Edit tour

Windows Analysis Report
h2TTyq9R7h.exe

Overview

General Information

Sample name:	h2TTyq9R7h.exe renamed because original name is a hash value
Original sample name:	9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133.exe
Analysis ID:	1571561
MD5:	396b829cf9e2e9ff8dd029a418d1f383
SHA1:	a4a555781f284f90fcb2342e2f25bdbf85902b64
SHA256:	9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133
Tags:	213-21-220-222exeuser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected potential unwanted application

Injects a PE file into a foreign processes

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables security privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

h2TTyq9R7h.exe (PID: 2720 cmdline: "C:\Users\user\Desktop\h2TTyq9R7h.exe" MD5: 396B829CF9E2E9FF8DD029A418D1F383)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AppLaunch.exe (PID: 3628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["213.21.220.222:8080"], "Bot Id": "FANTOMAS", "Authorization Header": "eedd2d3d70bb441348bd0b41eea2b7df"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3f8c4:$v2_1: ListOfProcesses 0x3f408:$v4_3: base64str 0x415ca:$v4_4: stringKey 0x3b16e:$v4_5: BytesToStringConverted 0x3a520:$v4_6: FromBase64 0x3bdd6:$v4_8: procName 0x3acff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 3628	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3f8c4:$v2_1: ListOfProcesses 0x3f408:$v4_3: base64str 0x415ca:$v4_4: stringKey 0x3b16e:$v4_5: BytesToStringConverted 0x3a520:$v4_6: FromBase64 0x3bdd6:$v4_8: procName 0x3acff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.h2TTyq9R7h.exe.8b1000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.h2TTyq9R7h.exe.8b1000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3dac4:$v2_1: ListOfProcesses 0x3d608:$v4_3: base64str 0x3f7ca:$v4_4: stringKey 0x3936e:$v4_5: BytesToStringConverted 0x38720:$v4_6: FromBase64 0x39fd6:$v4_8: procName 0x38eff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
3.2.AppLaunch.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3f8c4:$v2_1: ListOfProcesses 0x3f408:$v4_3: base64str 0x415ca:$v4_4: stringKey 0x3b16e:$v4_5: BytesToStringConverted 0x3a520:$v4_6: FromBase64 0x3bdd6:$v4_8: procName 0x3acff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.h2TTyq9R7h.exe.700000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.h2TTyq9R7h.exe.700000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18aac4:$s5: delete[] 0x1ec4c4:$v2_1: ListOfProcesses 0x1ec008:$v4_3: base64str 0x1ee1ca:$v4_4: stringKey 0x1e7d6e:$v4_5: BytesToStringConverted 0x1e7120:$v4_6: FromBase64 0x1e89d6:$v4_8: procName 0x1e78ff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 213.21.220.222, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Initiated: true, ProcessId: 3628, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": ["213.21.220.222:8080"], "Bot Id": "FANTOMAS", "Authorization Header": "eedd2d3d70bb441348bd0b41eea2b7df"}

Multi AV Scanner detection for submitted file

Source: h2TTyq9R7h.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: h2TTyq9R7h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: h2TTyq9R7h.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\XsO773WsaBoO1vF1grgiMyzp2iYTWqeU\Eternal.pdb source: h2TTyq9R7h.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb' source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2742974302.0000000005007000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2744419969.0000000009232000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 213.21.220.222:8080

Source: global traffic

TCP traffic: 192.168.2.11:49706 -> 213.21.220.222:8080

Source: Joe Sandbox View

IP Address: 213.21.220.222 213.21.220.222

Source: Joe Sandbox View

ASN Name: VERSIALV VERSIALV

Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222

Source: h2TTyq9R7h.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: h2TTyq9R7h.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: h2TTyq9R7h.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: h2TTyq9R7h.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: h2TTyq9R7h.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: h2TTyq9R7h.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: h2TTyq9R7h.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1LReqHa
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1LReqx
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1Response
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2LReq(
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2LReqdj
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2Response
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3LReqF
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3Response
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: h2TTyq9R7h.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: h2TTyq9R7h.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Detected potential unwanted application

Source: h2TTyq9R7h.exe

PE Siganture Subject Chain: CN=Valve, O=Valve, L=Bellevue, S=WA, C=US

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070770C	0_2_0070770C
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702D2E	0_2_00702D2E
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070641F	0_2_0070641F
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007021CB	0_2_007021CB
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00704093	0_2_00704093
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703738	0_2_00703738
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00701D61	0_2_00701D61
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007021EE	0_2_007021EE
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703738	0_2_00703738
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070295A	0_2_0070295A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007063E8	0_2_007063E8
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070362A	0_2_0070362A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00701492	0_2_00701492
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070295A	0_2_0070295A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703D91	0_2_00703D91
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00705DB2	0_2_00705DB2
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00706433	0_2_00706433
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702B5D	0_2_00702B5D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703346	0_2_00703346
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702757	0_2_00702757
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703DBE	0_2_00703DBE
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00705367	0_2_00705367
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702DEC	0_2_00702DEC
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0070143D	0_2_0070143D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007C3D29	0_2_007C3D29
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00707617	0_2_00707617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_04ED0848	3_2_04ED0848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_04ED140F	3_2_04ED140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_091D1E18	3_2_091D1E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_091D1E08	3_2_091D1E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_091D1458	3_2_091D1458

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: String function: 00706262 appears 54 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: String function: 007B070F appears 33 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: String function: 0070267B appears 61 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: String function: 007061B3 appears 47 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: String function: 007037E2 appears 62 times

Source: h2TTyq9R7h.exe

Static PE information: invalid certificate

Source: h2TTyq9R7h.exe	Binary or memory string: OriginalFilename vs h2TTyq9R7h.exe
Source: h2TTyq9R7h.exe, 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBrown.exe" vs h2TTyq9R7h.exe

Source: h2TTyq9R7h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03

Source: h2TTyq9R7h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h2TTyq9R7h.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\h2TTyq9R7h.exe "C:\Users\user\Desktop\h2TTyq9R7h.exe"
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: h2TTyq9R7h.exe

Static file information: File size 2222368 > 1048576

Source: h2TTyq9R7h.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: h2TTyq9R7h.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\XsO773WsaBoO1vF1grgiMyzp2iYTWqeU\Eternal.pdb source: h2TTyq9R7h.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb' source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2742974302.0000000005007000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2744419969.0000000009232000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, SystemExt.cs

.Net Code: RaiseEvent

Source: h2TTyq9R7h.exe	Static PE information: section name: .dmm
Source: h2TTyq9R7h.exe	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007025F4 push ecx; ret	0_2_0072C433
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_008B6004 push es; ret	0_2_008B605E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_04ED42C8 push ebx; ret	3_2_04ED42DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 8C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 92F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: A2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: A420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: B420000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

API coverage: 4.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL,

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_007069FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007069FB

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0077D14E mov ecx, dword ptr fs:[00000030h]	0_2_0077D14E
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00705867 mov eax, dword ptr fs:[00000030h]	0_2_00705867
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00703913 mov eax, dword ptr fs:[00000030h]	0_2_00703913
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00701D4D mov eax, dword ptr fs:[00000030h]	0_2_00701D4D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00701A96 mov edi, dword ptr fs:[00000030h]	0_2_00701A96

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_00707455 GetProcessHeap,

0_2_00707455

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_007069FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007069FB
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_0072C61C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0072C61C
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702874 Concurrency::cancel_current_task,IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00702874
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702874 Concurrency::cancel_current_task,IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00702874
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00702874 Concurrency::cancel_current_task,IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00702874
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: 0_2_00706C9E SetUnhandledExceptionFilter,	0_2_00706C9E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_007035E4 CreateProcessW,VirtualAllocEx,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_007035E4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 44E000	Jump to behavior
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 458000	Jump to behavior
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4B86008	Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_0072C161 cpuid

0_2_0072C161

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: GetLocaleInfoW,	0_2_00702EAA
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: GetLocaleInfoW,	0_2_00702EAA
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_0070178A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00703E6D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe	Code function: EnumSystemLocalesW,	0_2_007AFFA6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_0072C439 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0072C439

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe

Code function: 0_2_007C5EE0 GetTimeZoneInformation,

0_2_007C5EE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 3628, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 3628, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h2TTyq9R7h.exe	55%	ReversingLabs	Win32.Trojan.Injuke

Source	Detection	Scanner	Label	Link
213.21.220.222:8080	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
213.21.220.222:8080	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://tempuri.org/Contract/MSValue1LReqHa	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue2LReqdj	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.thawte.com0	h2TTyq9R7h.exe	false	high
http://tempuri.org/Contract/MSValue1LReqx	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue1LReq	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue2Response	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue3Response	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue3LReqF	AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue2LReq	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	h2TTyq9R7h.exe	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue2LReq(	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue3LReq	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Contract/MSValue1Response	AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/actor/next	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.21.220.222	unknown	Latvia		8285	VERSIALV	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571561
Start date and time:	2024-12-09 14:52:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h2TTyq9R7h.exe renamed because original name is a hash value
Original Sample Name:	9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 35 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: h2TTyq9R7h.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
213.21.220.222	1iYCBTo5tf.exe	Get hash	malicious	RedLine	Browse
	DTOmEgnQPL.exe	Get hash	malicious	RedLine	Browse
	O6QBxoK4Gf.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.8926.894.exe	Get hash	malicious	RedLine, zgRAT	Browse
	I2kX6f0yTr.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.19212.12665.exe	Get hash	malicious	RedLine, zgRAT	Browse
	3aH5fWewHY.exe	Get hash	malicious	RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VERSIALV	1iYCBTo5tf.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	DTOmEgnQPL.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	O6QBxoK4Gf.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	SecuriteInfo.com.Win32.CrypterX-gen.8926.894.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	I2kX6f0yTr.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	SecuriteInfo.com.Win32.TrojanX-gen.19212.12665.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	3aH5fWewHY.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	file.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	CX2tVQoETY.elf	Get hash	malicious	Mirai	Browse	213.21.196.8
	https://peyg.ir/429#cl/27574_md/3/27/661/20/46354	Get hash	malicious	Phisher	Browse	193.68.89.24

