USER32(?), ref: 004091F9
DispatchMessageW.USER32(?), ref: 00409204
DestroyAcceleratorTable.USER32(00000000), ref: 00409218
wcslen.MSVCRT ref: 00409229
wcscpy.MSVCRT ref: 00409241
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409254

Strings

STATIC, xrefs: 0040909B
EDIT, xrefs: 004090ED
0, xrefs: 00408F65
BUTTON, xrefs: 00409166
D A, xrefs: 00408FA3

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D A$EDIT$STATIC
API String ID: 54849019-3594934238
Opcode ID: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction ID: 4016936b5c3c7f784b3cc7a4ee05ecee8f5df5742f345e72c0c18d3b3e823eb4
Opcode Fuzzy Hash: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction Fuzzy Hash: 1E917F70648300BFE7219F61DC4AF9B7FA9FB48B44F01893EF644A61E1C7B998408B59

Function 00401500 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00416020), ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 00405920: wcsstr.MSVCRT ref: 00405961

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

Part of subcall function 0040A665: wcsncpy.MSVCRT ref: 0040A683
Part of subcall function 0040A665: wcslen.MSVCRT ref: 0040A695
Part of subcall function 0040A665: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Strings

b`A, xrefs: 00401835
`A, xrefs: 00401645
b`A, xrefs: 0040158A
2`A, xrefs: 00401784
.`A, xrefs: 004016C5
2`A, xrefs: 00401861
.`A, xrefs: 004016F3
b`A, xrefs: 004015ED
.`A, xrefs: 0040169B
b`A, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
*`A, xrefs: 0040167C
2`A, xrefs: 004017CD
"`A, xrefs: 0040154F
b`A, xrefs: 004018F7

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmpwcsstr
String ID: `A$"`A$*`A$.`A$.`A$.`A$2`A$2`A$2`A$b`A$b`A$b`A$b`A$b`A
API String ID: 4088865958-588743708
Opcode ID: 3205e27709590908737becba6e2f407843fa08291c61041918eba4dc29fd7f9d
Instruction ID: ee34c1dc759ec8b9afbcc9474be159e29596370e2cc13c49719891b07a5b0ef3
Opcode Fuzzy Hash: 3205e27709590908737becba6e2f407843fa08291c61041918eba4dc29fd7f9d
Instruction Fuzzy Hash: 53B13FB5504701AED600FBA1DD8197F76A9EB98708F10C83FB044BA1E2CA3CDD599B6D

Function 004092F5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00409313

Part of subcall function 0040E350: TlsGetValue.KERNEL32(0000000D,\\?\,?,0040968D,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E35A

memset.MSVCRT ref: 00409321
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
wcsncpy.MSVCRT ref: 0040937D
wcslen.MSVCRT ref: 00409391
CoTaskMemFree.OLE32(?), ref: 0040941A
wcslen.MSVCRT ref: 00409421
FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Strings

$ A, xrefs: 0040936D
SHELL32.DLL, xrefs: 00409329
SHBrowseForFolderW, xrefs: 0040934A
P, xrefs: 004093C9
SHGetPathFromIDListW, xrefs: 00409352

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $ A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-128120239
Opcode ID: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction ID: 1392e4e60208b56ee8b10dacf4ca704cd47aacd570b2ed0dd50540f2d7556013
Opcode Fuzzy Hash: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction Fuzzy Hash: 81418571504300AAC720EF759C49A9FBBE8EF88744F00483FF945E3292D779D9458B6A

Function 004062B0 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 004063A5

Part of subcall function 0040E180: TlsGetValue.KERNEL32(0000000D,?,?,00405E65,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E18A

_wcsdup.MSVCRT ref: 004063EE
_wcsdup.MSVCRT ref: 00406409
_wcsdup.MSVCRT ref: 0040642C
wcsncpy.MSVCRT ref: 00406518
free.MSVCRT ref: 0040657C
free.MSVCRT ref: 0040658F
free.MSVCRT ref: 004065A2
wcsncpy.MSVCRT ref: 004065CE

Strings

$ A, xrefs: 004062CF
$ A, xrefs: 004062BF
$ A, xrefs: 004062DE

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $ A$$ A$$ A
API String ID: 1554701960-2077024048
Opcode ID: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction ID: ef8ff848e519ff80595976f88fda9aa54c27a9e0628953f57c1371388918df2b
Opcode Fuzzy Hash: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction Fuzzy Hash: 70A1BD71504301AFCB209F18C88166BB7B1EF94348F05093EFD86A7395E77AD925CB9A

Function 0040A7DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: HeapReAlloc.KERNEL32(020B0000,00000000,?,?), ref: 0040E267

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A803
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A815
wcscpy.MSVCRT ref: 0040A83B
wcscat.MSVCRT ref: 0040A846
wcslen.MSVCRT ref: 0040A84C
CoTaskMemFree.OLE32(?,00000000,00000000,?,020B8F60,00000000,00000000), ref: 0040A85A
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A861
wcscat.MSVCRT ref: 0040A879
wcslen.MSVCRT ref: 0040A87F

Strings

SHGetKnownFolderPath, xrefs: 0040A80F
Downloads\, xrefs: 0040A873
Shell32.DLL, xrefs: 0040A7FE

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1740785346-287042676
Opcode ID: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction ID: a59125e26d23ccb30f5fa0f47659a7dbf798ada992acc4f36018911529e702ca
Opcode Fuzzy Hash: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction Fuzzy Hash: 0D210A32244301B6E11037A2AD4AF6B3A68CB41B94F10843BFD01B51C1D6BC897696AF

Function 00411D62 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D72
InitializeCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411D7E
TlsGetValue.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D94
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DAE
EnterCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411DBF
LeaveCriticalSection.KERNEL32(00417680,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DDB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00411DF4
GetCurrentThread.KERNEL32 ref: 00411DF7
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DFE
DuplicateHandle.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E01
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,00411E5A,00000000,000000FF,00000008), ref: 00411E17
TlsSetValue.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E24
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E35

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction ID: 8d0ee0ed933d17ffb5573716605f6a27c21e7768710c452de208be154d108613
Opcode Fuzzy Hash: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction Fuzzy Hash: 91210770645301EFDB109FA4FC88B963B7AFB08761F11C43AFA059A2A5DB74D840CB68

Function 00403275 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: f02d473fc1ac19e5e85722fd277aba96ca7fe706b47e575be1252422ce4be597
Instruction ID: 120ea7a7f831b7b3701c46aacaf1f8b25255709322070768e577057f0a501d54
Opcode Fuzzy Hash: f02d473fc1ac19e5e85722fd277aba96ca7fe706b47e575be1252422ce4be597
Instruction Fuzzy Hash: 39512075518701AAD600BBB1CD82F2F66A9EFD0708F10C83FB144791D2CA3CD9595BAE

Function 0040D9E3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D7F5,00417614,0040D982,00000000,FFFFFFED,00000200,77355E70,00409E16,FFFFFFED,00000010), ref: 0040D9F1
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA06
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA21
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA30
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA42
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DA55

Strings

Kernel32.dll, xrefs: 0040D9EA
InitOnceExecuteOnce, xrefs: 0040DA00

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction ID: 78d57fd6bf002b5b6c2ef9560121a390c40c5b5e23dd256736785be4ed7191ec
Opcode Fuzzy Hash: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction Fuzzy Hash: 0E01D431B14204BBD7102FE4AC49FEB3B29EB86B12F11803AF505A11C4DB788909CA6D

Function 004094A7 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 004094B1
GetCurrentThreadId.KERNEL32 ref: 004094BF
IsWindowVisible.USER32(?), ref: 004094C6

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

GetCurrentThreadId.KERNEL32 ref: 004094E3
GetWindowLongW.USER32(?,000000EC), ref: 004094F0
GetForegroundWindow.USER32 ref: 004094FE
IsWindowEnabled.USER32(?), ref: 00409509
EnableWindow.USER32(?,00000000), ref: 00409519

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction ID: d72cecd996af7503d4a55556d0eaf5d1fe8b6ec4fae3718c35eb9c11583601b7
Opcode Fuzzy Hash: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction Fuzzy Hash: B10175312043016ED3215B79AC88AAB7AE8EF95754B15803EF545E31A6DB74DC01C669

Function 00408E54 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408E8D
GetWindowLongW.USER32(?,000000EB), ref: 00408E9C
GetWindowTextLengthW.USER32 ref: 00408EAA
HeapAlloc.KERNEL32(00000000), ref: 00408EBF
GetWindowTextW.USER32(00000000,00000001), ref: 00408ECF
DestroyWindow.USER32(?), ref: 00408EDD
UnregisterClassW.USER32 ref: 00408EF3

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction ID: f973f4e0a74c58c8f3dc6b35f62902cd2ce24d79b6cf0357400b1c80f0f6dd69
Opcode Fuzzy Hash: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction Fuzzy Hash: 5011CE3100821AFBCB116F64FD0C9AA3F66EB18395B11C03AF949A22F4DA799951DB58