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.655980522506031
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	h2TTyq9R7h.exe
File size:	2'222'368 bytes
MD5:	396b829cf9e2e9ff8dd029a418d1f383
SHA1:	a4a555781f284f90fcb2342e2f25bdbf85902b64
SHA256:	9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133
SHA512:	d6283ac089476b81a651890ef6e2c9e5bb853110b1d922c1165750c02d74fd3f32758ce63f5c6df79c7fdd8b6f8eda3ca59c759d6df5375f5e7d6a1218f5bce6
SSDEEP:	24576:65KWm2JAR0Y13tn/mcL+LLnxVF6a9Dhvh1zk4VOxO:65Kf0Y13tn/Z+x6a3vHnVOk
TLSH:	30A5700272F91B59F5F30FB956BAA211483AFC698F11C3EF1261649E0C61AD38971B37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.5...[...[...[...X...[...^...[..._...[...Z...[...Z...[.L.^.^.[.L._...[.L.X...[...[...[...[...[...Y...[.Rich..[................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40121c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65577B48 [Fri Nov 17 14:40:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4e4a6bcb0a4d906241efada3b9ef82b0

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	24/09/2015 20:00:00 03/10/2018 08:00:00
Subject Chain	CN=Valve, O=Valve, L=Bellevue, S=WA, C=US
Version:	3
Thumbprint MD5:	A838A6307A958DEE97EBA2CC9CAE6234
Thumbprint SHA-1:	FA71189A8BD9FDF62DE757A3FC2978B24A0275DD
Thumbprint SHA-256:	99FC7F7F0F20DB32F9E9021C1B3442210CB7B867AE4F10B3333D73940E474164
Serial:	084CAF4DF499141D404B7199AA2C2131

Entrypoint Preview

Instruction
jmp 00007FD5B0BF4F3Fh
jmp 00007FD5B0C57F88h
jmp 00007FD5B0BEA59Ah
jmp 00007FD5B0C2B0C5h
jmp 00007FD5B0C17A84h
jmp 00007FD5B0BEC22Bh
jmp 00007FD5B0C02524h
jmp 00007FD5B0C95851h
jmp 00007FD5B0C17FDFh
jmp 00007FD5B0C58D01h
jmp 00007FD5B0C34FF2h
jmp 00007FD5B0C92317h
jmp 00007FD5B0BFDBCBh
jmp 00007FD5B0BF67B0h
jmp 00007FD5B0BF58ACh
jmp 00007FD5B0C33A20h
jmp 00007FD5B0C0DA6Fh
jmp 00007FD5B0C346C9h
jmp 00007FD5B0BFE7B5h
jmp 00007FD5B0BF8ED7h
jmp 00007FD5B0C7D2ADh
jmp 00007FD5B0BDB10Bh
jmp 00007FD5B0C53462h
jmp 00007FD5B0C3BCDEh
jmp 00007FD5B0C6FE2Eh
jmp 00007FD5B0C149E8h
jmp 00007FD5B0BE8312h
jmp 00007FD5B0BE0DBDh
jmp 00007FD5B0C61479h
jmp 00007FD5B0C41410h
jmp 00007FD5B0C1F633h
jmp 00007FD5B0BE9CA9h
jmp 00007FD5B0BE3694h
jmp 00007FD5B0C2BC67h
jmp 00007FD5B0BDA35Ah
jmp 00007FD5B0C3BDC4h
jmp 00007FD5B0C6BC1Fh
jmp 00007FD5B0C90A6Bh
jmp 00007FD5B0C0B9B3h
jmp 00007FD5B0C25B6Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1a4cd0	0x162	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1af354	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21ce00	0x1b20	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21a000	0x70dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1987b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x19aa4c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1986c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1af000	0x354	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd8d49	0xd8e00	b3d24ca39a8359e42bff8ce5164722df	False	0.32452607168587894	data	5.770884390750814	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xda000	0xcae32	0xcb000	2361af25e2c87130bdd4fa66c0a7d597	False	0.17529296875	data	3.6209582825069004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a5000	0x92f8	0x7400	f75e9e638db5058cc82cdd27e5a69ab6	False	0.3120959051724138	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.899555971571674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1af000	0x1484	0x1600	106a550af8d55d2058fcdbc952c05dc0	False	0.3213778409090909	data	4.628840558138595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dmm	0x1b1000	0x66f6b	0x67000	3f48e44e8534fdaab12bbfb6281a8d63	False	0.316553208434466	data	5.564503523856693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x218000	0x309	0x400	c573bd7cea296a9c5d230ca6b5aee1a6	False	0.021484375	data	0.011173818721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x219000	0x10e	0x200	9bd0bb20f1c0c7e2abdf194b5a880337	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21a000	0x8bc9	0x8c00	2a4bdc3b309cbae8f3fa7c68b93e75af	False	0.4953125	data	5.855302308952348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	ValidateRgn
ole32.dll	CoGetApartmentType, CoGetObjectContext
ADVAPI32.dll	NotifyChangeEventLog, SetServiceStatus
KERNEL32.dll	HeapReAlloc, GetTimeZoneInformation, HeapSize, CreateFileW, CreateSemaphoreExW, CloseHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, GetStringTypeW, WideCharToMultiByte, MultiByteToWideChar, FormatMessageA, RaiseException, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, RtlCaptureStackBackTrace, InitOnceBeginInitialize, InitOnceComplete, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, EncodePointer, DecodePointer, QueryPerformanceFrequency, InitializeCriticalSectionEx, LCMapStringEx, LocalFree, GetLocaleInfoEx, SetFileInformationByHandle, GetTempPathW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitOnceExecuteOnce, SleepConditionVariableCS, CreateEventExW, WriteConsoleW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetTickCount64, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetFileInformationByHandleEx, CreateSymbolicLinkW, CompareStringEx, GetCPInfo, ReadConsoleW, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, CreateThread, ExitThread, ResumeThread, FreeLibraryAndExitThread, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, OutputDebugStringW, SetStdHandle, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile

Exports

Name	Ordinal	Address
_GetPhysicalSize@12	1	0x4069e7

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 14:53:31.430447102 CET	49706	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:31.549817085 CET	8080	49706	213.21.220.222	192.168.2.11
Dec 9, 2024 14:53:31.549981117 CET	49706	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:31.560137987 CET	49706	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:31.679477930 CET	8080	49706	213.21.220.222	192.168.2.11
Dec 9, 2024 14:53:53.450583935 CET	8080	49706	213.21.220.222	192.168.2.11
Dec 9, 2024 14:53:53.450722933 CET	49706	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:53.518455982 CET	49706	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:53.531956911 CET	49711	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:53.651573896 CET	8080	49711	213.21.220.222	192.168.2.11
Dec 9, 2024 14:53:53.651716948 CET	49711	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:53.652062893 CET	49711	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:53:53.771327972 CET	8080	49711	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:15.544625044 CET	8080	49711	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:15.544789076 CET	49711	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:15.545392990 CET	49711	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:15.546408892 CET	49712	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:15.665780067 CET	8080	49712	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:15.665884018 CET	49712	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:15.666229963 CET	49712	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:15.785937071 CET	8080	49712	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:37.576314926 CET	8080	49712	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:37.576456070 CET	49712	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:37.576807022 CET	49712	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:37.577959061 CET	49714	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:37.699126959 CET	8080	49714	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:37.699317932 CET	49714	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:37.699667931 CET	49714	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:37.819441080 CET	8080	49714	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:59.607875109 CET	8080	49714	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:59.607980967 CET	49714	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:59.608786106 CET	49714	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:59.610090017 CET	49749	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:59.729357958 CET	8080	49749	213.21.220.222	192.168.2.11
Dec 9, 2024 14:54:59.729465008 CET	49749	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:59.732338905 CET	49749	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:54:59.851607084 CET	8080	49749	213.21.220.222	192.168.2.11
Dec 9, 2024 14:55:21.608632088 CET	8080	49749	213.21.220.222	192.168.2.11
Dec 9, 2024 14:55:21.608695984 CET	49749	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:55:21.608987093 CET	49749	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:55:21.610208035 CET	49799	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:55:21.729567051 CET	8080	49799	213.21.220.222	192.168.2.11
Dec 9, 2024 14:55:21.729708910 CET	49799	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:55:21.741092920 CET	49799	8080	192.168.2.11	213.21.220.222
Dec 9, 2024 14:55:21.860658884 CET	8080	49799	213.21.220.222	192.168.2.11

Target ID:	0
Start time:	08:53:29
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\h2TTyq9R7h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h2TTyq9R7h.exe"
Imagebase:	0x700000
File size:	2'222'368 bytes
MD5 hash:	396B829CF9E2E9FF8DD029A418D1F383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:53:29
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:53:29
Start date:	09/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0x6a0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	52%
Signature Coverage:	11.6%
Total number of Nodes:	173
Total number of Limit Nodes:	8