Function 00409528 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(004094A7,?), ref: 0040953B
GetCurrentThreadId.KERNEL32 ref: 00409553
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040956F
GetCurrentThreadId.KERNEL32 ref: 0040958F
EnableWindow.USER32(?,00000001), ref: 004095A5
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095BC

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction ID: f5bff55c5df6c6442a3445df2da52706b8c810d9f19cb65a9eb7b3fa66b57753
Opcode Fuzzy Hash: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction Fuzzy Hash: 6A11AC32609351BBD7324B17EC08F53BBA9AB81B21F15863EF456221E1DB759D00C618

Function 0040D2F3 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D318
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D32C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D339
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D350
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D35F
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D36E

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction ID: 9f859b01fecb640b0c0eeeefa64339d4fa0418cdbc8b4e3825918bdf59145f1e
Opcode Fuzzy Hash: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction Fuzzy Hash: 76116072B44710AFD7119FA9EC48AA67BB9FB48760B05843AFA04D33A0D7359C048B6C

Function 00411CE4 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 00411CEE
CloseHandle.KERNEL32(?,?,?,?,00411E6A,?), ref: 00411CF7
EnterCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D03
LeaveCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D28
HeapFree.KERNEL32(00000000,00000000,?,?,?,00411E6A,?), ref: 00411D46
HeapFree.KERNEL32(?,?,?,?,?,00411E6A,?), ref: 00411D58

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction ID: 8f9f96d7996d446dd79b7cbdc6e3cce5d3da35cfe841f16b8799e142d118698f
Opcode Fuzzy Hash: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction Fuzzy Hash: 6B012574202601BFCB119F15FD88A96BB79FF493513118139E61A87630C735AC51CB98

Function 00405553 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

RtlGetVersion, xrefs: 0040557B
ntdll.dll, xrefs: 0040556C

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction ID: d7b210edb93dcdeb2ccead98f224fd87bedff0db37ff7f51e22340fec2856e60
Opcode Fuzzy Hash: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction Fuzzy Hash: E0E0DF317606127AD6202B32AC09FCB2F9DDFCAB00B15043AB109F21C4E67CC5018ABD

Function 00405492 Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020B8F60), ref: 004054AB
EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction ID: c80a9bd37122c97109a10f206962e584b77ac8964ddc4e7c45fa9607085a50ae
Opcode Fuzzy Hash: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction Fuzzy Hash: 1111A336204710BFC2115F59EC05E97BB69EB45762722802AF80197294EB75E9508F6D

Function 0040D8E6 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D968
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D977

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction ID: 7b35f574515ae906377effd3f95b136c975bcdd302f3c0dc89a566dd6d791b35
Opcode Fuzzy Hash: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction Fuzzy Hash: BB1158B5502601EFC320AF59EC08F97BBB5FF44311F11843AA44AA36A1C734E849CF98

Function 00409638 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: HeapReAlloc.KERNEL32(020B0000,00000000,?,?), ref: 0040E267

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
wcscmp.MSVCRT ref: 00409662
memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 0040967A

Strings

\\?\, xrefs: 0040965A, 00409674

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 3734239354-4282027825
Opcode ID: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction ID: d9f8f264266041fd0450fbf5fddac35174bfa4872681c7093a6bedb058d4d6d6
Opcode Fuzzy Hash: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction Fuzzy Hash: 36F082B31007017BD2106777EC89CAB7F6CEB953B47500A3FF915D25D1EA39982486B8

Function 0040B1D6 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B277
memset.MSVCRT ref: 0040B280
memset.MSVCRT ref: 0040B289
memset.MSVCRT ref: 0040B296
memset.MSVCRT ref: 0040B2A2

Part of subcall function 0040C5D6: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B215,?), ref: 0040C630
Part of subcall function 0040C5D6: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B215,?), ref: 0040C67F

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction ID: d1c0989406727a65e9950a574f083ae989d166c781cac5fdd553c274dd2af307
Opcode Fuzzy Hash: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction Fuzzy Hash: D821F1317507082BE124AA29DC86F9F738CDB81708F40063EF201FA1C1CAB9F54546AE

Function 00405B40 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C0A
wcsncpy.MSVCRT ref: 00405C60

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction ID: cb064e81f22c81d64e764a7bfd7558cc4db0c0b6a5bd9f26a61017110445664c
Opcode Fuzzy Hash: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction Fuzzy Hash: 2151DE305087059BDB209F28D844A6BB7F4FF84348F544A2EFC45A72D0E778E915CB9A

Function 00406610 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 00406636
CharLowerW.USER32(00000000), ref: 00406670
CharLowerW.USER32(?), ref: 0040669F
CharLowerW.USER32(?), ref: 004066A5

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction ID: 85927fc96f9716e1d1e6d5b1ddc4ac0db90fb70db8c0b3b43891102a4ed5054c
Opcode Fuzzy Hash: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction Fuzzy Hash: 3A215775A043198BC710EF59A840477B7E4EB80761F46087AFC85A3380D63AEE199BB9

Function 00411E80 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D058,00000000), ref: 00411EB4
malloc.MSVCRT ref: 00411EC4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411EE1
malloc.MSVCRT ref: 00411EF6

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction ID: da1f4c5307a9808d3c7f8614f95932c7effa64efca2e052dfed00f08d58b5d3d
Opcode Fuzzy Hash: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction Fuzzy Hash: FE012E3734030227E32066A6AC02FE77B49CB85B95F19407AFF005E2C1CAA3A8008A79

Function 00411F20 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F51
malloc.MSVCRT ref: 00411F61
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F7B
malloc.MSVCRT ref: 00411F90

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction ID: 2143df0fa8f9e7073c9e362d0ea50869445b156f554053f4d5fb65981249776a
Opcode Fuzzy Hash: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction Fuzzy Hash: AE01643738030037E3204A95AC02FA77B4DCBC5B95F19407AFB005E2C6CBB3A8018AB8

Function 0040A90C Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,020B8F60,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?), ref: 0040A91E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A92F
wcslen.MSVCRT ref: 0040A93A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A958

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction ID: e8765f26a12464aff5057ee3a7a78408a7749531e725ecdfcc70520e35881baf
Opcode Fuzzy Hash: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction Fuzzy Hash: 70F08136600615BBC7206F66DC0AEAB7F78EF16660B424136F805E6250E7319920C7E5

Function 00405436 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction ID: e82d31de5584acb3c1822b09e6e690cbeb5bd259d621742d6e77904c892493b9
Opcode Fuzzy Hash: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction Fuzzy Hash: D4F0BE36904710EBC2205F60AC48BEB7B68EB44763726843BF80273190C738AC808E6E

Function 00403001 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405E50: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405EA1

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(020B0000,00000000,?,?), ref: 0040DEBC

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5

Part of subcall function 004092F5: CoInitialize.OLE32(00000000), ref: 00409313
Part of subcall function 004092F5: memset.MSVCRT ref: 00409321
Part of subcall function 004092F5: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
Part of subcall function 004092F5: wcsncpy.MSVCRT ref: 0040937D
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409391
Part of subcall function 004092F5: CoTaskMemFree.OLE32(?), ref: 0040941A
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409421
Part of subcall function 004092F5: FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,020B7EC0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

`A, xrefs: 004030CC

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUppermemsetwcsncpy
String ID: `A
API String ID: 2009453447-2737472851
Opcode ID: ca0bdc55cb743a91e515f50c3eb5c47eb136c2babfee0e4cd57d064459771e3e
Instruction ID: e0b9ffac2fcbd3cac9e210611f46d13d34f6da227652cecd82e9aee9d1240e54
Opcode Fuzzy Hash: ca0bdc55cb743a91e515f50c3eb5c47eb136c2babfee0e4cd57d064459771e3e
Instruction Fuzzy Hash: 2551C4B9A04B047EE500BBF2DD82E7F666EDAD4718B10983FB440BD0D2C93C9D49666D

Function 004024F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(020B0000,00000000,?), ref: 0040DE99

Part of subcall function 00409860: SetEnvironmentVariableW.KERNEL32(020B8F60,020B8F60,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000D), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(020B0000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Strings

&`A, xrefs: 004025FF

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: &`A
API String ID: 1199808876-2812803553
Opcode ID: a92ba5b68848cb68a32a4b278cce747947c7e4c0d884cd5ed3ad8e38ee2fe2e7
Instruction ID: f63cb6ba6756906bb1a885948d3e935d11b840abb1ca4822bfa7626acd848ba7
Opcode Fuzzy Hash: a92ba5b68848cb68a32a4b278cce747947c7e4c0d884cd5ed3ad8e38ee2fe2e7
Instruction Fuzzy Hash: 0341EEB59047016ED600BBB2DD8193F77ADEBD4718F10983FB040AA1D2CA3CD8595A6D

Function 004096DA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040D288: TlsGetValue.KERNEL32(?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D28F
Part of subcall function 0040D288: HeapAlloc.KERNEL32(00000008,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2AA
Part of subcall function 0040D288: TlsSetValue.KERNEL32(00000000,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2B9

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409810,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 004096F4