Executed Functions

Function 007035E4 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 291
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 0070F151

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 0070F100
D, xrefs: 0070F0EF
ridding, xrefs: 0070F2F7
'&e{, xrefs: 0070F179
D, xrefs: 0070F0AD

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: '&e{$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe$D$D$ridding
API String ID: 963392458-4294493744
Opcode ID: 41388761e3da459ff8022dad9c3be3461fc5dbe6a439f51d96fed76abc143d42
Instruction ID: ceab3b54b9af9df693a0ddb1d8cc330904531db46cb356d338d1b2f54876299b
Opcode Fuzzy Hash: 41388761e3da459ff8022dad9c3be3461fc5dbe6a439f51d96fed76abc143d42
Instruction Fuzzy Hash: B9E1E1B4908218CFDB14DF68C98479DBBF0BF48318F1186ADE489A7381D779A985CF52

Function 0077D14E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e18848afb70fb37f9ccbed4fbade7e65d1ffddb82f553cf39ff083e82a8ee4
Instruction ID: 59946ce083e5d4f5718c3120e22987bc2d9de8d16fa3f33a765bc7fbd7ba1e9c
Opcode Fuzzy Hash: f0e18848afb70fb37f9ccbed4fbade7e65d1ffddb82f553cf39ff083e82a8ee4
Instruction Fuzzy Hash: E7C08C3410090486CE3989148A713AA33A4AB91BC6FC8448CC81A0B783C91EAC82D610

Function 007B0612 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,83655FEA,?,007B0751,?,?), ref: 007B06D3

Strings

api-ms-, xrefs: 007B0669
ext-ms-, xrefs: 007B067D

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e81b45c3aadb8fbde30b5eed36fbdaa68d4b2ccf8ccd78626ef51698aeae9a20
Instruction ID: dadd7da970881d8eafa9fe6bb60a523c49e845854e412ee625b2a88653f2a410
Opcode Fuzzy Hash: e81b45c3aadb8fbde30b5eed36fbdaa68d4b2ccf8ccd78626ef51698aeae9a20
Instruction Fuzzy Hash: 1921DD31A01311EFE721AB64DC45BAB3759FB82764F144120F917E7691EB78ED20C6E0

Function 0077D0B5 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0077D08A,?,?,?,?,83655FEA), ref: 0077D0C6
TerminateProcess.KERNEL32(00000000,?,0077D08A,?,?,?,?,83655FEA), ref: 0077D0CD
ExitProcess.KERNEL32 ref: 0077D0DF

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bed035e86f674dcd68c127c832e87d8471ee36bcfed83330d9a118abab8f879d
Instruction ID: b9add092d6f275496b633f1c2f338324ea276269c438bd3aabf2f743e3526143
Opcode Fuzzy Hash: bed035e86f674dcd68c127c832e87d8471ee36bcfed83330d9a118abab8f879d
Instruction Fuzzy Hash: 64D06731000508EFDF212FA0DC0D9593F2ABE41391B85C020BA0945432DB359D52DA50

Function 0070F376 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 0070F151
WriteProcessMemory.KERNELBASE ref: 0070F449
WriteProcessMemory.KERNELBASE ref: 0070F49D
Wow64SetThreadContext.KERNEL32 ref: 0070F4CA
ResumeThread.KERNELBASE ref: 0070F4F6

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 0070F100

Memory Dump Source

Source File: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: Process$MemoryThreadWrite$ContextCreateResumeWow64
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
API String ID: 2015093061-448403072
Opcode ID: 69bdf988559c1e73cb0dcaf26d2b289a340ded3c88b38fee20c655c52f68903f
Instruction ID: a7bee7f54f9ae876815671bc231d849d337f7e8aef9d5407fbd8ddc2dc2339ae
Opcode Fuzzy Hash: 69bdf988559c1e73cb0dcaf26d2b289a340ded3c88b38fee20c655c52f68903f
Instruction Fuzzy Hash: FE01C8B0809309DBDB24DF64D85835EBBF0FB84318F118A6DE499967C0D7798689CF86

Function 007020B3 Relevance: 3.2, APIs: 2, Instructions: 192
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007BDFF0: GetConsoleOutputCP.KERNEL32(83655FEA,?,00000000,?), ref: 007BE053

WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 007BEC93
GetLastError.KERNEL32 ref: 007BEC9D

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 8cc01f5c96defdbe18f4290349f272a431298d7c1dfc5430a7bbfce5698aece5
Instruction ID: b439c00d9ec6fda971b32241abcfb8cced1ca8006d77ab0c4247065eb71d6986
Opcode Fuzzy Hash: 8cc01f5c96defdbe18f4290349f272a431298d7c1dfc5430a7bbfce5698aece5
Instruction Fuzzy Hash: 506180B1D04149AFDF158FA8C888FEEBFB9AF09308F144195E811AB352D379D941CB60

Function 007BE5D5 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,?,007BEC79,?,?,?,?), ref: 007BE671
GetLastError.KERNEL32(?,007BEC79,?,?,?,?), ref: 007BE697

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: f9951eb9ac186707fce378614e2dfbb062e6e7dd91e6a29bb4c9ec60a792c4f0
Instruction ID: 7ca165f9c03d33fed940db605e43122f2afd08257cb9395466dad5dd0330d0b0
Opcode Fuzzy Hash: f9951eb9ac186707fce378614e2dfbb062e6e7dd91e6a29bb4c9ec60a792c4f0
Instruction Fuzzy Hash: 7121BF35A00219DBDF19CF29CC80AE9B7F9EB5D305F2440A9EA06D7352E630DE42CB60

Function 007B1663 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,007B1770,008A3B98,0000000C), ref: 007B16AF
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,007B1770,008A3B98,0000000C), ref: 007B16C1

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 1399c02bdd67d7a1b3915ae968856b977a8b2efaff3ab5f473917177dc00fbfe
Instruction ID: 4a7bf2adad4c5dcb6267eebd00797bc050276131da5bda91fe470752e77e894b
Opcode Fuzzy Hash: 1399c02bdd67d7a1b3915ae968856b977a8b2efaff3ab5f473917177dc00fbfe
Instruction Fuzzy Hash: F711AF226047418AC7304E3E8CA87A2BB94AB57339BFD071AD0B6C75F1DA39D882D240

Function 007064C4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c83c7b15654aad0aaf2695d6ae51bf04fdf1c26aa240425b739492376ebe1a
Instruction ID: ac016ff65290fcf5b039cbc9cba4906c21845a14e07ed7c7466b5d2de947f07c
Opcode Fuzzy Hash: 34c83c7b15654aad0aaf2695d6ae51bf04fdf1c26aa240425b739492376ebe1a
Instruction Fuzzy Hash: DE2103B1904208CBDB14EFA8D8497DDBBF0FB48324F00432AE426AB7E1D77C55048BA6

Function 007B070F Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c74045dc2d086ff6513ecbb5878c231b2e0fe4604c9e06f7a414f6d830d7a
Instruction ID: fb038fc35dbb50bc109e3e6896a045e8fe232f41dd1fc6b02c053731546c1c91
Opcode Fuzzy Hash: 201c74045dc2d086ff6513ecbb5878c231b2e0fe4604c9e06f7a414f6d830d7a
Instruction Fuzzy Hash: 1B01F1336002159FAF128E7AEC84B9B77D6BBC53603288220F911CB589EF34EC118AD0

Function 0070277F Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 0070F016

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 0f5ad3f2e9d0ca70d1f05e8faecac289e29058255c4036f683b255df0e6b9040
Instruction ID: a5490251abe93d93f2aee11bed6c5fec0fc5cd3ab1a40b2f43fcf7704511776f
Opcode Fuzzy Hash: 0f5ad3f2e9d0ca70d1f05e8faecac289e29058255c4036f683b255df0e6b9040
Instruction Fuzzy Hash: F8D05EB094C209EFC700FBA8D84211D77E4AE40300F528674E48D87242EA38B4118B52

Non-executed Functions

Function 0070641F Relevance: 7.4, Strings: 4, Instructions: 2438COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 007CC75B
1#QNAN, xrefs: 007CC762
1#IND, xrefs: 007CC754
1#INF, xrefs: 007CC785

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: e91e3f214230a1d8ac8d8ff5564108c434057293fa31e18e53131e2c39380097
Instruction ID: fbbb86d237a7c1d31aaa17dbda91b4bdaa580cb485544bbe7d6a5611be6b079e
Opcode Fuzzy Hash: e91e3f214230a1d8ac8d8ff5564108c434057293fa31e18e53131e2c39380097
Instruction Fuzzy Hash: A2D2F572E086298BDB75CE28DD44BEAB7B5EB48344F1441EED44DE7240E778AE818F41

Function 00703E6D Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 378COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 007BACDB
IsValidCodePage.KERNEL32(00000000), ref: 007BAD06
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 007BAEE7

Strings

utf8, xrefs: 007BADD8

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: 928326114664ae82e6e8fc082adfcae7e07bc43e14e97fe477b54963c7db9003
Instruction ID: d012fe6f9f5fc6f52526dd02a55e5de789685176abad30a5f00fae0b8987c908
Opcode Fuzzy Hash: 928326114664ae82e6e8fc082adfcae7e07bc43e14e97fe477b54963c7db9003
Instruction Fuzzy Hash: 9071B171600206FBEB24BB74CC4ABEB77E8EF54700F14452AF645DB581EA79E94087A2

Function 0070178A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 00739AB6
FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 00739AD8

Strings

!x-sys-default-locale, xrefs: 00739AB1

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: a7def1b3d5472a31a2cb234e26a1a09c2f469e27e783c175e8299f2693e1b777
Instruction ID: 21f6c3c19ad36b163db709c1211992e44207723093d455121e2f3a88b76eb9db
Opcode Fuzzy Hash: a7def1b3d5472a31a2cb234e26a1a09c2f469e27e783c175e8299f2693e1b777
Instruction Fuzzy Hash: 18E03076550108FFFB049BA0CC0BDBB7AADFB45755F104115BA01D2181E2B56E00D661

Function 007069FB Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0077C539
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0077C543
UnhandledExceptionFilter.KERNEL32(?), ref: 0077C550

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 18570d098d357a6eee2edac5960c2cd2f99e303bb67ade9ea6620cc331c7b03b
Instruction ID: 388cb38116a1f21951fa3b7d4b2a0ded31c7b2165c78cb882082f5adc187697d
Opcode Fuzzy Hash: 18570d098d357a6eee2edac5960c2cd2f99e303bb67ade9ea6620cc331c7b03b
Instruction Fuzzy Hash: 9831D674901218DBCB21DF64D88978DBBF8BF08750F6082EAE50CA7291E7349B818F44

Function 007C5EE0 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 658COMMON

Download Yara Rule

Strings

'd|, xrefs: 007C625E, 007C6356, 007C6261

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 'd|
API String ID: 0-2590055107
Opcode ID: 1a1b0c8eccd7456fe4d362102992448006e523baac49f5d8b7b1dd5fabe9d901
Instruction ID: e3ccdff3f280d090f5dfeed5423b66022da31bfa672271ae518f1d092b672dff
Opcode Fuzzy Hash: 1a1b0c8eccd7456fe4d362102992448006e523baac49f5d8b7b1dd5fabe9d901
Instruction Fuzzy Hash: 6FC105B2900125EBDB24AB64CC46FBE7BB9EF05710F14456EF901AB291E7399F41C790

Function 00702EAA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

GetEnabledXStateFeatures, xrefs: 007B0CBC

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: GetEnabledXStateFeatures
API String ID: 0-1068256093
Opcode ID: c7598e8dd0389b833c66d8369ca4946d7550e328c1e073cb0df7cdbc63f8749d
Instruction ID: 73ce718356747af15d98112d2b91da0fe878d9b24614935e4a855d3bf77227de
Opcode Fuzzy Hash: c7598e8dd0389b833c66d8369ca4946d7550e328c1e073cb0df7cdbc63f8749d
Instruction Fuzzy Hash: 48F0C231A50228B7CB113B609C09FEF3E56FF80B50F154510FD1566291DB694D21DBD0

Function 00701492 Relevance: 1.9, Strings: 1, Instructions: 662COMMON

Download Yara Rule

Strings

&& , xrefs: 00765939

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: &&
API String ID: 0-993083564
Opcode ID: 84f53a0cbcbc4668c7a9fb3bf0b11dd55ea48a8552cf363f0cb51eaffefd4b46
Instruction ID: 0de74032a652bb0451a91ae9a43d02c3dabe4089b03e66861da4b15a9e017f7c
Opcode Fuzzy Hash: 84f53a0cbcbc4668c7a9fb3bf0b11dd55ea48a8552cf363f0cb51eaffefd4b46
Instruction Fuzzy Hash: 1E427F71D00609DFDF19DFA4C895AEEBBF9EF08300F14815AE916A7281DB789A44DB90

Function 00706433 Relevance: 1.8, APIs: 1, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 007C232C

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c6e2b8b821f8fbaaac9d36f42ff473aa64d1c79e44c05be1a9295daf877e3b9c
Instruction ID: 518abffeff449127ce4d675d390556c69617ea53bd122c37454adf6deda256ee
Opcode Fuzzy Hash: c6e2b8b821f8fbaaac9d36f42ff473aa64d1c79e44c05be1a9295daf877e3b9c
Instruction Fuzzy Hash: F6B12B31610609DFD719CF28C48AF657BA0FF45365F29865CE999CF2A2C339E992CB40

Function 0072C161 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0072C177

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e02f7c0189785c12fcef5628521c0623deb701f8c9f896181bbed14a5430ea58
Instruction ID: d06af3561e84bf207da77ae5a211049f193036051c93169fa5002e4e51c512d3
Opcode Fuzzy Hash: e02f7c0189785c12fcef5628521c0623deb701f8c9f896181bbed14a5430ea58
Instruction Fuzzy Hash: 01519DB1E01215CBEB15CF95E8817AEBBF0FB5A310F24842AC401EB658D3799E40CF91

Function 00705DB2 Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

0, xrefs: 007A1EB3

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f01e3a45954fad9955dc3b47944febcfc0e46232f21887469a0c49a1d95611ab
Instruction ID: eb78cab2eb5178d14a5e9d151d899f3fbe2571a2970caec06bb098248471c66b
Opcode Fuzzy Hash: f01e3a45954fad9955dc3b47944febcfc0e46232f21887469a0c49a1d95611ab
Instruction Fuzzy Hash: 74E1C074600A05CFEB24CF68C580AAEB7F1FF86310FA48759D4569B391D738AD42CB51

Function 00702B5D Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0, xrefs: 007A23E0

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 64df4cdf88e5600fb1c588f7fd78c8b56acd54c2c63728ba587db6b554641585
Instruction ID: 2037e317927d38d6adc85143bceeaadd559ba395ad24895d735ec0edb12d0aee
Opcode Fuzzy Hash: 64df4cdf88e5600fb1c588f7fd78c8b56acd54c2c63728ba587db6b554641585
Instruction Fuzzy Hash: E5E1AB30A00605CFCB28CF6CC594AAEB7F1BF8B314B248759D4569B692D738AD43CB61

Function 00703D91 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0, xrefs: 007A197B

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cee5c9d6f210f6210a202c08a8b9f6e043291af3cfd27a6881e7029b591d8b8a
Instruction ID: 5ff1d18f4f39989567047f15e2c7a148425d3253e5b56a37a3296289c68e916d
Opcode Fuzzy Hash: cee5c9d6f210f6210a202c08a8b9f6e043291af3cfd27a6881e7029b591d8b8a
Instruction Fuzzy Hash: 9CE1CF74A00605CFEB24CF68C590AAEB7F1FF86320FA4875DD4569B290D738AD42CB61

Function 00703346 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

ValidateRgn.USER32 ref: 0070ECBF

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: Validate
String ID:
API String ID: 3143913474-0
Opcode ID: b7499afaace798cf523154f68028a07c25dcd0b2fa8d6e8adec10540ff09ef57
Instruction ID: 7fa975cb5e0a810c43f8f2f0ea6e713ab044d76ad71474053decc9e5395908ce
Opcode Fuzzy Hash: b7499afaace798cf523154f68028a07c25dcd0b2fa8d6e8adec10540ff09ef57
Instruction Fuzzy Hash: F3516DB4E14209DFCB44DFA9C595AEEBBF0FB49300F10859AD869EB250D739AA01CF54

Function 0070770C Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

0, xrefs: 007A03C1

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b611720be4b5983b51c389e5795051c75c654b8c4c2a65b6eb0d628afff9d0c3
Instruction ID: 1aa1225994b0c5fbf2972709670c6f3b3b935eb2ce4aae36ca5f89f55b68a1a1
Opcode Fuzzy Hash: b611720be4b5983b51c389e5795051c75c654b8c4c2a65b6eb0d628afff9d0c3
Instruction Fuzzy Hash: A6C1BD70A00746CFCB248E68C498A7EB7E1BB8B310F244F1DD9569B291D739AD45CBD1

Function 007021CB Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

0, xrefs: 007A0836

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 59e45b8025567cb66540eef58bf0bf2672c5cef724859b0dcc4c1c4d1f2988ac
Instruction ID: 6c191cef1c91efc815797878e62d68d6ff4cc68f9f1651f97a65e4006f9a2cdd
Opcode Fuzzy Hash: 59e45b8025567cb66540eef58bf0bf2672c5cef724859b0dcc4c1c4d1f2988ac
Instruction Fuzzy Hash: 28C1AC74A00606CFDB29CF28C494AAAB7E5BB87310F244B19D4969B292C73DBD45CFD1

Function 00707617 Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

0, xrefs: 0079FF41

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 949d38e1610a7395145ce2ec783e24a4ea6797371e4f573e39608afe2df6f1a4
Instruction ID: 2d1f7be0da3dcc089eed5be0c19306a4ed43c0364dee50e6092111209192ef99
Opcode Fuzzy Hash: 949d38e1610a7395145ce2ec783e24a4ea6797371e4f573e39608afe2df6f1a4
Instruction Fuzzy Hash: F1C1A270A0064ACFCF24CF28D4946BEB7F1AB46314F244A29E556D72A2C739ED45CB91

Function 0070362A Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

0, xrefs: 007A1540

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8339460c53dad8e9566a06e1da3ce67d63fcf35b206f55f0750f06dc9ec395e5
Instruction ID: 118628a1405f10dfb3623856ca611048a2c4150de25dccdc50321acf162b7b85
Opcode Fuzzy Hash: 8339460c53dad8e9566a06e1da3ce67d63fcf35b206f55f0750f06dc9ec395e5
Instruction Fuzzy Hash: B0B1D270A0064ACBEB24DF68C584ABEB7F1AFCA304F94471DD456E7690DA38ED42CB51

Function 00701D61 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

0, xrefs: 007A0CB1

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7fac7db5c3a5a77f88c0cbab8036df999b95bf7874942c451f11c9410aa4a72c
Instruction ID: ecd33c685198e7415397fb49747ec3d72bca0a5e20a6cd3aa9b9c7114878b6ec
Opcode Fuzzy Hash: 7fac7db5c3a5a77f88c0cbab8036df999b95bf7874942c451f11c9410aa4a72c
Instruction Fuzzy Hash: E7B1E270A00609CFCB24DFA8C9946BEB7F1AF86714F144F1DE452A7290D638AD45CBE1

Function 00703DBE Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

0, xrefs: 0079F706

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3cd171c4b17b81b207b1584981d5cded9f32ea4a3b613d93090d7d0768e4b201
Instruction ID: b4952f97e39687615d14cc4c90369d0ef0488880bf74605b0f6ea48d432b1604
Opcode Fuzzy Hash: 3cd171c4b17b81b207b1584981d5cded9f32ea4a3b613d93090d7d0768e4b201
Instruction Fuzzy Hash: D8B1A17090064ACBCF24DEA8E595ABEB7E1AF04304F24063ED552D7291DB3DEE52CB51

Function 00702757 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

0, xrefs: 0079F2DD

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1867c4c4c06bb01c02cddbc77711384ae87cbfc20f88aae926a5427e02bf5429
Instruction ID: a7bf35ed9e309074dc377e15312cc0f3ddaa4695bb208b00b3d2375e4ef536e7
Opcode Fuzzy Hash: 1867c4c4c06bb01c02cddbc77711384ae87cbfc20f88aae926a5427e02bf5429
Instruction Fuzzy Hash: F1B1C070900A4ACBCF24CF68E9957BEB7F1BB45314F24463AD852E7291C73CA942CB91

Function 00702DEC Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

0, xrefs: 0079FB23

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 295fb34e72f7a2e94c24b4cd2fef69655d532a6ce4346c07b9cdfee0e07cde2e
Instruction ID: eeefe1ac655a750d7871ec0d432598b80e1e6b16961d0c6b995a2554d2245c7c
Opcode Fuzzy Hash: 295fb34e72f7a2e94c24b4cd2fef69655d532a6ce4346c07b9cdfee0e07cde2e
Instruction Fuzzy Hash: 27B1C570904A0ADBCF24CF68E8A56BEB7F5EB06314F24863AD956D7281C73CAD41CB51

Function 007AFFA6 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(007AFF90,00000001,008A3B58,0000000C,007B0AED,?), ref: 007AFFDE

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: cbec1772263d356c37c49fe32d8d511f991c2b29ae86c261fd2a691ccf83730b
Instruction ID: fd03ed45dea9c9e4e556b19cdad1de513266f401c484aecb6129f6267631c11e
Opcode Fuzzy Hash: cbec1772263d356c37c49fe32d8d511f991c2b29ae86c261fd2a691ccf83730b
Instruction Fuzzy Hash: 9FF03776A00204EFE700EFA8E946B9D7BE0FB4A721F00412AF415DB6E1D7B95910CB50

Function 00706C9E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006B54), ref: 0072BF0A

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 13bc47f27376b8e4513e738ef0a4b5e748457e3549e6d04e9fd765645d535953
Instruction ID: 8cbf322b152919eab9fac1fbebbeeafd2cae836fbaee8f791c0677861f3fa412
Opcode Fuzzy Hash: 13bc47f27376b8e4513e738ef0a4b5e748457e3549e6d04e9fd765645d535953
Instruction Fuzzy Hash: 2A9002E0544911DA9D0057A07E5D6943BA0A55570172285906152D15AB67980454A925

Function 00707455 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007B7D3C

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9eb36723a90e00a072adaef9da0602c5dc4350c5d3b7e4ea883ce657b27df95d
Instruction ID: 268f8bdb63666904f1532c5ca6ca84c59d7d7aee1f56933def003985bf11759a
Opcode Fuzzy Hash: 9eb36723a90e00a072adaef9da0602c5dc4350c5d3b7e4ea883ce657b27df95d
Instruction Fuzzy Hash: 17B012B03011018B63104F716F0831837A87D432C170144649009C05A0D73440019F11

Function 00703738 Relevance: 1.1, Instructions: 1085COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452e9efad9a4b71e44a66135ff56c468cf8724af4f348747761618c40750b66b
Instruction ID: 7656ec3c7eb1d4c88932bc7653903603c3836a9424340abe086495ac1540adce
Opcode Fuzzy Hash: 452e9efad9a4b71e44a66135ff56c468cf8724af4f348747761618c40750b66b
Instruction Fuzzy Hash: E862CE74E00109DFCF28DFA8C985ABEB7B5EF85304F144268DD46A7755E639AE42CB80

Function 007C3D29 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fba16c9a25cb8ec9cdf1081268032db648d501f6eba6e227264e7151ad426
Instruction ID: 209839826df431765c2caf2ce61caa1332238451aef5715eed62e79bb66b2712
Opcode Fuzzy Hash: 693fba16c9a25cb8ec9cdf1081268032db648d501f6eba6e227264e7151ad426
Instruction Fuzzy Hash: DA320521D29F414DD7279634D832335A788BFB73D5F29D72BE81AB5DA6EB28C5834100

Function 0070143D Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a391b1dbb7f55848c9b15225bca1c6f3ba2937f6e773522271cf6b338a55d99
Instruction ID: 15ff16283fbdf75fd8a71b3017073f1365c7c3ba60118a5c08841d6e16839781
Opcode Fuzzy Hash: 6a391b1dbb7f55848c9b15225bca1c6f3ba2937f6e773522271cf6b338a55d99
Instruction Fuzzy Hash: 9D123E71A002299FDF26CF18CC80BAAB7B9BB49340F4481EAD54DEB245E7749E81CF51

Function 00705367 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54ac4e31c3e1fd5889827661380942d37e26c562dc87e8127f431e2a7deb238
Instruction ID: 5fda54e3b7a0d01e95333162eec550ef3f2931c5decb3f50ad042e96d0c3a83f
Opcode Fuzzy Hash: c54ac4e31c3e1fd5889827661380942d37e26c562dc87e8127f431e2a7deb238
Instruction Fuzzy Hash: BFF15071E052199FDF18CFA8C884AADB7B1FF88354F158269D919AB391D734AE01CF90

Function 00704093 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbf623d6fd78f5e5372cc0575964d3d528ab188aec2bcde819aec8fbb105c5e
Instruction ID: b4fc121aaf3cba15711cc2da2a56d489b0bfc1f608c262eeb47e956a13e65c74
Opcode Fuzzy Hash: 8fbf623d6fd78f5e5372cc0575964d3d528ab188aec2bcde819aec8fbb105c5e
Instruction Fuzzy Hash: 37E182B1A402288FDF65CF58C884BAAB7B9FF45344F1481EAD54DA7245EB349E808F52

Function 00702D2E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f86c41801168a67bcfb47c47b4dc21ef988da67c48ffab73261293cede7234
Instruction ID: f2c769dc34c031d2c5a557546daa3b5b8d9cbd68ca692f2a717a0157a06dc82e
Opcode Fuzzy Hash: 38f86c41801168a67bcfb47c47b4dc21ef988da67c48ffab73261293cede7234
Instruction Fuzzy Hash: BDA16F71A401698BCF64DF58C884BEDB7F5FB89344F1480EAD90DAB241EB749E818F81

Function 007021EE Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297144086987a91abe675736ee767284fadc118dcc1c1812eef49ce7e5bfe3a2
Instruction ID: c1b5694b2645365d0520d7fbb0103cddcb365c59d7c2f82e077b8cf656cd6138
Opcode Fuzzy Hash: 297144086987a91abe675736ee767284fadc118dcc1c1812eef49ce7e5bfe3a2
Instruction Fuzzy Hash: 2D519171E00119EFDF15CF99C941AAEBBB2EF88344F19C099E919AB241C734AE50DB60

Function 007063E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d353cd93d9fb586796c85bdc2aeb0824a33a05e7a4b5dbe2d81b93919f0537ae
Instruction ID: 783ded774cbb84ed9b4f8225afa383c7e7f56ab69ec6c3f93ead6d788a9d9c4e
Opcode Fuzzy Hash: d353cd93d9fb586796c85bdc2aeb0824a33a05e7a4b5dbe2d81b93919f0537ae
Instruction Fuzzy Hash: 7B113BB72013818FD606862DC8B47F6A397EAC632372C43BAD9468F7C4D1EA954D9500

Function 00701D4D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4435fa71bfc7c6caadfc2a864fb265e637148ff9abbd6e73c0bb0164623e8e
Instruction ID: ba685b42cbbe8dc49b647cc23f8fdfe830f21b34300c44b36acc386fa0c83aa0
Opcode Fuzzy Hash: bf4435fa71bfc7c6caadfc2a864fb265e637148ff9abbd6e73c0bb0164623e8e
Instruction Fuzzy Hash: F9F090726402A0EFE7269A9C9919BD973E8FB06B50F150552F602EB792C2B9DE0087C0

Function 00705867 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f625c6ac334509418c2199df67c52bf2eae3b3ad80980c60bcfd0197ade61d1
Instruction ID: 55fc737b3731c4e650927dafc5a81db64bfbe27599452975fff5e2d3a4feb4b8
Opcode Fuzzy Hash: 9f625c6ac334509418c2199df67c52bf2eae3b3ad80980c60bcfd0197ade61d1
Instruction Fuzzy Hash: B0F01572A10264EBDB26DB8C9849B89B2BCEB49B51F1544A7E501EB652C6B89E00C7C0

Function 00703913 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b68b4dedccab8fff5bc55d894848bca49dbc3ce5b69e8850085e08e4f249dd2
Instruction ID: 2a939aa8ea24f66eed9872558827c3b3c2bdc00b37944d751873042b18159132
Opcode Fuzzy Hash: 0b68b4dedccab8fff5bc55d894848bca49dbc3ce5b69e8850085e08e4f249dd2
Instruction Fuzzy Hash: 7EF0A031A10220EFCB22CB4CC449BA8B3ACEB06B21F214066F101DB242C774DE01CBD0

Function 00701A96 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eeb5486b1048baf0da9192e2c7676366ea6457ebc801418f139bb69d1b72c16
Instruction ID: b2a39c3ea83273137bd1e05c2fe488bb38a988a6b266db14caa45335f4d08cc4
Opcode Fuzzy Hash: 3eeb5486b1048baf0da9192e2c7676366ea6457ebc801418f139bb69d1b72c16
Instruction Fuzzy Hash: 8ED05E3A204614EFC200CF49D400D01F3B8FB8D7307124562EA4493710C330FC11CAD0

Function 0072B252 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(008AC410,00000FA0,?,?,0072B227), ref: 0072B25E
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0072B227), ref: 0072B269
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0072B227), ref: 0072B27A
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0072B28C
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0072B29A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0072B227), ref: 0072B2BD
DeleteCriticalSection.KERNEL32(008AC410,00000007,?,?,0072B227), ref: 0072B2F9
CloseHandle.KERNEL32(00000000,?,?,0072B227), ref: 0072B309

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0072B264
SleepConditionVariableCS, xrefs: 0072B286
WakeAllConditionVariable, xrefs: 0072B292
kernel32.dll, xrefs: 0072B275

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 853882ed699c4af2cbb026e12f92675ec611f534537772e5e19af0c6d03ca179
Instruction ID: 3912222bd914b7478d6ac1363c1ad1e306d695ad6f93ba02337649392f3ff02a
Opcode Fuzzy Hash: 853882ed699c4af2cbb026e12f92675ec611f534537772e5e19af0c6d03ca179
Instruction Fuzzy Hash: 8901B571A81B11DBF7215BB4BC09B2A3BA8FB4AB527054131FA04D2A52DBACC800C664

Function 00701497 Relevance: 19.6, APIs: 13, Instructions: 147COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32 ref: 0070EA10
SetServiceStatus.ADVAPI32 ref: 0070EA3D
SetServiceStatus.ADVAPI32 ref: 0070EA6A
SetServiceStatus.ADVAPI32 ref: 0070EA97
SetServiceStatus.ADVAPI32 ref: 0070EAC1
SetServiceStatus.ADVAPI32 ref: 0070EAEE
SetServiceStatus.ADVAPI32 ref: 0070EB1B
SetServiceStatus.ADVAPI32 ref: 0070EB45
SetServiceStatus.ADVAPI32 ref: 0070EB6F
SetServiceStatus.ADVAPI32 ref: 0070EB99
SetServiceStatus.ADVAPI32 ref: 0070EBC6
SetServiceStatus.ADVAPI32 ref: 0070EBF3
SetServiceStatus.ADVAPI32 ref: 0070EC1D

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: 882835af3a53f1ae9f406f83953e1c095b8d8872d4c5db778ecd7217aff5f2f3
Instruction ID: a4a00c1092022552f46d6ca2a2008f9db90df8441fe5e57ec18713059f94767e
Opcode Fuzzy Hash: 882835af3a53f1ae9f406f83953e1c095b8d8872d4c5db778ecd7217aff5f2f3
Instruction Fuzzy Hash: 7361E6345092449FD751EFB8C654B5D7FF1AF46301F0584ACE8C88B3A6CB789A18DB52

Function 007334B1 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007334D9
GetCurrentThreadId.KERNEL32 ref: 007334F6
GetCurrentThreadId.KERNEL32 ref: 00733517
GetCurrentThreadId.KERNEL32 ref: 0073359A
GetCurrentThreadId.KERNEL32 ref: 007335DE
GetCurrentThreadId.KERNEL32 ref: 00733624

Strings

y8s, xrefs: 007334C6
y8s, xrefs: 0073358E

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID: y8s$y8s
API String ID: 2882836952-405054098
Opcode ID: 9d78e3789f2af0f7663bd4039f8126dbb5aef21b57dcacb3704a111433c398a9
Instruction ID: a8b3c4a2d14b884faf227b68f876b2638ce4c812c836faeed4ded2d8f8729ef9
Opcode Fuzzy Hash: 9d78e3789f2af0f7663bd4039f8126dbb5aef21b57dcacb3704a111433c398a9
Instruction Fuzzy Hash: 62517C71A00515DFEF20DF78C9869A9B7B1FF08710F25456AE806AB293D738EE41CB51

Function 007048CC Relevance: 9.2, APIs: 6, Instructions: 225COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0075AA6C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0075AAFA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075AB6C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0075AB86
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075ABE9
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0075AC06

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 69a98cd9ddb9860873501ae451ef11cb1981d6ff738eafb19aba9fda270a544b
Instruction ID: 3ac6f55fdab4c067d31b4773e34dc265141acfb15b44ccb627ece98a2dbf3509
Opcode Fuzzy Hash: 69a98cd9ddb9860873501ae451ef11cb1981d6ff738eafb19aba9fda270a544b
Instruction Fuzzy Hash: 1771C472900149BFDF208F64DD45AEE7BB6EF45312F14423AED05A6151DBB98908CBA2

Function 007030E9 Relevance: 9.2, APIs: 6, Instructions: 176COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00739848
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 007398B3
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007398D0
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0073990F
LCMapStringEx.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0073996E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00739991

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: a89ff10aaab4921aad1918124d67682083c1d9cf3d6b8c6b3e019c3bf10420e3
Instruction ID: 1dc74858c74bf7c9a38bd8c373e231dbf7b3869fccc63dce1069cedf0ade1110
Opcode Fuzzy Hash: a89ff10aaab4921aad1918124d67682083c1d9cf3d6b8c6b3e019c3bf10420e3
Instruction Fuzzy Hash: B151E272500206EFFB208FA4CC45FAB7BA9EF81740F144129FA15E6192D7B9AD11CB60

Function 00704110 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,008AD4A2,00000104), ref: 0077F11E

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0077F1B3
Runtime Error!Program: , xrefs: 0077F0EA
<program name unknown>, xrefs: 0077F12D
..., xrefs: 0077F16C

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 05cd383504de24bc0a5490efd8e9bb303234a6366b24d78ea79aab0dad7dcffe
Instruction ID: 5bf36fcb33203953ef1434c6fa9e13d8df69b85038a32479041e294b401c5042
Opcode Fuzzy Hash: 05cd383504de24bc0a5490efd8e9bb303234a6366b24d78ea79aab0dad7dcffe
Instruction Fuzzy Hash: 8A217C72A40308F2EA20B624DE0AE6737DCEB95794F404432FD0DD3AD1F26DDA41C2A5

Function 0077D178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,83655FEA,?,?,00000000,007D7A82,000000FF,?,0077D0DB,?,?,0077D08A,?), ref: 0077D1AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0077D1BF
FreeLibrary.KERNEL32(00000000,?,?,00000000,007D7A82,000000FF,?,0077D0DB,?,?,0077D08A,?), ref: 0077D1E1

Strings

mscoree.dll, xrefs: 0077D1A6
CorExitProcess, xrefs: 0077D1B7

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 425175f411a42f02b0d526558da4cb01f426d11c71f5d043e9599126bebb43c0
Instruction ID: 3dc8a8947808784dd150dc1b88070d8e2d0e03011cdb8aa556c6cf6c7750d744
Opcode Fuzzy Hash: 425175f411a42f02b0d526558da4cb01f426d11c71f5d043e9599126bebb43c0
Instruction Fuzzy Hash: 98016231954619EFEB119B94DC05FAEBBB8FF09B51F044625E811E2AD0DB789900CB90

Function 007612A4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 007612C9
CatchIt.LIBVCRUNTIME ref: 007613AF

Strings

MOC, xrefs: 007612DB
RCC, xrefs: 007612E3

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 7e986f6da76692c8edfc7ac1dd76aab22fbd63d16a86f2f376716a17b4093d52
Instruction ID: 9dc797c39f6ea0639b39f81dedb1b3e75c4068f69555635c7a54ebac97737132
Opcode Fuzzy Hash: 7e986f6da76692c8edfc7ac1dd76aab22fbd63d16a86f2f376716a17b4093d52
Instruction Fuzzy Hash: D0416871A00209EFCF15DF95CD89AEEBBB6FF48300F188159F906A7661D339AA50DB50

Function 0076AF02 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0076ADAA,?,?,?,?,?,?,0076B054,00000003,FlsSetValue,0088C3B8,0088C3C0), ref: 0076AF0F
GetLastError.KERNEL32(?,0076ADAA,?,?,?,?,?,?,0076B054,00000003,FlsSetValue,0088C3B8,0088C3C0), ref: 0076AF19
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0076AF41

Strings

api-ms-, xrefs: 0076AF26

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8bf157c2ca3380b3b015f6099cd399724e856585100fe27454446d8c3a831a06
Instruction ID: 24cc3174bc29af48a20ad6c27279648260f142f9f8f6ecd9a31fe8f8a44a4d04
Opcode Fuzzy Hash: 8bf157c2ca3380b3b015f6099cd399724e856585100fe27454446d8c3a831a06
Instruction Fuzzy Hash: BBE01A71284244F6EB211BA0EC0AF583B59FB01B40F148070FE0DA84E3EBA5D9148E86

Function 007BDFF0 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(83655FEA,?,00000000,?), ref: 007BE053
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007BE2AE
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007BE2F6
GetLastError.KERNEL32 ref: 007BE399

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: d3743a417c67e783f462cd808b993b23201543f944fa53fdae6ef454981ea46c
Instruction ID: 74648ff6062c495025fef56af25fee37bcee54c33db30d09528542ba97dd630f
Opcode Fuzzy Hash: d3743a417c67e783f462cd808b993b23201543f944fa53fdae6ef454981ea46c
Instruction Fuzzy Hash: 8BD136B5D00258DFDB15CFA8D880AEDBBF9BF49304F28412AE956EB351E734A941CB50

Function 007BFB78 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 007BFB8E
GetLastError.KERNEL32(?,?,?,?), ref: 007BFB9B
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 007BFBC1
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 007BFBE7

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: ad4c6b2e5eda1ccb17fa6ac91a21ba55f94b58f8fdab1d95a2ab24f4df5b129c
Instruction ID: bcdc9a81126b73f26a74f943846680092da400085015de805442e27dd400a109
Opcode Fuzzy Hash: ad4c6b2e5eda1ccb17fa6ac91a21ba55f94b58f8fdab1d95a2ab24f4df5b129c
Instruction Fuzzy Hash: E51145B590011ABFDB209FA4CC48ADF7F79EB05B60F104124F925A21A1DB759A40DBA0

Function 007040C0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 007CF972
GetLastError.KERNEL32 ref: 007CF97E
___initconout.LIBCMT ref: 007CF98E

Part of subcall function 007CF8F3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007CF993), ref: 007CF906

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 007CF9A3

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: adb327ca54f6f31f6599743ea89b8e66803b5495a8a49c72c1fc4fe33a124d48
Instruction ID: 45debb0c1bea845d238f4e77ec9582d2853a9f9eb4fd11ae7c1e7fe2643066a4
Opcode Fuzzy Hash: adb327ca54f6f31f6599743ea89b8e66803b5495a8a49c72c1fc4fe33a124d48
Instruction Fuzzy Hash: AFF0F836400115FBDF221FD6DC08F9A3F66FB4B3A1B115128FB5985621C6329820DB91

Function 0070629E Relevance: 6.0, APIs: 4, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNEL32 ref: 0072B48A
LeaveCriticalSection.KERNEL32(008AC410), ref: 0072B494
WaitForSingleObjectEx.KERNEL32(?,00000000), ref: 0072B4A5
EnterCriticalSection.KERNEL32(008AC410), ref: 0072B4AC

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 967fc435d1a67acfc13e7da0b61959aceadc1916872442f8507cb5b5a6d70363
Instruction ID: 80f087045cd00c1457372e7bfdf38b1e2bc86b2d2f6f5068e42b51c809661740
Opcode Fuzzy Hash: 967fc435d1a67acfc13e7da0b61959aceadc1916872442f8507cb5b5a6d70363
Instruction Fuzzy Hash: D9E01232582534B7E7112BD0FC19EAD7F25FB0E751B048020FA45A6A63C76D18109BDD

Function 00701726 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 007B0E3D
InitializeCriticalSectionEx, xrefs: 007B0E8D

Memory Dump Source

Source File: 00000000.00000002.1488794021.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1488764660.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.000000000070E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.0000000000729000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488794021.00000000007D3000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488959696.000000000089A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489097873.00000000008A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489120329.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489142988.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489168153.00000000008A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489192719.00000000008AA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489209636.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489227895.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1489374694.000000000091A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_h2TTyq9R7h.jbxd

Yara matches

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: e096157ec76e908ec7c6a0e09244129125fbaed2b4ab38d2187c8c656ea549f5
Instruction ID: afec1d07a4b4c3a654a6b3f3adb7b805cba59a07023d46311fa96bab82e7ff81
Opcode Fuzzy Hash: e096157ec76e908ec7c6a0e09244129125fbaed2b4ab38d2187c8c656ea549f5
Instruction Fuzzy Hash: 2601A735680228B7CB113B95EC0AFDF7E15FF40BA0F048421FE28A5751DAB99910D7D0

Analysis Process: AppLaunch.exePID: 3628, Parent PID: 2720COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	67
Total number of Limit Nodes:	5

Executed Functions

Function 04EDEDD1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04EDEE5E
GetCurrentThread.KERNEL32 ref: 04EDEE9B
GetCurrentProcess.KERNEL32 ref: 04EDEED8
GetCurrentThreadId.KERNEL32 ref: 04EDEF31

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4989ade65f44a274c4b96f21acbeb2161d706a03414ebd4d150067dfe8fec16c
Instruction ID: 15db2f6fcaddfec90f26460f99782bdc3f59249001670a93151139cd33a69122
Opcode Fuzzy Hash: 4989ade65f44a274c4b96f21acbeb2161d706a03414ebd4d150067dfe8fec16c
Instruction Fuzzy Hash: D951A9B0D00649CFEB14DFA9D948B9EBFF1EF48314F208019E409AB2A0DB34A945CF65

Function 04EDEDE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04EDEE5E
GetCurrentThread.KERNEL32 ref: 04EDEE9B
GetCurrentProcess.KERNEL32 ref: 04EDEED8
GetCurrentThreadId.KERNEL32 ref: 04EDEF31

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1fbdc1654c1ac99c032d6382f9ee3cf06806e1ee4576728940cacc69df99c218
Instruction ID: c2c9193a2094d918b9204480ad5c150656b72cbb4607b7b08cac74f5b308de89
Opcode Fuzzy Hash: 1fbdc1654c1ac99c032d6382f9ee3cf06806e1ee4576728940cacc69df99c218
Instruction Fuzzy Hash: 965188B0900649CFEB14DFAAD948B9EBBF1EF48314F248419E419AB390DB34A945CF65

Function 04EDCB39 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EDCD9E

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cc594f1012858b03b4ff0146e1da2ccdecb282610929ebd2c7d815b0ff79b22c
Instruction ID: cbc9b92dbb254092993bd5bb096df211184b5e97e60f1b016613efa975da7dbb
Opcode Fuzzy Hash: cc594f1012858b03b4ff0146e1da2ccdecb282610929ebd2c7d815b0ff79b22c
Instruction Fuzzy Hash: EE8122B0A00B458FEB24DF2AD44175ABBF1FF88344F109929D58ADBA50D774F846CB91

Function 091D3A52 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2744355876.00000000091D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_91d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f86628d0a10a681ca6c238130c79a16c826aba8901f5c0d0b944757e012caf
Instruction ID: f386464279161cda407e4812bb06ca61f378c3ea10bd7dd2730cb8d9190dd0db
Opcode Fuzzy Hash: e0f86628d0a10a681ca6c238130c79a16c826aba8901f5c0d0b944757e012caf
Instruction Fuzzy Hash: ED51F0B5D00209AFDF15CF99C980ADEBBB5FF48314F24812AE818AB220D7719951CF91

Function 091D3AD0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 091D3BE2

Memory Dump Source

Source File: 00000003.00000002.2744355876.00000000091D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_91d0000_AppLaunch.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c25278fbb668013f98e6010069372db2a934ab2abad2ebd3ed5a38de8899ec43
Instruction ID: 6bbab1e59dfb819ff1dd8fdff90d3bb18142bef0fd0d7bdfba9ca966c19255ef
Opcode Fuzzy Hash: c25278fbb668013f98e6010069372db2a934ab2abad2ebd3ed5a38de8899ec43
Instruction Fuzzy Hash: 0A41CFB1D003499FDB14CF99C984ADEBBF5FF48314F64852AE818AB210D775A845CF91

Function 091D3044 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 091D6161

Memory Dump Source

Source File: 00000003.00000002.2744355876.00000000091D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_91d0000_AppLaunch.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0eb5a555fa8e1948b1d5927b25d4e95dcb18a9beb9aa57f8033f33af86f1aa44
Instruction ID: 4247e528e3684afad62e690bb246e010954c6bb989cef4f94b212e60545d0e34
Opcode Fuzzy Hash: 0eb5a555fa8e1948b1d5927b25d4e95dcb18a9beb9aa57f8033f33af86f1aa44
Instruction Fuzzy Hash: 8D4118B4A00209DFDB14DF59C888AAEBBF5FB88314F24C459E519AB321D734A841CFA0

Function 04ED7664 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04ED7721

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 67c03bbc99e021e6065b16ebead8ec53c54d0e92e41013db602f5b1d8fdc10d6
Instruction ID: 21f1baa7fa9aac2f05827eb7e8f6b643ca037ba22818d84b7eb455a2cc00f0a4
Opcode Fuzzy Hash: 67c03bbc99e021e6065b16ebead8ec53c54d0e92e41013db602f5b1d8fdc10d6
Instruction Fuzzy Hash: DF41C0B0C00619CBDB24DFA9C885B9EBBF5FF48308F20856AD419AB251DB756946CF90

Function 04ED5F9C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04ED7721

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: da1c0d32b318469db4ac4228f82faf417f52459e5661b7f171f3a398b4b63d6d
Instruction ID: d56e0fb2afbd21298013c23a245d9416c84ed35882c7f301dd308d083c5d1dd8
Opcode Fuzzy Hash: da1c0d32b318469db4ac4228f82faf417f52459e5661b7f171f3a398b4b63d6d
Instruction Fuzzy Hash: A541C0B0C00619CBDB24DFA9C884B9EBBF5FF48308F20846AD419AB251DB756946CF90

Function 04EDF020 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EDF0AF

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4300d558b8a5a6d1814a4f23e3fcc8389537586a22a25ab1a69b8f5fbb6140f6
Instruction ID: 49eb69c31678f18f86b6b65b4098438c00de9fdc8e8df0ad547e0250a01256a2
Opcode Fuzzy Hash: 4300d558b8a5a6d1814a4f23e3fcc8389537586a22a25ab1a69b8f5fbb6140f6
Instruction Fuzzy Hash: 2621E5B5D002489FDB10CFA9D585AEEBFF4FB48310F14841AE915A7310C379A950CF61

Function 04EDF028 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EDF0AF

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 482cc03673b5ab0d6193603904e650034e18e5e99e980140cfdabc34d321d2b9
Instruction ID: b6889ac8434c17249b00b6a9e5be1e701803106acec9ede115587ac0b7d0e42a
Opcode Fuzzy Hash: 482cc03673b5ab0d6193603904e650034e18e5e99e980140cfdabc34d321d2b9
Instruction Fuzzy Hash: 7F21C4B59002499FDB10CF9AD984ADEBFF8FB48320F14841AE918A7350D379A954CFA5

Function 04EDCD38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EDCD9E

Memory Dump Source

Source File: 00000003.00000002.2742879229.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ed0000_AppLaunch.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bbf618af4ecbc771af767716fb8d9e566ba0786dd366f68e64e1127f6076bf51
Instruction ID: 4a478321081885d1fd4d7ba4dc92a7c659cd5e0c7372b8464f4d7333bae448d8
Opcode Fuzzy Hash: bbf618af4ecbc771af767716fb8d9e566ba0786dd366f68e64e1127f6076bf51
Instruction Fuzzy Hash: E611E0B5C006498FDB10CF9AC844ADEFBF8EF88324F24841AD859A7210C379A545CFA1

Function 04D9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742670453.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d9d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1243e77157bdf238be2cadf46b6442bd5087dda143b92d63310233b1a4ad4462
Instruction ID: b985e9fb1f359b8c1bda967e3455a577932303452c2de91e070e2896c8595d97
Opcode Fuzzy Hash: 1243e77157bdf238be2cadf46b6442bd5087dda143b92d63310233b1a4ad4462
Instruction Fuzzy Hash: C92137B1604240DFDF85DF14D9C4F26BFA6FB88318F24C569E9498B256C336E816CBA1

Function 04DAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742697384.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dad000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1ef55b78b1905b39e267d8dcf1e8d0c4a6c3ffe5c1a3d99f357d3b5a199c57
Instruction ID: e3e88f35ec6ff644a1fa2dd6d9d86e0a82340745b0e1b56f91d1a98132fc9737
Opcode Fuzzy Hash: 7a1ef55b78b1905b39e267d8dcf1e8d0c4a6c3ffe5c1a3d99f357d3b5a199c57
Instruction Fuzzy Hash: 27210771704240DFDB14DF14E9C0B16BBA7FB88314F24C96DE9494B656C33AE417CA65

Function 069E0205 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16dbe9c0c5cc498408273f8693494687b31992e22f9ac4cb49ed2a3fba4a803
Instruction ID: dbfab087351ff9bb2aa41f515fa78ff9ce09f5787de9ccdff346207bc85040fd
Opcode Fuzzy Hash: c16dbe9c0c5cc498408273f8693494687b31992e22f9ac4cb49ed2a3fba4a803
Instruction Fuzzy Hash: AD21C075B442448FDB45DBA4C894BADBBF1EF89314F244498E506EB3B1CB719D02CB90

Function 04DAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742697384.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dad000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf5a102faa6734821f8b160ef06c7541ea5fa157daae762b7eab3ad035ffb43
Instruction ID: cedf9d90e0d14a25067eae0461cd1ec0a89c54111557ac432b15ded118305cb6
Opcode Fuzzy Hash: 4bf5a102faa6734821f8b160ef06c7541ea5fa157daae762b7eab3ad035ffb43
Instruction Fuzzy Hash: 9B21A4755093C08FDB12CF24D594715BF72FB46214F28C5DAD8498F6A7C33A981ACB62

Function 04D9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742670453.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d9d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: b5c31bf25b585bcc7b24cf5eafa4e765b666d65dae1d9638d5e8880bf7b4f2fb
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: E9112676404280CFCF52CF10D5C4B16BFB2FB84314F24C6A9D8094B256C33AE85ACBA1

Function 069E02C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9613a49d40ccd8ba2789d9d0948d67d96e700a5b1a1941552d66713fed8a2d15
Instruction ID: a486da7c35fae9d13a179edecdbb6a2e99fa11f9eb010a1714db587a9c969db9
Opcode Fuzzy Hash: 9613a49d40ccd8ba2789d9d0948d67d96e700a5b1a1941552d66713fed8a2d15
Instruction Fuzzy Hash: 97111B78700104DFD744DBA4D594BAD77F1FB88304F244098E90AAB7A1CB71ED12CB90

Function 04D9D6CF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742670453.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d9d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e570ad0083e405f9473632379d7640f879d7f52cf88705f2f09e7892eb1768
Instruction ID: abddf3e7f96e3641f8fad0eecfbde97e1ad2d9dc803e7c0334c09b7874ef298e
Opcode Fuzzy Hash: 53e570ad0083e405f9473632379d7640f879d7f52cf88705f2f09e7892eb1768
Instruction Fuzzy Hash: 21F0F9B6600604AF97248F0AD985C27FBEDFBD4770715C59AE84A8B612C671FC41CAB0

Function 04D9D6C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2742670453.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d9d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade42714521e7e6afb30d08e799dfa346fe8829d1be38c326a6eba0bac54c9b0
Instruction ID: 6a06860e994aa031abec645f1171e3ae8d52916820ebc7bc1fb093d15d485628
Opcode Fuzzy Hash: ade42714521e7e6afb30d08e799dfa346fe8829d1be38c326a6eba0bac54c9b0
Instruction Fuzzy Hash: 1AF0EC75104680AFD7258F16C984C62BFF9EF896607198589E89A8B262C671FC42CBB0

Function 069E0120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41f202743bbac36c7eaabb0b0b14f8c753f68dee10b79e39f75e59a7ab80d39
Instruction ID: 0e9e466f4071ed72955cb463fa92ed2e1ed473515ac2e36388d6458fc6647f6d
Opcode Fuzzy Hash: d41f202743bbac36c7eaabb0b0b14f8c753f68dee10b79e39f75e59a7ab80d39
Instruction Fuzzy Hash: B6E092312605148FC710DF6CE885AE93B71EF85304F04029AE40597322DBB1EA128B95

Function 069E0130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdef97865ac5a8be9ac9b7f53cee161d935ca9b29f5180f495becd0f7980bd37
Instruction ID: 402bd814c7e729a19578afae185920a909d293bb1e2b9550c203850396d896f8
Opcode Fuzzy Hash: bdef97865ac5a8be9ac9b7f53cee161d935ca9b29f5180f495becd0f7980bd37
Instruction Fuzzy Hash: 84E0C2313206148FC300AB2CE40499977A8EF4A315B0002AAE505D7331DF61ED418785

Function 069E00F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fc4229dae415c6659bf3e5e79ce8d5a923dab4009e1ba0131b2e03a95d5f56
Instruction ID: fd4a5ca3f568619cb99899fc4e07b7850f338318d33af7559f14294a8554c1a9
Opcode Fuzzy Hash: b0fc4229dae415c6659bf3e5e79ce8d5a923dab4009e1ba0131b2e03a95d5f56
Instruction Fuzzy Hash: 3FC04C39740009CFCB00DB99E5448DCB7F0EF8822AB1140E5E60997631C731AD55CF50

Function 069E0114 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
Instruction ID: 16ffe3de997f42af0047eb078db530f1f27b524ca8407b4afb49fe63eb64c9ac
Opcode Fuzzy Hash: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
Instruction Fuzzy Hash: A6B01236A40008C9DF00CFC4F0003EDB770F780237F000063C20C62800837006749AD2

Function 069E0102 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2743404464.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
Instruction ID: 16ffe3de997f42af0047eb078db530f1f27b524ca8407b4afb49fe63eb64c9ac
Opcode Fuzzy Hash: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
Instruction Fuzzy Hash: A6B01236A40008C9DF00CFC4F0003EDB770F780237F000063C20C62800837006749AD2

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h2TTyq9R7h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
h2TTyq9R7h.exe

Function 007035E4 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 291
processCOMMON

Function 007B0612 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Function 0077D0B5 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Function 0070F376 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
threadinjectionprocessCOMMON

Function 007020B3 Relevance: 3.2, APIs: 2, Instructions: 192
fileCOMMON

Function 007BE5D5 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMON

Function 007B1663 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 007064C4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 007B070F Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Function 0070277F Relevance: 1.5, APIs: 1, Instructions: 15
COMMON