Strings

", xrefs: 00409716
, xrefs: 0040970E

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction ID: 4c648ba0253d95f00ea60fdf00931512a06ba22242bcbe44c620df30a2d3858e
Opcode Fuzzy Hash: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction Fuzzy Hash: 6031A473525221CADB749F24981137772A1EBB1B60F18817FE8926B3C2F37D8D419359

Function 00409F58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409F8D
wcscmp.MSVCRT ref: 00409FC6

Strings

$ A, xrefs: 00409F64

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: _wcsicmpwcscmp
String ID: $ A
API String ID: 3419221977-1415209610
Opcode ID: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction ID: a733317a4b81313ba419c318017c22e6bf29b3e2c3e1e122568c9b8a7727cdd0
Opcode Fuzzy Hash: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction Fuzzy Hash: 1111BFB2108B028FD3209F16D440923B3E9EFC8360324843FE849A3792DB79FC118A69

Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$ A, xrefs: 0040570B

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: $ A
API String ID: 626452242-1415209610
Opcode ID: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction ID: 51e3e9442c1b14bfca279b8410f0cbc31bbd530ab1d9b24216a3048053e00ad1
Opcode Fuzzy Hash: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction Fuzzy Hash: FFF0303638522176E231215A5C06F576A59C785F70F264236BB24BF2C585A1680059AC

Function 0040D51F Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?), ref: 0040D533
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?), ref: 0040D5E8
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000), ref: 0040D60B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?,?), ref: 0040D663

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction ID: c75203acf5dbc6b13cd53f4330a4279d02754d6c9a51f963ab4d277c9f4d2c3e
Opcode Fuzzy Hash: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction Fuzzy Hash: 67510570900B02AFC324CF69D980922B7F4FF587147108A3EE8AA97A94D335F959CB94

Function 0040E0D0 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040E0E5
HeapAlloc.KERNEL32(020B0000,00000000,0000000A), ref: 0040E109
HeapReAlloc.KERNEL32(020B0000,00000000,00000000,0000000A), ref: 0040E12D
HeapFree.KERNEL32(020B0000,00000000,00000000,?,?,0040506F,?,0041602A,00401095,00000000), ref: 0040E164

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction ID: 5c25edb19946727406606906c76980e1d10e687976c030b77a126e3da493f9c6
Opcode Fuzzy Hash: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction Fuzzy Hash: BD212774604209EFDB04CF94D884FAAB7BAFB48354F108569F9099F390D735EA41CB94

Function 0040D438 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D483
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction ID: a304a92e3806a45bcf6d327fe86cdfb5e6d5534298f9acb62e815e22c79c963c
Opcode Fuzzy Hash: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction Fuzzy Hash: 30112B32604700AFC3208FA8EC40D56B7FAFF58765B15892AE996E36A0C734F804CB65

Function 0040D67D Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D68F
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6A6
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6C2
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D6DF

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction ID: ccb09d183470463af25dc63fc94d1cebb037c249e32c06969674a21ae1653042
Opcode Fuzzy Hash: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction Fuzzy Hash: BF017C75A0261AEFC7108F95E904967BBBCFF08750301843AE80897654C731E864CFE8

Function 00409E6F Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0BA: memset.MSVCRT ref: 0040A122

Part of subcall function 0040D8E6: EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948
Part of subcall function 0040D8E6: LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409E9A
HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0

Memory Dump Source

Source File: 00000006.00000002.4600451396.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4600400899.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600535471.0000000000412000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600604905.0000000000416000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.4600670320.0000000000418000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_HeartSender.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction ID: bfb960cb52ae9f1737c5edf5dab89cb24d0a80b98fb865d44a1203debf2c4dae
Opcode Fuzzy Hash: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction Fuzzy Hash: 40F0FF31205609BFC6126F5AED40D57BF7DFF5A7983464136B404626B0C732EC619AA8

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hKgrI6tqYx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\A1.exe

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\HtmlAgilityPack.dll

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Settings.ini

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\license.txt

C:\Users\user\AppData\Local\Temp\Config\File0.exe

C:\Users\user\AppData\Local\Temp\Config\File00.exe

C:\Users\user\AppData\Local\Temp\EDAB.tmp\EDAC.tmp\EDAD.bat

C:\Users\user\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat

C:\Users\user\AppData\Local\Temp\Heart-Sender-V1.2.exe

C:\Users\user\AppData\Local\Temp\Heart-Senders-Crackeado.exe

C:\Users\user\AppData\Local\Temp\HeartSender.exe

C:\Users\user\AppData\Local\Temp\HtmlAgilityPack.dll

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Crypto\Cipher\_Salsa20.pyd

Windows Analysis Report
hKgrI6tqYx.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre