Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1571903
MD5:	9a2cc9d6c6282e7b2a0ff5649a70b0df
SHA1:	99c7c3969c9ab39261b59f047514ff7de2bc4c07
SHA256:	b08f2b65885b9ae1825d27ddf6dc9189641e0f8817999f4386da55ffcc548287
Tags:	exeLummaStealeruser-Bitsight
Infos:

Detection

LummaC Stealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9A2CC9D6C6282E7B2A0FF5649A70B0DF)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9A2CC9D6C6282E7B2A0FF5649A70B0DF)

file.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9A2CC9D6C6282E7B2A0FF5649A70B0DF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["impend-differ.biz", "zinc-sneark.biz", "drive-connect.cyou", "covery-mover.biz", "formy-spill.biz", "dare-curbys.biz", "se-blurry.biz", "dwell-exclaim.biz", "print-vexer.biz"], "Build id": "FATE99--test"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T20:40:59.709613+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.79.7	443	TCP
2024-12-09T20:41:02.096133+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.79.7	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T20:41:00.823464+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.79.7	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T20:41:00.823464+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.79.7	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://drive-connect.cyou/apin	Avira URL Cloud: Label: malware
Source: drive-connect.cyou	Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/	Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/c	Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/apis&&4	Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1657324741.000000000273F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["impend-differ.biz", "zinc-sneark.biz", "drive-connect.cyou", "covery-mover.biz", "formy-spill.biz", "dare-curbys.biz", "se-blurry.biz", "dwell-exclaim.biz", "print-vexer.biz"], "Build id": "FATE99--test"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.2% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drive-connect.cyou
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--test

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.79.7:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_004F0919
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F0868 FindFirstFileExW,	2_2_004F0868
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_004F0919

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h]	3_2_0040A960
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	3_2_00409CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], bl	3_2_0040CE55
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042A060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	3_2_00425F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	3_2_0041D074
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	3_2_0041D087
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042D085
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042D085
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h]	3_2_00426170
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	3_2_0041597D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, eax	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	3_2_00405910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	3_2_00405910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	3_2_00425920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004286F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	3_2_00417190
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	3_2_00422270
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h	3_2_0040C274
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [00444284h]	3_2_00425230
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0043CAC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch]	3_2_004292D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ebx	3_2_004292D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042AAD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00415ADC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	3_2_0040C36E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, bx	3_2_0042536C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	3_2_00402B70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00427307
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2]	3_2_00436B20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_0043DBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0043CBD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	3_2_0042B475
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_00419C10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0043CCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh	3_2_0043DCF0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042B4BB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0043CD60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_004345F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch]	3_2_00427653
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0043CE00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042A630
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h]	3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h]	3_2_004296D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh]	3_2_00415EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00421EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp al, 2Eh	3_2_004266E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004286F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00417E82
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh	3_2_0043E690
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, eax	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h	3_2_0041CEA5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebx, 03h	3_2_00428F5D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	3_2_00425F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h	3_2_00414F08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	3_2_00414F08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00420717
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00420717
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	3_2_0042BFD3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	3_2_0042BFDA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h	3_2_0043DFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.79.7:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.79.7:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: drive-connect.cyou
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: print-vexer.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.79.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.79.7:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drive-connect.cyou

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: drive-connect.cyou

Source: unknown

Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apin
Source: file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apis&&4
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/c

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.21.79.7:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00431A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00431A30

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00431A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00431A30

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00431BB0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00431BB0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1B70	0_2_004D1B70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1000	0_2_004D1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E8900	0_2_004E8900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E2101	0_2_004E2101
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F6362	0_2_004F6362
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D4C00	0_2_004D4C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DD4DB	0_2_004DD4DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D6D70	0_2_004D6D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E3500	0_2_004E3500
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F458A	0_2_004F458A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D3E60	0_2_004D3E60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D1000	2_2_004D1000
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004E8900	2_2_004E8900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004E2101	2_2_004E2101
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D7AF0	2_2_004D7AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F6362	2_2_004F6362
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D1B70	2_2_004D1B70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D4C00	2_2_004D4C00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004DD4DB	2_2_004DD4DB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D6D70	2_2_004D6D70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004E3500	2_2_004E3500
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F458A	2_2_004F458A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D3E60	2_2_004D3E60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040A960	3_2_0040A960
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004087F0	3_2_004087F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00436F90	3_2_00436F90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00425F7D	3_2_00425F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00409070	3_2_00409070
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043A030	3_2_0043A030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004038C0	3_2_004038C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004380D9	3_2_004380D9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D8E0	3_2_0041D8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042D085	3_2_0042D085
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004280B0	3_2_004280B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00426170	3_2_00426170
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042297F	3_2_0042297F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042A100	3_2_0042A100
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00437900	3_2_00437900
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416E97	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00405910	3_2_00405910
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00425920	3_2_00425920
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004301D0	3_2_004301D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004081F0	3_2_004081F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00408990	3_2_00408990
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00417190	3_2_00417190
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00414A40	3_2_00414A40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041BA48	3_2_0041BA48
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040CA54	3_2_0040CA54
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00404270	3_2_00404270
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00422270	3_2_00422270
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00406200	3_2_00406200
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00423A00	3_2_00423A00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CAC0	3_2_0043CAC0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043E2C0	3_2_0043E2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004292D0	3_2_004292D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00415ADC	3_2_00415ADC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042BA8D	3_2_0042BA8D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040E2A9	3_2_0040E2A9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004192BA	3_2_004192BA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040B351	3_2_0040B351
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041CB5A	3_2_0041CB5A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00409360	3_2_00409360
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041C360	3_2_0041C360
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416B7E	3_2_00416B7E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00411B1B	3_2_00411B1B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043533A	3_2_0043533A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CBD6	3_2_0043CBD6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043A3F0	3_2_0043A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00439B90	3_2_00439B90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00404BA0	3_2_00404BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004233A0	3_2_004233A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00436C40	3_2_00436C40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040D44C	3_2_0040D44C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00434C4D	3_2_00434C4D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00407470	3_2_00407470
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00419C10	3_2_00419C10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00418C1E	3_2_00418C1E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D420	3_2_0041D420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041DC20	3_2_0041DC20
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00436430	3_2_00436430
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CCE0	3_2_0043CCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043DCF0	3_2_0043DCF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00422CF8	3_2_00422CF8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00427C9D	3_2_00427C9D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CD60	3_2_0043CD60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416571	3_2_00416571
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00423D30	3_2_00423D30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004215F0	3_2_004215F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041DE40	3_2_0041DE40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00412670	3_2_00412670
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00425670	3_2_00425670
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041AE00	3_2_0041AE00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CE00	3_2_0043CE00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00423E30	3_2_00423E30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004156D0	3_2_004156D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042C6D7	3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00415EE0	3_2_00415EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004266E7	3_2_004266E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00406690	3_2_00406690
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043E690	3_2_0043E690
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00436690	3_2_00436690
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416E97	3_2_00416E97
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402EA0	3_2_00402EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004376B0	3_2_004376B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00426EBE	3_2_00426EBE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00428F5D	3_2_00428F5D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042B763	3_2_0042B763
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00425F7D	3_2_00425F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00414F08	3_2_00414F08
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00420717	3_2_00420717
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00418731	3_2_00418731
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041EF30	3_2_0041EF30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042BFD3	3_2_0042BFD3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00410FD6	3_2_00410FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0042BFDA	3_2_0042BFDA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004167A5	3_2_004167A5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00418FAD	3_2_00418FAD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004097B0	3_2_004097B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043DFB0	3_2_0043DFB0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00414A30 appears 76 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004EB97D appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00408000 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004DD9E0 appears 102 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004E6C0B appears 42 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: file.exe	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388

Source: classification engine

Classification label: mal96.troj.evad.winEXE@6/0@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00436F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00436F90

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DDB9A push ecx; ret	0_2_004DDBAD
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004DDB9A push ecx; ret	2_2_004DDBAD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00446061 push edx; retf	3_2_00446062
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0043CA60 push eax; mov dword ptr [esp], 11102FFEh	3_2_0043CA63
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00445A2E push esi; ret	3_2_00445A31
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00442543 push esp; retf	3_2_00442549
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00439F70 push eax; mov dword ptr [esp], 60616263h	3_2_00439F7F

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7624	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_004F0919
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F0868 FindFirstFileExW,	2_2_004F0868
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_004F0919

Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0043B480 LdrInitializeThunk,

3_2_0043B480

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004DD86F

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005061A9 mov edi, dword ptr fs:[00000030h]	0_2_005061A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1B70 mov edi, dword ptr fs:[00000030h]	0_2_004D1B70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004D1B70 mov edi, dword ptr fs:[00000030h]	2_2_004D1B70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004EC275 GetProcessHeap,

0_2_004EC275

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004DD86F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DD863 SetUnhandledExceptionFilter,	0_2_004DD863
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004E695D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004DD4B3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004DD86F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004DD863 SetUnhandledExceptionFilter,	2_2_004DD863
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004E695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004E695D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004DD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_004DD4B3

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005061A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_005061A9

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004F0170
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004F0111
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004F0245
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004F0290
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004EBB60
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004F0337
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004EFBD2
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004F043D
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004EB5BC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004EFE23
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_004EFEBE
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_004F0170
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_004F0111
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_004F0245
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_004F0290
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_004EBB60
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004F0337
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_004EFBD2
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_004F043D
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_004EB5BC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_004EFE23
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_004EFEBE

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004DE170 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_004DE170

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://drive-connect.cyou/apin	100%	Avira URL Cloud	malware
drive-connect.cyou	100%	Avira URL Cloud	malware
https://drive-connect.cyou/	100%	Avira URL Cloud	malware
https://drive-connect.cyou/c	100%	Avira URL Cloud	malware
https://drive-connect.cyou/apis&&4	100%	Avira URL Cloud	malware
https://drive-connect.cyou/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive-connect.cyou	104.21.79.7	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
impend-differ.biz	false		high
zinc-sneark.biz	false		high
covery-mover.biz	false		high
formy-spill.biz	false		high
se-blurry.biz	false		high
https://drive-connect.cyou/api	true	Avira URL Cloud: malware	unknown
print-vexer.biz	false		high
dwell-exclaim.biz	false		high
drive-connect.cyou	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.m	file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-connect.cyou/apin	file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive-connect.cyou/	file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive-connect.cyou/c	file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive-connect.cyou/apis&&4	file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.79.7	drive-connect.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571903
Start date and time:	2024-12-09 20:40:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@6/0@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 30 Number of non-executed functions: 167
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target file.exe, PID 7596 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:41:00	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drive-connect.cyou	BPzptjK1aF.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.139.78

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	https://quiet-sun-5d9f.atmos4.workers.dev/login	Get hash	malicious	Unknown	Browse	104.21.50.75
	attachDocx.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	http://www.polarinsight.online/tb	Get hash	malicious	Unknown	Browse	172.67.166.58
	https://www.aarp.org/money/scams-fraud/info-2024/title-theft-real-estate-fraud.html	Get hash	malicious	HTMLPhisher	Browse	104.18.27.193
	http://xn--gmq700hb9ir4byxw.shop/bnBkL2ViZml0c2JwY0F7Zm1mdy9idWp0cHMkbHYvcGQvem1xanVtYnNmZC9xbmJ3MDA7dHF1dWk	Get hash	malicious	ReCaptcha Phish	Browse	104.16.123.96
	https://webservice.ucampaign.unear.net/UmailTracking/t.aspx?p=64620006&c=MTI2NjMxOA==&up=46435316&e=jlim@vvblawyers.com&l=MTczODQ=&i=1126&u=aHR0cHM6Ly9zcGhleGFtcy5jb20vLndlbGwta25vdy8/MHM1N2RiPU1UTW1NVE1tTVRNbU1UTW1RakVtUmpRbWIySnhkRWN6SmtRMEprMTFiSGR5VkdoSGVVdFpMaTQ1U2pOWU5sSnlhbVk2Y2tZMEpqTXpKblY1Wm5VdWIyWmxaV3BwTXpNbVJUUW1kSFJpYldReE15WnZZbkYwUkRRbVFqRW1SalFtYlc1MWFVY3pKa1EwSmtJeEprWTBKbnBsY0dOSE15WkVOQ1pDTVNaR05DWjZaWEJqUkRRbVFqRW1SalFtWldKbWFVY3pKa1EwSmtJeEprWTBKbVp0ZW5WMFJ6TW1SRFFtTVRNbU1UTW1NVE1tTVRNbVFqRW1SVGdtTVRNbU1UTW1NVE1tTVRNbU1UTW1NVE1tTVRNbU1UTW1RakVtUXpRbWIyWmxaV3BwTVRNbVFqUW1lblZxYldwamFuUnFkekV6SmpFekpqRXpKakV6SmpFekpqRXpKakV6SmpFekpqRXpKakV6SmpFekpqRXpKa0l4SmtNMEptWjFhbWw0TVRNbVFqUW1jM0J0Y0dReE15WXhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlaQ01TWkRPQ1l4TXlaMWVXWjFMbTltWldWcWFTOHhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlaQ01TWkdOQ1ptYlhwMWRFUTBKakV6SmpFekpqRXpKakV6SmtJeEprWTBKbVp0ZFdwMVJ6TW1SRFFtWm01d1NVWTBKbVp0ZFdwMVJEUW1NVE1tTVRNbU1UTW1NVE1tUWpFbVJ6TW1LekV6Sm1aek1UTW1aV1ZpTVRNbVJUUW1SVFFtUlRRbVJUUW1SVFFtUlRRbVJEUW1NVE1tSzBjekpqRXpKakV6SmtZMEpqTXpKa1UwSmpFelkyczJSR054UjFoamIwTkdaWHRYU0dWemVtZHNkSHBtYVdkdWMydGxhVFF6SmtjekptWnpSek1tWldSSE15WjRjRzlzTG0xdFpuZ3ZSek1tYUhOd0wyWnRZbTl3YW50aWIzTm1kVzlxYjJadVlrY3pKa2N6SmtJMEpuUnhkWFZwUlRRbWJYTjJRelFtTXpNekprVTBKblZ2Wm5WdmNHUXhNeVl6TXlacGRHWnpaMlp6TXpNbVJUUW1kMnAyY21ZdWNYVjFhVEV6Sm1KMVptNUVOQ1l4TXlZeE15WXhNeVl4TXlaQ01TWkdOQ1l6TXlZNUxrZFZWak16SmtVMEpuVm1kSE5pYVdReE15WmlkV1p1UkRRbU1UTW1NVE1tTVRNbU1UTW1RakVtUmpRbVpXSm1hVVEwSmtJeEprWTBKbTF1ZFdsRU5DWkNNU1pHTkNadlluRjBSek1tUkRRbVpHczNhRnBXUkRRbWRIczFUVVUwSmt4WWJYZ3hUMUZuWkZoUVdYTjdOWGRIT1h0UlJUWW1RMDlHTkNZek15WjFlV1oxTG05bVpXVnFhVE16SmtVMEpuUjBZbTFrTVRNbWIySnhkRVEwSmtJeEpnPT0=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7
	SJqOoILabX.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.79.7
	8GHb2yuPOk.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.79.7
	W7ZBbzV7A5.exe	Get hash	malicious	Unknown	Browse	104.21.79.7
	BPzptjK1aF.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.805484562629924
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	828'416 bytes
MD5:	9a2cc9d6c6282e7b2a0ff5649a70b0df
SHA1:	99c7c3969c9ab39261b59f047514ff7de2bc4c07
SHA256:	b08f2b65885b9ae1825d27ddf6dc9189641e0f8817999f4386da55ffcc548287
SHA512:	b61aa465d601a75426129b2096e900c008faeee6d67b729bf3b2fdeef6957934e9bba7353ad55b499c2722f5381c9cc684f867e4c2b7958e743d1a459eae88d7
SSDEEP:	12288:43+0sQQRz2L8CqyGAuDi5r5jBlhyyZzWDtkfDdEIHiyO+rBlhyyZzWDtkfDdEIH7:4BqSL8CWopBCyqXIdXBCyqXId5
TLSH:	CD050141B8C14472C46326328C74E7BA5E3EF9744F31AEDBE3A45A3DDA316C18735A4A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Vg............................r.............@.......................................@..................................<..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40e572
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756FE8D [Mon Dec 9 14:28:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8f4e72561d4efc2a78f43ace5ca381df

Entrypoint Preview

Instruction
call 00007F39ECDEDDBAh
jmp 00007F39ECDEDC29h
mov ecx, dword ptr [00436900h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F39ECDEDDB6h
test esi, ecx
jne 00007F39ECDEDDD8h
call 00007F39ECDEDDE1h
mov ecx, eax
cmp ecx, edi
jne 00007F39ECDEDDB9h
mov ecx, BB40E64Fh
jmp 00007F39ECDEDDC0h
test esi, ecx
jne 00007F39ECDEDDBCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00436900h], ecx
not ecx
pop edi
mov dword ptr [00436940h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00433F48h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00433F00h]
xor dword ptr [ebp-04h], eax
call dword ptr [00433EFCh]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00433F90h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00438008h
call dword ptr [00433F68h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F39ECDF55DEh
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33ce0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b000	0x1f88	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ff08	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2c288	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33e94	0x178	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29ec0	0x2a000	ac710cf82f0bf7022a4aaa856b12d73e	False	0.5421084449404762	data	6.670829529851215	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xa33c	0xa400	ee2f812185df99eb0802af6cb8092b28	False	0.42485232469512196	data	4.924236004008865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x27d4	0x1800	472cb0caa2519382f7c923808f8b67fa	False	0.3839518229166667	data	4.8137648404324445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.TLS	0x39000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3a000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b000	0x1f88	0x2000	accec0655340d78d26259bfb9ab151b5	False	0.7593994140625	data	6.543821280470182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x3d000	0x48e00	0x48e00	c6c4a18aacb63847a01d1ba3271bcb87	False	1.0003383629931388	data	7.999337628936504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x86000	0x48e00	0x48e00	c6c4a18aacb63847a01d1ba3271bcb87	False	1.0003383629931388	data	7.999337628936504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

CreateWindowExW, DefWindowProcW, GetMessageW, PostQuitMessage, RegisterClassW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T20:40:59.709613+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.79.7	443	TCP
2024-12-09T20:41:00.823464+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.79.7	443	TCP
2024-12-09T20:41:00.823464+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.79.7	443	TCP
2024-12-09T20:41:02.096133+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.79.7	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 20:40:58.465059996 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:40:58.465111017 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:40:58.465230942 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:40:58.480856895 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:40:58.480870962 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:40:59.709430933 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:40:59.709613085 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:40:59.711924076 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:40:59.711934090 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:40:59.712173939 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:40:59.752245903 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.086533070 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.086563110 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.086684942 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.823477983 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.823575974 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.823687077 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.825874090 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.825897932 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.825911045 CET	49730	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.825916052 CET	443	49730	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.871098995 CET	49731	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.871155977 CET	443	49731	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:00.871252060 CET	49731	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.871548891 CET	49731	443	192.168.2.4	104.21.79.7
Dec 9, 2024 20:41:00.871565104 CET	443	49731	104.21.79.7	192.168.2.4
Dec 9, 2024 20:41:02.096132994 CET	49731	443	192.168.2.4	104.21.79.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 20:40:58.126285076 CET	52005	53	192.168.2.4	1.1.1.1
Dec 9, 2024 20:40:58.458127975 CET	53	52005	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 20:40:58.126285076 CET	192.168.2.4	1.1.1.1	0x313f	Standard query (0)	drive-connect.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 20:40:58.458127975 CET	1.1.1.1	192.168.2.4	0x313f	No error (0)	drive-connect.cyou		104.21.79.7	A (IP address)	IN (0x0001)	false
Dec 9, 2024 20:40:58.458127975 CET	1.1.1.1	192.168.2.4	0x313f	No error (0)	drive-connect.cyou		172.67.139.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive-connect.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.79.7	443	7604	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 19:41:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drive-connect.cyou
2024-12-09 19:41:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-09 19:41:00 UTC	1022	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 19:41:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1h69vlc94jel65eatqhhijps7u; expires=Fri, 04-Apr-2025 13:27:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LX64uhAbRcLK8jezdR1CM%2FUjhP8%2BjCln%2FwP1YrxsPUuT1bwxhrLaL4q0PLkTraG0GqJYn%2FJ2RYojE6USNrGRox%2FnF%2FMXK6A2eam1tWGHsbA1GBb4dT8bMZzhDnOx6Xf5HQP7eZs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef7785c89c543fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1766&rtt_var=676&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1601755&cwnd=236&unsent_bytes=0&cid=de267d6f11d348b9&ts=1128&x=0"
2024-12-09 19:41:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-09 19:41:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:40:57
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4d0000
File size:	828'416 bytes
MD5 hash:	9A2CC9D6C6282E7B2A0FF5649A70B0DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:40:57
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:40:57
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4d0000
File size:	828'416 bytes
MD5 hash:	9A2CC9D6C6282E7B2A0FF5649A70B0DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:40:57
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4d0000
File size:	828'416 bytes
MD5 hash:	9A2CC9D6C6282E7B2A0FF5649A70B0DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 005061A9 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0050611B,0050610B), ref: 0050633F
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00506352
Wow64GetThreadContext.KERNEL32(00000128,00000000), ref: 00506370
ReadProcessMemory.KERNELBASE(00000088,?,0050615F,00000004,00000000), ref: 00506394
VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 005063BF
TerminateProcess.KERNELBASE(00000088,00000000), ref: 005063DE
WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 00506417
WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 00506462
WriteProcessMemory.KERNELBASE(00000088,?,?,00000004,00000000), ref: 005064A0
Wow64SetThreadContext.KERNEL32(00000128,00A90000), ref: 005064DC
ResumeThread.KERNELBASE(00000128), ref: 005064EB

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 0050633E
GetThreadContext, xrefs: 00506281
SetThreadContext, xrefs: 005062CD
ResumeThread, xrefs: 005062E3
WriteProcessMemory, xrefs: 005062BA
Load, xrefs: 005061E5
ReadProcessMemory, xrefs: 00506294
ress, xrefs: 00506231
CreateProcessW, xrefs: 0050625B
VirtualAlloc, xrefs: 0050626E
VirtualAllocEx, xrefs: 005062A7
TerminateProcess, xrefs: 005063CE
aryA, xrefs: 005061ED
GetP, xrefs: 00506229

Memory Dump Source

Source File: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 804f0e1f1cac870e7eb81d71c3eb06ea17bcfbda58f52e757ad8f2d0cbc4ad0c
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 31B1087660064AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 004D1B70 Relevance: 10.8, APIs: 7, Instructions: 267
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D1000: _strlen.LIBCMT ref: 004D1067

CreateFileA.KERNELBASE ref: 004D1BD1
GetFileSize.KERNEL32(00000000,00000000), ref: 004D1BE1
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 004D1C07
CloseHandle.KERNELBASE(00000000), ref: 004D1C16
_strlen.LIBCMT ref: 004D1C84
CloseHandle.KERNEL32(00000000), ref: 004D1E83
PostQuitMessage.USER32(00000000), ref: 004D1EE0

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateMessagePostQuitReadSize
String ID:
API String ID: 3694359222-0
Opcode ID: 653e994a700eb888eb94d394468969cb7db6141c5c9048051b7274e6d42dcaa1
Instruction ID: 7cadcb260add03fe49041223ccef2ab87c15e9b75fd104b2f2366021b5fdcbcf
Opcode Fuzzy Hash: 653e994a700eb888eb94d394468969cb7db6141c5c9048051b7274e6d42dcaa1
Instruction Fuzzy Hash: D7912372904340ABC314DF24C89562FBBE5AF89754F154A2FFC858B361E738E944CB96

Function 004D20D0 Relevance: 13.6, APIs: 9, Instructions: 109
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004D20E8
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004D20F9
GetCurrentThreadId.KERNEL32 ref: 004D214A

Part of subcall function 004DD0B6: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 004DD0C2
Part of subcall function 004DD0B6: GetExitCodeThread.KERNEL32(?,?), ref: 004DD0DB
Part of subcall function 004DD0B6: CloseHandle.KERNEL32(?), ref: 004DD0ED

Part of subcall function 004E3E7D: CreateThread.KERNELBASE(?,?,Function_00013F95,00000000,?,?), ref: 004E3EC6
Part of subcall function 004E3E7D: GetLastError.KERNEL32 ref: 004E3ED2
Part of subcall function 004E3E7D: __dosmaperr.LIBCMT ref: 004E3ED9

GetCurrentThreadId.KERNEL32 ref: 004D21AF
std::_Throw_Cpp_error.LIBCPMT ref: 004D21E9
std::_Throw_Cpp_error.LIBCPMT ref: 004D21F0
std::_Throw_Cpp_error.LIBCPMT ref: 004D21F7
std::_Throw_Cpp_error.LIBCPMT ref: 004D2204
std::_Throw_Cpp_error.LIBCPMT ref: 004D2213

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFileLastNameObjectSingleWait__dosmaperr
String ID:
API String ID: 686914455-0
Opcode ID: 510dbaa99e0db160de6518ccd9bb741a2a7b409d49f204097832bc1fb849137d
Instruction ID: 9d1bc49ec1a248935437e9771ca860e04de8cd8d151177fe9463666e0fabe6d3
Opcode Fuzzy Hash: 510dbaa99e0db160de6518ccd9bb741a2a7b409d49f204097832bc1fb849137d
Instruction Fuzzy Hash: 6331D5B1A043016AE7206F658C27B5F76A4AF54B04F01441FFA48AB3C1EABC9910D79B

Function 004EB8B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,29CDBBBE,?,004EB9C1,?,?,00000000), ref: 004EB973

Strings

ext-ms-, xrefs: 004EB91D
api-ms-, xrefs: 004EB909

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2d69ef865c7a822f7b483e87330438520a02d9ce9c9d9c77b8451d6148f61868
Instruction ID: d1f891c9d9298c337318924da5090913e32598822976f59b28bda8ba0dba909b
Opcode Fuzzy Hash: 2d69ef865c7a822f7b483e87330438520a02d9ce9c9d9c77b8451d6148f61868
Instruction Fuzzy Hash: 1B210571A01355F7C7219B26EC41A6F376CEF61761F140122EA51A73D1D738EE00D6E4

Function 004D14C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 004D14DA

Strings

ios_base::failbit set, xrefs: 004D1758
ios_base::badbit set, xrefs: 004D1763, 004D1781, 004D1AB3
ios_base::eofbit set, xrefs: 004D1753

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 02b22efc10220c95f9137c3f8d713403ffaf0c9f903650f546a95659afeaa973
Instruction ID: ff9a4ce690444fb269a08e251bce02af110424f78bd0582e3c1122aee792bbd7
Opcode Fuzzy Hash: 02b22efc10220c95f9137c3f8d713403ffaf0c9f903650f546a95659afeaa973
Instruction Fuzzy Hash: 679172742042009FDB14DF29C4A4B26B7E2FF89314F18869EE9568F3A6D739EC45CB45

Function 004D1AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D1000: _strlen.LIBCMT ref: 004D1067

FreeConsole.KERNELBASE(?,?,?,00504808,ios_base::badbit set), ref: 004D1AE1
VirtualProtect.KERNELBASE(0050601C,00000549,00000040,?), ref: 004D1B30
ExitProcess.KERNEL32 ref: 004D1B66

Strings

ios_base::badbit set, xrefs: 004D1763, 004D1781, 004D1AB3

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ConsoleExitFreeProcessProtectVirtual_strlen
String ID: ios_base::badbit set
API String ID: 4233975149-3882152299
Opcode ID: 27c71eb1ee9ead94b214e1edfe36d08d2cd9feea28efa9cf830b01855c1d4402
Instruction ID: 9fe98cde3f508bb538d7ddcbd09cbfbbc9e9a523118973d27084b221d1b77e17
Opcode Fuzzy Hash: 27c71eb1ee9ead94b214e1edfe36d08d2cd9feea28efa9cf830b01855c1d4402
Instruction Fuzzy Hash: 2E012835B801087BEB007BA6DC13FAF7B64DB44748F004066FA08BA3D2E579A62486D8

Function 004E3E7D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00013F95,00000000,?,?), ref: 004E3EC6
GetLastError.KERNEL32 ref: 004E3ED2
__dosmaperr.LIBCMT ref: 004E3ED9

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2d7bd0e570095a7581a82b4554528a98cf3a9338cf5579f7358cb87333c05703
Instruction ID: 7519e33f02bdc4d0297c573b0e72b853326345b9c4f396035f79841448ff1a5a
Opcode Fuzzy Hash: 2d7bd0e570095a7581a82b4554528a98cf3a9338cf5579f7358cb87333c05703
Instruction Fuzzy Hash: 92016D72900249ABCF16AFA7DC09A9E3A68EF5035BF00405AF90197250DB799E50DB94

Function 004F2520 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F28CA: GetConsoleOutputCP.KERNEL32(29CDBBBE,00000000,00000000,?), ref: 004F292D

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,004E7097,?), ref: 004F26A5
GetLastError.KERNEL32(?,?,004E7097,?,004E72DB,00000000,?,00000000,004E72DB,?,?,?,00504DE0,0000002C,004E71C7,?), ref: 004F26AF

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 1ee15e546e97311dac69037d2ab18b2728ae3f2ad69cfb4d5851d661878d7be3
Instruction ID: 8d4a6b248ceafec90788584af8a3da0e2c2db56f25b1e6723264300702b179ac
Opcode Fuzzy Hash: 1ee15e546e97311dac69037d2ab18b2728ae3f2ad69cfb4d5851d661878d7be3
Instruction Fuzzy Hash: F661C17180015DAFDF01DFA8CA44EFFBBB9BF09308F14015AEA00A7251D3B9DA059B69

Function 004F2CF9 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,004F268B,00000000,004E72DB,?,00000000,?,00000000), ref: 004F2D95
GetLastError.KERNEL32(?,004F268B,00000000,004E72DB,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,004E7097), ref: 004F2DBB

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: c0b81d58a71aac54ac8ed41aae8d3847679cff2a505161a804495bd3ce2e9520
Instruction ID: 6778a7de7e657c026d0cbb8fab47201efac5c1004c2f5b8a01b29dfc5affb7e5
Opcode Fuzzy Hash: c0b81d58a71aac54ac8ed41aae8d3847679cff2a505161a804495bd3ce2e9520
Instruction Fuzzy Hash: 4621BF30A002199FCF19CF29DE80AEDB7B9EB49301F1444AAEA06D7311D774DE468FA4

Function 004EC3D2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,004EC2C1,00505160), ref: 004EC41E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,004EC2C1,00505160), ref: 004EC430

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ac046f0d28879dbc08c6ff6360b32fce24f7d50e52f49d53bcb6413804ffc8ec
Instruction ID: 4c98d98d14847815a255676e9d51acb74de23abd4ee511d5e95e1b69e14a9562
Opcode Fuzzy Hash: ac046f0d28879dbc08c6ff6360b32fce24f7d50e52f49d53bcb6413804ffc8ec
Instruction Fuzzy Hash: 9C11D5715047D14AC7304A3F8CE86377A94AB56372B38071BD4F6C22F2C638C9479549

Function 004E3F95 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00504C30,0000000C), ref: 004E3FA8
ExitThread.KERNEL32 ref: 004E3FAF

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 5393075cbd00652621b0eeeb3120690dea0e7944ea15d0f03da12850eb6e57e2
Instruction ID: 5ad383eee385fe15794e9cab8e3de6ac65c57ffde2ac3c69c8c41bfaacfec272
Opcode Fuzzy Hash: 5393075cbd00652621b0eeeb3120690dea0e7944ea15d0f03da12850eb6e57e2
Instruction Fuzzy Hash: BBF0AF71940245AFDB11AF72D80AA6E3B79FF10306F20018EF10197291CB79AA01DFA5

Function 004EAB23 Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
SetLastError.KERNEL32(00000000), ref: 004EABC9

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 823752752df6ff6d01443754575a8cb22370b4dc2cc0b21bcc62c3b23274ad30
Instruction ID: 8b25720f83cc207b4d16221c0427e5c2fc613e21de2a2abeaed447a81e137d67
Opcode Fuzzy Hash: 823752752df6ff6d01443754575a8cb22370b4dc2cc0b21bcc62c3b23274ad30
Instruction Fuzzy Hash: 4011C121B44292AED61037A7AC86E2F2649AF203AF710013AF61592191DB5C7C2952EF

Function 004DAF05 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026127e4d6120f567a7ab9a3cc862c6345c8196c77ecdb647f1accb24ab00a95
Instruction ID: 465d17685fdd5c71bddad92844fbb8604c2419d0aa9e73de6a1f770c8247c9a9
Opcode Fuzzy Hash: 026127e4d6120f567a7ab9a3cc862c6345c8196c77ecdb647f1accb24ab00a95
Instruction Fuzzy Hash: 6B31A27260451AAFCB14DF69C8A08EEB7B8FF09324B14466BE412E3390E735F954CB95

Function 004DAEF7 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: e290f4e42505182648df4caa2ba2f78b96c941a3563cb8aa00ab183667960b27
Instruction ID: 8b013a93e9382fff054efd618ccd69b2fe0ae693e522b040ca313201157878ef
Opcode Fuzzy Hash: e290f4e42505182648df4caa2ba2f78b96c941a3563cb8aa00ab183667960b27
Instruction Fuzzy Hash: C01197B260C2864FCB05CF38E4B1669BB60EF4233472444EFE4418A382D6295460C70E

Function 004EB97D Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02ada698f18b868a0cdc8daea3d87200469c3e6f095b4a1c35c3e215389f25f
Instruction ID: dc68add938f2e26a9ae440ccdc523f219cea16ddd0d1c701f51d5009f5c5616c
Opcode Fuzzy Hash: d02ada698f18b868a0cdc8daea3d87200469c3e6f095b4a1c35c3e215389f25f
Instruction Fuzzy Hash: 190145732002559FEB028E6BEC81A2F33AAFBC03253204126FA0087255DB349C1197C8

Function 004EBC50 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,004EAB70,00000001,00000364,?,00000005,000000FF,?,004E3FBA,00504C30,0000000C), ref: 004EBC91

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a494944901124a13e14d067fc4e31e6fa22a2cec39c6fe3dd37cc1056465984b
Instruction ID: ffe3ed30d2411ec037e8ab824bd2184143109e6a1378eb04a8aec8bc398f35da
Opcode Fuzzy Hash: a494944901124a13e14d067fc4e31e6fa22a2cec39c6fe3dd37cc1056465984b
Instruction Fuzzy Hash: 2BF059312082A067EB222F638C04E1B3748EF81766B35411BBC08F7290CF38DC0086E9

Function 004EA8D1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,004EC8AA,?,?,004EC8AA,00000220,?,00000000,?), ref: 004EA903

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 40eb865d41083d47407b62873435b44908f9bb7ee374ae856b58313e9286700e
Instruction ID: 2917e5b75b62b9f7d640afc5fe47c736490ad07d23f7ce7f90e6b15cf1a9d2b9
Opcode Fuzzy Hash: 40eb865d41083d47407b62873435b44908f9bb7ee374ae856b58313e9286700e
Instruction Fuzzy Hash: E7E02B312012A556D72037A39C04B5F7798AF513F3F170123ED0596291EF2CED6191AF

Non-executed Functions

Function 004EFBD2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 004EFCDA
IsValidCodePage.KERNEL32(00000000), ref: 004EFD18
IsValidLocale.KERNEL32(?,00000001), ref: 004EFD2B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004EFD73
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004EFD8E

Strings

l#P, xrefs: 004EFC87

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: l#P
API String ID: 415426439-1800326595
Opcode ID: fe5378ef075649fe7d5729991cda63ae41bd0a987ca7c7686a7f245e903a355b
Instruction ID: ce4b18558ad0d64a82ced7387e9eb64745ec203032d77ddc893cf4bc2ac60374
Opcode Fuzzy Hash: fe5378ef075649fe7d5729991cda63ae41bd0a987ca7c7686a7f245e903a355b
Instruction Fuzzy Hash: 62519072A00249AFDB10DFA6CC41ABF77B8FF44706F24447AE901E7291E7789908CB65

Function 004F6362 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004F6579

Strings

1#INF, xrefs: 004F6498
1#QNAN, xrefs: 004F6475
1#IND, xrefs: 004F6467
1#SNAN, xrefs: 004F646E

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 74f6ea032d4e3d21f36f4ffa98d269b72d8341709668d92a1c7d3c8afbfff050
Instruction ID: c78c8f28de309ce4a08613ef7ee45b5db29868d951cee056f70988e74b9b30b8
Opcode Fuzzy Hash: 74f6ea032d4e3d21f36f4ffa98d269b72d8341709668d92a1c7d3c8afbfff050
Instruction Fuzzy Hash: 59D23872E0822D8FDB64CE28DD40BEAB7B5EB44315F1541EAD50DE7240EB78AE818F45

Function 004F0337 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004EFD08,00000002,00000000,?,?,?,004EFD08,?,00000000), ref: 004F03D0
GetLocaleInfoW.KERNEL32(?,20001004,004EFD08,00000002,00000000,?,?,?,004EFD08,?,00000000), ref: 004F03F9
GetACP.KERNEL32(?,?,004EFD08,?,00000000), ref: 004F040E

Strings

OCP, xrefs: 004F038B
ACP, xrefs: 004F0355

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 943cd613a3563592843a9c7c40b2e502c479e5eace1e6ef5bcebafb68014d120
Instruction ID: 5f77635c8746760a29e780d5830b107825f1fb040d4ca317ce7c93392dccf44d
Opcode Fuzzy Hash: 943cd613a3563592843a9c7c40b2e502c479e5eace1e6ef5bcebafb68014d120
Instruction Fuzzy Hash: 8421B832A0020DABD734CF14C901ABB72A6BBD4B54B568066EF0AD7313E73ADE41C358

Function 004E8900 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c833190d3595b4907967d4d4129b7b381ff8ffd123d7f024cd91791e4d9d99b7
Instruction ID: 7a67c928a3a5b2c864619efe98099dc247a5fad8c2934f916dfe398de8b12193
Opcode Fuzzy Hash: c833190d3595b4907967d4d4129b7b381ff8ffd123d7f024cd91791e4d9d99b7
Instruction Fuzzy Hash: 6E026E71E012199FDF14CFAAC980AAEB7F1FF48315F24826ED519A7380DB35A9418B94

Function 004F0919 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 004F0A09
FindNextFileW.KERNEL32(00000000,?), ref: 004F0AFD
FindClose.KERNEL32(00000000), ref: 004F0B3C
FindClose.KERNEL32(00000000), ref: 004F0B6F

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 3afbe254f767cc14cde2f8fd8e92f1bedfd848a27d74f47dd1713cb011a59d4d
Instruction ID: 17845ab7c9f040fcef74d48205c198d7e8ca4fe93394e5efc3a612d587c720e6
Opcode Fuzzy Hash: 3afbe254f767cc14cde2f8fd8e92f1bedfd848a27d74f47dd1713cb011a59d4d
Instruction Fuzzy Hash: 1371E571D0515C5FDF21EF25CC89ABFBBB8AB85304F1441DAE14CA7212EA385E859F18

Function 004DD86F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004DD87B
IsDebuggerPresent.KERNEL32 ref: 004DD947
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004DD960
UnhandledExceptionFilter.KERNEL32(?), ref: 004DD96A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5819163b054a0354deb45f7c8ceaf0286493d02ae59361256d8fd480c38ebda6
Instruction ID: 45d45fac9f0a06987dfc74c320387214959da5c255caf7e4a4d3146c13fe5f29
Opcode Fuzzy Hash: 5819163b054a0354deb45f7c8ceaf0286493d02ae59361256d8fd480c38ebda6
Instruction Fuzzy Hash: E43116B5D012199BDF21EFA5D8497CDBBB8AF08300F1041AAE40CAB250EB759B85DF44

Function 004D6D70 Relevance: 5.5, Strings: 4, Instructions: 524COMMON

Download Yara Rule

Strings

+, xrefs: 004D7217
+, xrefs: 004D7404
%, xrefs: 004D71FE
%, xrefs: 004D73EB

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID: %$%$+$+
API String ID: 0-3555305375
Opcode ID: 8bf52dc134d8e78c9fe3d90e29757dea0bd5326f79281c58065bca38c5585134
Instruction ID: 347119d0a709953c32b605208e0bb2ac0c55a4157a36831ef057e27c71b7217e
Opcode Fuzzy Hash: 8bf52dc134d8e78c9fe3d90e29757dea0bd5326f79281c58065bca38c5585134
Instruction Fuzzy Hash: 3122983050C7808FD315DF29C4A036FBBE2AB8A354F158A1FE885973A1E7789985CB47

Function 004D3E60 Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

+, xrefs: 004D44D4
%, xrefs: 004D44BB
+, xrefs: 004D42F7
%, xrefs: 004D42DE

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID: %$%$+$+
API String ID: 0-3555305375
Opcode ID: 54dab03ed5bf11e8316eb1ecdb0fa95fc63d58f6286fe6a2867404ba84acfcf7
Instruction ID: cf93c8518c6b0d1392248229c4e723b5f0a51d41ba452eb6619e1aeb506ce9a2
Opcode Fuzzy Hash: 54dab03ed5bf11e8316eb1ecdb0fa95fc63d58f6286fe6a2867404ba84acfcf7
Instruction Fuzzy Hash: BA1287705087848FD715DF29C0A036FBBE1ABCA354F148A1FE989973A1D7398985CB47

Function 004EFEBE Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004EFF12
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004EFF5C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F0022

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: c2da70a09a7ade78296c8deeaf023d9859687752e1b84b872bd0cd3cb9c5aea0
Instruction ID: 08a25c19b73c55244490b3f1cf2a9895b803e743a6b15fb06cce965859c04a2c
Opcode Fuzzy Hash: c2da70a09a7ade78296c8deeaf023d9859687752e1b84b872bd0cd3cb9c5aea0
Instruction Fuzzy Hash: 0761927150010B9FDB289F25DC82BBB77A8EF45305F1480BBEA05D6286EB3CD985DB54

Function 004E695D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004E6A55
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004E6A5F
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004E6A6C

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dc72577a8639e2a9150e9f56d172abe09b1e3f8842705afe26dda68d9c24f8ae
Instruction ID: 9c78ead07baf664751f0b17a048446a26990bb25c6fac42d9bc92bbfa9626b63
Opcode Fuzzy Hash: dc72577a8639e2a9150e9f56d172abe09b1e3f8842705afe26dda68d9c24f8ae
Instruction Fuzzy Hash: 3E31E574D01228ABCB21DF69DC8978DBBB8BF18350F5085EAE41CA7250E7749F859F44

Function 004D1000 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D1067

Strings

Something, xrefs: 004D141E

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: _strlen
String ID: Something
API String ID: 4218353326-2334896984
Opcode ID: 20eaf8b4d4b681f771d75edda32b26f5a240f730d73d10d55173f71726e19c19
Instruction ID: 2b45f4b9db8b8e27a7125370d0012084993ed791abe264ebe2d8bf2dc66bc97c
Opcode Fuzzy Hash: 20eaf8b4d4b681f771d75edda32b26f5a240f730d73d10d55173f71726e19c19
Instruction Fuzzy Hash: EE713571A04311AFC318EF69C89052BF7E1AF8A304F058A2FED45DB351E634E941CB9A

Function 004DE170 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,004DE076,?,?,?,?,004DE09A,000000FF,00000000,?,?,004DDDB1,00000000,ios_base::badbit set), ref: 004DE1A8
GetSystemTimeAsFileTime.KERNEL32(?,29CDBBBE,00000000,?,004FAC4A,000000FF,?,004DE076,?,?,?,?,004DE09A,000000FF,00000000), ref: 004DE1AC

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 25912bad1777307c98a5777ce51c1ce1dd76b098c00bc74ac2d8d4bbae66f71d
Instruction ID: e438126fd00acc7b8a6a1b7264700133e97f58e4442bebfa6a95178f34a260d4
Opcode Fuzzy Hash: 25912bad1777307c98a5777ce51c1ce1dd76b098c00bc74ac2d8d4bbae66f71d
Instruction Fuzzy Hash: 43F06576A04558EFD7119F44DC14B6DB7ACFB09B10F14422BEC1297790DB39A9049B84

Function 004F458A Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004F44E5,?,?,00000008,?,?,004FA97B,00000000), ref: 004F47B7

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54c40a36f88cc7ccfed8d8ce2ffeb86cdf5ada9d5b99f35fa9e6b61cbbc15b9b
Instruction ID: 8ca051a4e8ea9c6c9b666717f19866d1019c1ff9f9f3ffb1c93358b4488430e1
Opcode Fuzzy Hash: 54c40a36f88cc7ccfed8d8ce2ffeb86cdf5ada9d5b99f35fa9e6b61cbbc15b9b
Instruction Fuzzy Hash: A6B18F35510608CFD714CF28C48AB667BE0FF85364F258659EA99CF3A1C739E992CB44

Function 004DD4DB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004DD4F1

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 745ab168018c31f539bef3ba3175782a4df100fb57d05c49a72b02e3b5837563
Instruction ID: 81bbe7815fe27b1708b4a0e6a01936d51b19baca34fd3e86aaa88b1ff6416031
Opcode Fuzzy Hash: 745ab168018c31f539bef3ba3175782a4df100fb57d05c49a72b02e3b5837563
Instruction Fuzzy Hash: 9BA1ADB2E02605CFCB18CF58D8916AEBBB0FB58324F24856BD425E7760D338A854DF60

Function 004F0170 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F01C4

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b8a6d392aa082dd7dd2b360160eccc46bc8dfdd977d811f14a2e292bcaf16fa6
Instruction ID: 1dd6393253b5202f781ba4c2a18ecbf07beff74fdf88105c9a0054c2edf1d9b9
Opcode Fuzzy Hash: b8a6d392aa082dd7dd2b360160eccc46bc8dfdd977d811f14a2e292bcaf16fa6
Instruction Fuzzy Hash: F421C83261514A9BEB289B66EC45A7B73A8EF84315B1040BFFE01D6242E778ED00C764

Function 004E3500 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 004E3670

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bfb5ca0909a24570a5921a3e6ca96e6ff6fc22414cac3a42b384bd01ab8ffe91
Instruction ID: 0f351ec2065bcdb9dbfd1a07f893c2638dd5483492fe23eff24476052185eb46
Opcode Fuzzy Hash: bfb5ca0909a24570a5921a3e6ca96e6ff6fc22414cac3a42b384bd01ab8ffe91
Instruction Fuzzy Hash: FCC1D0B0900686AFCB36DF3BC58867BBBA1AF05307F14461FE45297791C339AA05CB19

Function 004E2101 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 004E2285

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cb5735cad87a064385dcabcea1ac5d3835f0b76df1b8a10df1f206168f711e48
Instruction ID: 759422fae9c16574663ff981f415e4d93403bd4a71224589213a04364b176a74
Opcode Fuzzy Hash: cb5735cad87a064385dcabcea1ac5d3835f0b76df1b8a10df1f206168f711e48
Instruction Fuzzy Hash: 0FB1E4309006C79BCB248F6ACB556BFB7B9BF04306F14061FDA5297791C6BC9A02CB59

Function 004F0290 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F02E4

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c4197ac77392fd05e79c0a18a7afbc02db4292a6c95f9f2082228f1fc2c07485
Instruction ID: c6e8ab615935b360b0b5923cb5afca0272879c8ce252018c477f7aac75e0f414
Opcode Fuzzy Hash: c4197ac77392fd05e79c0a18a7afbc02db4292a6c95f9f2082228f1fc2c07485
Instruction Fuzzy Hash: DA11C672A1011A9BD714AB2ADC46ABB77ACEF44314B10407FFA01D7242EB3CED049754

Function 004EFE23 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

EnumSystemLocalesW.KERNEL32(004EFEBE,00000001,00000000,?,-00000050,?,004EFCAE,00000000,-00000002,00000000,?,00000055,?), ref: 004EFE95

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8f687684197402f1b66f6be3cb0e096d3fefec751947c069d5c9c9307f61304e
Instruction ID: aaac753b82396b0a559e8698330e892fa8bba2ce37b0585f5c54805ff309dab3
Opcode Fuzzy Hash: 8f687684197402f1b66f6be3cb0e096d3fefec751947c069d5c9c9307f61304e
Instruction Fuzzy Hash: 6F1129372003055FDB289F3AC89167BB791FF80319B18443EE54687741D3757946C740

Function 004F043D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004F00DA,00000000,00000000,?), ref: 004F0469

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e3bf14dc0129df8448f34c4b7283e2873cffc6f4670dd7d5613ad2f1ed90c772
Instruction ID: 900c2f255f47e978e8e5ec1462e639c582c40e659b3f0fbfa4ac77299a5d2260
Opcode Fuzzy Hash: e3bf14dc0129df8448f34c4b7283e2873cffc6f4670dd7d5613ad2f1ed90c772
Instruction Fuzzy Hash: 5F014E3261011ABBDB389F21CC057BB3768EFC0328F14442AEF42A3281DA78FE41C599

Function 004F0111 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

EnumSystemLocalesW.KERNEL32(004F0170,00000001,?,?,-00000050,?,004EFC76,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 004F015B

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 239d5df9195a986a109a0abe302417c7d0e34e213da593ff3db778e5768846a2
Instruction ID: 6bb8bf69f76b44481518a16ea0fb2844345e65ae14ee918fd2d07c72b57273da
Opcode Fuzzy Hash: 239d5df9195a986a109a0abe302417c7d0e34e213da593ff3db778e5768846a2
Instruction Fuzzy Hash: 3AF0C2362003086FDB255F359CC1A7B7B95EBC0768F15442EFA058B791C6B6AC42C654

Function 004EBB60 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004E6BF4: EnterCriticalSection.KERNEL32(?,?,004EAFB0,?,005050C0,00000008,004EAEA2,?,?,?), ref: 004E6C03

EnumSystemLocalesW.KERNEL32(004EBB53,00000001,00505140,0000000C,004EB4B8,-00000050), ref: 004EBB98

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7370a37b5d439bbb13c2d9d55960b854f03bb907868bed575690ff9dad81e5b0
Instruction ID: 40bc6d7177b9a8612ae4fcddbd1f82409508ce501b372d99526f752ea35583d4
Opcode Fuzzy Hash: 7370a37b5d439bbb13c2d9d55960b854f03bb907868bed575690ff9dad81e5b0
Instruction Fuzzy Hash: B2F04F76A40205DFDB00DF5AD842B9E77B0EB18725F10811BF410DB3A1CB795908DF44

Function 004F0245 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

EnumSystemLocalesW.KERNEL32(004F0290,00000001,?,?,?,004EFCD0,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 004F027C

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 77b5cea0d89476d5a9accbadbb6b65d02071dac5c668777376451f6deccb8541
Instruction ID: d312f2b400f2b597f227e4bf2124b17b88eb34b74757a5c63eed3a61c3b54361
Opcode Fuzzy Hash: 77b5cea0d89476d5a9accbadbb6b65d02071dac5c668777376451f6deccb8541
Instruction Fuzzy Hash: CEF05C3630020857CB049F35D84977B7F94EFC1714B07409AEB058B241C275DD42C7A4

Function 004EB5BC Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,004E5950,?,20001004,00000000,00000002,?,?,004E4862), ref: 004EB5F0

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1ba1ed58e65673ac5f13648d84908cd8dd74edcb4e7f15c50df41ab61e07233a
Instruction ID: b0052115b1b6e2b87af3f4594d60c90c49a444c0c17c929ca6def90bd75e5a53
Opcode Fuzzy Hash: 1ba1ed58e65673ac5f13648d84908cd8dd74edcb4e7f15c50df41ab61e07233a
Instruction Fuzzy Hash: B8E04F31900158BBCF222F62EC04A9F7F29EF44752F048026FD0565221CB39CE21ABD9

Function 004DD863 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000D984), ref: 004DD868

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c5af4f08b7a76aea3fc757802398c764eeb49b82ae4dd68364a3ac2dedba37da
Instruction ID: db14c875226ac312a625d20d85c5079cb84fa40ab86543e614aec8dbffc530d5
Opcode Fuzzy Hash: c5af4f08b7a76aea3fc757802398c764eeb49b82ae4dd68364a3ac2dedba37da
Instruction Fuzzy Hash:

Function 004EC275 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004EC275

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7523de3e48e16540b6c31e1a34b7c5ec236063533df5428837f8c650b5d44fc8
Instruction ID: 60c552b58a1d969d4ef4b28ff3d1fe02766c515e7e7d8ddfcd01ef5f4fbee32d
Opcode Fuzzy Hash: 7523de3e48e16540b6c31e1a34b7c5ec236063533df5428837f8c650b5d44fc8
Instruction Fuzzy Hash: E4A012305011019BC3104F315E0460C37A856501C03044014A400C0160DA3844487F01

Function 004D4C00 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89299c8e5036090960a4cc36e6c1ea777176362c8fb8987ec0ee3bbf1ae92e04
Instruction ID: 84bfb0dbb916608a835385e7c1b184c01e8018b3eeb4cdb7c2e21960405112f7
Opcode Fuzzy Hash: 89299c8e5036090960a4cc36e6c1ea777176362c8fb8987ec0ee3bbf1ae92e04
Instruction Fuzzy Hash: D9428F746087418FC714DF28C4A466AB7E1FF85304F55895FE8968B3A1DB78EC41CB8A

Function 004D1F20 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 118windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004D1F53
RegisterClassW.USER32(?), ref: 004D1F6A
CreateWindowExW.USER32 ref: 004D1FCA
GetLastError.KERNEL32 ref: 004D1FD4
GetMessageW.USER32(Christmas Balls,00000000,00000000,00000000), ref: 004D2000
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004D203D

Strings

[err id]: %i, xrefs: 004D1FDB
CreatingTool, xrefs: 004D1FB3
Keep low..., xrefs: 004D2052
Christmas Balls, xrefs: 004D1F5D, 004D1FBB, 004D1FFF

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Message$ClassCreateErrorHandleLastModuleRegisterWindow
String ID: Christmas Balls$CreatingTool$Keep low...$[err id]: %i
API String ID: 91802587-478130180
Opcode ID: 1796487d9b6bdb661f9fea7d42bcd2afc050f72ff8b6daffa5b78acc2ae60107
Instruction ID: 94a858674adb55cddd229718e6f0c19d5068655d508dc77f914862f91065491f
Opcode Fuzzy Hash: 1796487d9b6bdb661f9fea7d42bcd2afc050f72ff8b6daffa5b78acc2ae60107
Instruction Fuzzy Hash: 14418170A143419FD300DF25C955B2BB7E4BF99704F00851EF98997390DBB9D944CB56

Function 004F9712 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,004F96FD,?,?,?,?,?,?,?,?,?), ref: 004F97B8
__alloca_probe_16.LIBCMT ref: 004F9873
__alloca_probe_16.LIBCMT ref: 004F9902
__freea.LIBCMT ref: 004F994D
__freea.LIBCMT ref: 004F9953
__freea.LIBCMT ref: 004F9989
__freea.LIBCMT ref: 004F998F
__freea.LIBCMT ref: 004F999F

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 912ba4ee097b042e94ce39df3a3a225fa6bfdc3949521dc5160041ffac2d707e
Instruction ID: 2653b88461410703b8ec8a0278e8e91a9ea7f823ca3dd921f0424039c536fed6
Opcode Fuzzy Hash: 912ba4ee097b042e94ce39df3a3a225fa6bfdc3949521dc5160041ffac2d707e
Instruction Fuzzy Hash: 4171D4B290024D9BDF21AF658C81FBF7BE99F46314F16045FEA04A7382D67D9C018769

Function 004DDE85 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 004DDECC
__alloca_probe_16.LIBCMT ref: 004DDEF8
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 004DDF37
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004DDF54
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004DDF93
__alloca_probe_16.LIBCMT ref: 004DDFB0
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004DDFF2
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004DE015

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: be3189863e0159ed7c6878a80827971f66c8c4fe543945856de428c37508d474
Instruction ID: 9acb706b9dadf607f9dd85eddf3a002e2472b9f4346241b1cb12ddeba7757201
Opcode Fuzzy Hash: be3189863e0159ed7c6878a80827971f66c8c4fe543945856de428c37508d474
Instruction Fuzzy Hash: 2B51BE72A0021AABEF226F62CC55FAF7BA9EF44784F10442BF9119A350D779DD00DA58

Function 004ED7EB Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004ED871

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
Instruction ID: 8e434e28498b5da1d3ca9e04a7bef88bed10ad10942407e0b20ef0f6ff397b4e
Opcode Fuzzy Hash: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
Instruction Fuzzy Hash: C7B16772E042D59FDB15CF2ACC82BBF7BA5EF15311F15416BE904AB382D2789901C7A8

Function 004DEE00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004DEE37
___except_validate_context_record.LIBVCRUNTIME ref: 004DEE3F
_ValidateLocalCookies.LIBCMT ref: 004DEEC8
__IsNonwritableInCurrentImage.LIBCMT ref: 004DEEF3
_ValidateLocalCookies.LIBCMT ref: 004DEF48

Strings

csm, xrefs: 004DEEDD

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f73d23ca411b44ee7d36e5723f1745b7ba3afe828aff8649fa4e2b61db02c69e
Instruction ID: edf008cac518e75301adec57fe8b147d825304abfcba785acd0cd15d723bfab3
Opcode Fuzzy Hash: f73d23ca411b44ee7d36e5723f1745b7ba3afe828aff8649fa4e2b61db02c69e
Instruction Fuzzy Hash: 8B41B530900219ABCF10EF6AC894A9F7BB5BF45314F14855BE8149F392C739EE15CB9A

Function 004DDD27 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004DDD3B
AcquireSRWLockExclusive.KERNEL32(00000008,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004DDD5A
AcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDD88
TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDDE3
TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDDFA

Strings

ios_base::badbit set, xrefs: 004DDD71

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: 3181b5c2f88cebc329a2242a0f87a2d5a52589e7bfe4eb6f878a4fd81ba58532
Instruction ID: 3fd0019473455825df63d5f01364a88ba6ee055b1fbb075b46ef526ba214cbf2
Opcode Fuzzy Hash: 3181b5c2f88cebc329a2242a0f87a2d5a52589e7bfe4eb6f878a4fd81ba58532
Instruction Fuzzy Hash: 8A414931E00A06DBCF20DF65C5A49AAB3B9FF29311B104A1BD456DB740D738EA45CB59

Function 004DE13C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004DE142
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004DE150
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004DE161

Strings

kernel32.dll, xrefs: 004DE13D
GetTempPath2W, xrefs: 004DE156
GetSystemTimePreciseAsFileTime, xrefs: 004DE14A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 65fc68f1acf15b9a0955130e8296dff7cc425e5aeefc7b02272e00a4e9d84820
Instruction ID: ec5ee1ccb8f17c17ee0384ac2366a6315c208ea7ef3324bc6873fd0816eb2e03
Opcode Fuzzy Hash: 65fc68f1acf15b9a0955130e8296dff7cc425e5aeefc7b02272e00a4e9d84820
Instruction Fuzzy Hash: 78D0A7319526109BC3505F70BD0CD5E3EBCFB2C3017004011F900D21D0EB740508DE59

Function 004F38AD Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5591e41c9eceefc952ae9942f8430ce9f2e37131391563b0de75f8a9a7319fc1
Instruction ID: 834e085733850ad07d7eeddc470d81ac2725790192e49c164b09e0e34c7958f4
Opcode Fuzzy Hash: 5591e41c9eceefc952ae9942f8430ce9f2e37131391563b0de75f8a9a7319fc1
Instruction Fuzzy Hash: D6B12770E0428DAFCF11DFAAC850BBE7BB1AF15306F14019AE640A7382C7799E45CB59

Function 004D5640 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 352COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D589C
Concurrency::cancel_current_task.LIBCPMT ref: 004D5A5B

Strings

false, xrefs: 004D56CC, 004D56E7, 004D572D, 004D5748, 004D58E9, 004D58F7, 004D593D, 004D5958
,, xrefs: 004D585C
true, xrefs: 004D5784, 004D5797, 004D57DD, 004D57F8, 004D5994, 004D59A7, 004D59ED, 004D5A08

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_strlen
String ID: ,$false$true
API String ID: 575380510-760133229
Opcode ID: 9fff70a2064ffce0019ad1b38ebc23adabc4c58ff5a4e4c4ee5c15c805af5dcc
Instruction ID: c405599d8f821fb38a2efd3ff1dc16b5b67ab5774a5557cec8fa61a1fe221a48
Opcode Fuzzy Hash: 9fff70a2064ffce0019ad1b38ebc23adabc4c58ff5a4e4c4ee5c15c805af5dcc
Instruction Fuzzy Hash: 18C1B1B15043059FD310AF65CC95B6BB6E8EF94308F04492EF9898B382F779D918CB96

Function 004E9664 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E965B,004DEBD7,004DD9C8), ref: 004E9672
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E9680
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E9699
SetLastError.KERNEL32(00000000,004E965B,004DEBD7,004DD9C8), ref: 004E96EB

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 366b9d4e237a265d9232ec46113aa84601750b06a8d58d873d1ef9a851fe938f
Instruction ID: 79a6681a3aaebdda7060e70a029f4f1f72bf1998f5da09738d22b72759ea72ca
Opcode Fuzzy Hash: 366b9d4e237a265d9232ec46113aa84601750b06a8d58d873d1ef9a851fe938f
Instruction Fuzzy Hash: F5012432208752AEE7103B77AC86A6F2764EB213BB724032FF211501F0EF998C25A14C

Function 004E9F2C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004EA04B
CallUnexpected.LIBVCRUNTIME ref: 004EA2C4

Strings

csm, xrefs: 004E9FD6
csm, xrefs: 004E9F69
csm, xrefs: 004EA082

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: f88c2c7eb8b4f71642b00808e42c3363ea120c55e9ca52bbdf9df5d0940924df
Instruction ID: 7e3f3089b1ef9d684b9cddac97becea2541cc02f3b9076c2d79f7f67397e8dab
Opcode Fuzzy Hash: f88c2c7eb8b4f71642b00808e42c3363ea120c55e9ca52bbdf9df5d0940924df
Instruction Fuzzy Hash: 92B18D31C00289DFCF14DFA6C98099EB7B5BF14306F14459BE8146B351D739E961CB9A

Function 004D3BE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D3BFC
std::_Lockit::_Lockit.LIBCPMT ref: 004D3C1A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D3C3C
std::_Lockit::~_Lockit.LIBCPMT ref: 004D3CAA

Strings

ios_base::badbit set, xrefs: 004D3BE2

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: 72fb6970c24c2a8b461c502f4c4721957db4a3e38a4d21080324ab86dd32b272
Instruction ID: 833351e73a026d1a4a209451a10d2f22f0deb905346cc7bec211e3da36f1a86a
Opcode Fuzzy Hash: 72fb6970c24c2a8b461c502f4c4721957db4a3e38a4d21080324ab86dd32b272
Instruction Fuzzy Hash: F321B172D182089FC710EF15E965A1A73A0FF68B25F01455FE4889B361D738BE04CB8A

Function 004DA5A6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DA5AD
std::_Lockit::_Lockit.LIBCPMT ref: 004DA5BA
std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

Part of subcall function 004D9CA8: _Yarn.LIBCPMT ref: 004D9CC8
Part of subcall function 004D9CA8: _Yarn.LIBCPMT ref: 004D9CEC

Strings

bad locale name, xrefs: 004DA608

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: 8e80b54d846ba5ddfd740659dcd73b86b9ea1bf7ee6e49a86be17ab4b0b98cbc
Instruction ID: a3206799f8dd7c3f3a8112cf502654f10f8f66f3db19b40f3b98854b1c5c2e21
Opcode Fuzzy Hash: 8e80b54d846ba5ddfd740659dcd73b86b9ea1bf7ee6e49a86be17ab4b0b98cbc
Instruction Fuzzy Hash: 8C118BB0804748DEC720DF6AD59168ABBE0FF28304F50896FE0CAC3741D774AA44CB9A

Function 004E40E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,29CDBBBE,?,?,00000000,004FAD7A,000000FF,?,004E41AA,00000002,?,004E4246,004E6EA9), ref: 004E411E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004E4130
FreeLibrary.KERNEL32(00000000,?,?,00000000,004FAD7A,000000FF,?,004E41AA,00000002,?,004E4246,004E6EA9), ref: 004E4152

Strings

mscoree.dll, xrefs: 004E4117
CorExitProcess, xrefs: 004E4128

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: be5589ccf3ffbaf248a3360e6d5ffba5e7d9f6776507183c432b24b79858d1e8
Instruction ID: 96eb287af4ee36dad4ef6f52b5713cbbba30be64d725792d2c19bad78f192aa2
Opcode Fuzzy Hash: be5589ccf3ffbaf248a3360e6d5ffba5e7d9f6776507183c432b24b79858d1e8
Instruction Fuzzy Hash: 7401D631950659EFDF118F50DC09FAEBBBCFB54B11F004526F811A27E0DB789904DA90

Function 004EC086 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004EC10B
__alloca_probe_16.LIBCMT ref: 004EC1D4
__freea.LIBCMT ref: 004EC23B

Part of subcall function 004EA8D1: RtlAllocateHeap.NTDLL(00000000,004EC8AA,?,?,004EC8AA,00000220,?,00000000,?), ref: 004EA903

__freea.LIBCMT ref: 004EC24E
__freea.LIBCMT ref: 004EC25B

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: a40e3d0bd34d020f0b5175294d95be750faebf79d30c54c2bf7ba5fd201e8bb4
Instruction ID: 98057bf85edbb97f4d94ca61a1cc1f523d02292a13bff8914470264a3e45d381
Opcode Fuzzy Hash: a40e3d0bd34d020f0b5175294d95be750faebf79d30c54c2bf7ba5fd201e8bb4
Instruction Fuzzy Hash: 2751F572E00286AFDB105FA7CCC1DBB36A9EF84715B15056BFE04D6201E738DC1286A9

Function 004DB857 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DB85E
std::_Lockit::_Lockit.LIBCPMT ref: 004DB868
int.LIBCPMT ref: 004DB87F

Part of subcall function 004DA613: std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
Part of subcall function 004DA613: std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

codecvt.LIBCPMT ref: 004DB8A2
std::_Lockit::~_Lockit.LIBCPMT ref: 004DB8D9

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: c00f9634d97b92b6f428b9e7995bcc9c7122a10d0af2149891f601ee3ed62154
Instruction ID: 0314ca5857c23f5e5906fb74e7ac9059b542a5a51faec101cf5bb51a6d6682b8
Opcode Fuzzy Hash: c00f9634d97b92b6f428b9e7995bcc9c7122a10d0af2149891f601ee3ed62154
Instruction Fuzzy Hash: E001ED31C04119CBCB04BB6189656AEB7A9BF84328F16484FF401AB381CF78AE01DBD9

Function 004D9ECE Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004D9ED5
std::_Lockit::_Lockit.LIBCPMT ref: 004D9EE0
std::_Lockit::~_Lockit.LIBCPMT ref: 004D9F4E

Part of subcall function 004D9DA2: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004D9DBA

std::locale::_Setgloballocale.LIBCPMT ref: 004D9EFB
_Yarn.LIBCPMT ref: 004D9F11

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: a3219344283142d24c1774fa747649790e52101e0944aefaa05d43131c309a02
Instruction ID: 7185d0491d62a96b4981d45e619889ae3316b989c8be240ec02982a0e1549876
Opcode Fuzzy Hash: a3219344283142d24c1774fa747649790e52101e0944aefaa05d43131c309a02
Instruction Fuzzy Hash: 7901DF75A041149BD706EB21D86553D7BA5FF98344B14804FE801E7381CF38BE06DBD9

Function 004D5D40 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 483COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 004D605C
_strcspn.LIBCMT ref: 004D6081

Strings

invalid string position, xrefs: 004D5FD0
., xrefs: 004D6066

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: _strcspn
String ID: .$invalid string position
API String ID: 3709121408-2424062830
Opcode ID: 4fa6dd832b894ba76cd29f946fdbd9fbcbb4a7da128f71668c833914e553e16f
Instruction ID: 1c47b095e18aaf71a2b22e41f4180f87f4479f17ecb29a26de0985dbd63d3ccd
Opcode Fuzzy Hash: 4fa6dd832b894ba76cd29f946fdbd9fbcbb4a7da128f71668c833914e553e16f
Instruction Fuzzy Hash: DD02B2746083449FC714DF28C494A2AB7E1FF85304F158A6FF8958B362EB78E945CB86

Function 004D22C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D22DA

Strings

ios_base::failbit set, xrefs: 004D2669
ios_base::badbit set, xrefs: 004D2674, 004D2692
ios_base::eofbit set, xrefs: 004D2664

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 76d1e9d265353f2f271900ea635b6f5cf9d1a7be56a6b6b58651b4f84bfd2ef9
Instruction ID: 3e393f43acf251227d6531daafd93ce3f0fe6f0e306b9ab8d8b17bb4f58b5303
Opcode Fuzzy Hash: 76d1e9d265353f2f271900ea635b6f5cf9d1a7be56a6b6b58651b4f84bfd2ef9
Instruction Fuzzy Hash: 51C1AE352047019FC714CF29C5A0B6AB7E1FF98318F55866EE8998B3A1C779EC42CB85

Function 004EF2D6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(?,?,004E3FBA,00504C30,0000000C), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000), ref: 004EABC9

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,004E46FA,?,?,?,00000055,?,-00000050,?,?,?), ref: 004EF395
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,004E46FA,?,?,?,00000055,?,-00000050,?,?), ref: 004EF3CC

Strings

utf8, xrefs: 004EF49E
l#P, xrefs: 004EF349

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: l#P$utf8
API String ID: 943130320-809511986
Opcode ID: 1369d60ad8b124eed8d14c5efc0676904de1ad6493e09d32d73a4f33c69b861d
Instruction ID: eefbfebe0c0ac94f196a4656db8ed60cd4dc683e1dd1007efc6304fb651f0396
Opcode Fuzzy Hash: 1369d60ad8b124eed8d14c5efc0676904de1ad6493e09d32d73a4f33c69b861d
Instruction Fuzzy Hash: DF512731600381AAE725AB738C42BB773A8EF14706F10057BF949972C1F77CDA4886AD

Function 004F5521 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004F55BD,00000000,?,00508370,?,?,?,004F54F4,00000004,InitializeCriticalSectionEx,004FE634,004FE63C), ref: 004F552E
GetLastError.KERNEL32(?,004F55BD,00000000,?,00508370,?,?,?,004F54F4,00000004,InitializeCriticalSectionEx,004FE634,004FE63C,00000000,?,004EA57C), ref: 004F5538
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004F5560

Strings

api-ms-, xrefs: 004F5545

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: eaf09f64c9ed4b3fbaec368ed8c3fee1adcde0704df755d449351db2f3d9ff47
Instruction ID: 2c82e5a2dc7bb67bbf91691d6bc1d976ab8ce26de08bd51d35cc59c1bb1f0e76
Opcode Fuzzy Hash: eaf09f64c9ed4b3fbaec368ed8c3fee1adcde0704df755d449351db2f3d9ff47
Instruction Fuzzy Hash: E8E04830680749B7DF101B51EC06B6D3F699B20BD1F144021FB0CA85E0D7699A949648

Function 004F28CA Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(29CDBBBE,00000000,00000000,?), ref: 004F292D

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004F2B7F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004F2BC5
GetLastError.KERNEL32 ref: 004F2C68

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: fc05a0dfd2906aba58896a4ad84168b0f3810e646aa8cbc71e6bb6587a5ecc34
Instruction ID: 71f50736f6256c1ce60e59de0d3c518011dae2667852a463323cd04d6762bb00
Opcode Fuzzy Hash: fc05a0dfd2906aba58896a4ad84168b0f3810e646aa8cbc71e6bb6587a5ecc34
Instruction Fuzzy Hash: F5D19CB1D0028C9FCF15CFE8C980AAEBBB4FF09304F24452AE956EB351D674A945CB54

Function 004E9C53 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004E9D1A
___AdjustPointer.LIBCMT ref: 004E9D3D
___AdjustPointer.LIBCMT ref: 004E9DD9

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9f299138cbcf58831b2ce81aa8c56f0f4c9004b3694ac671c479c7714f8e997d
Instruction ID: 21702aa65f9150ef87bf89c23691497beca8a7ded748fcc2cc567a92823b717d
Opcode Fuzzy Hash: 9f299138cbcf58831b2ce81aa8c56f0f4c9004b3694ac671c479c7714f8e997d
Instruction Fuzzy Hash: 9651F272A00696AFDB249F53C851FAA77A4FF44702F24452FE8064B3D1E739AC80C798

Function 004D2850 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D286C
std::_Lockit::_Lockit.LIBCPMT ref: 004D288A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D28AC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D291A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: bbae28f5c1d10000a275ba00477482583579f7fdec611fdc13a2b70ef1b05ffc
Instruction ID: 0cb0cb124828834ae06ad3e97a864ae428ab330123247085ae99d2d51ac607da
Opcode Fuzzy Hash: bbae28f5c1d10000a275ba00477482583579f7fdec611fdc13a2b70ef1b05ffc
Instruction Fuzzy Hash: 9F21AD71E082049FC710FF26E965A2A73E0FF68724F05859FE4888B361D778AD04DB96

Function 004D6AF0 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D6B0C
std::_Lockit::_Lockit.LIBCPMT ref: 004D6B2A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D6B4C
std::_Lockit::~_Lockit.LIBCPMT ref: 004D6BBA

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 1c9965bb68dc84afa6ca3fcb01c44be975c78a4f30105ce4b1eea434f478b723
Instruction ID: e1a87bc51bf09d7aefbe52b3a92406c7b8f3c596f091787d02c9ed966d70cdac
Opcode Fuzzy Hash: 1c9965bb68dc84afa6ca3fcb01c44be975c78a4f30105ce4b1eea434f478b723
Instruction Fuzzy Hash: 21218071D082149FC710EF59E865A1A73E4EF68724F06445FE4888B3A1D738BD44CBC6

Function 004D8290 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D82AC
std::_Lockit::_Lockit.LIBCPMT ref: 004D82CA
std::_Lockit::~_Lockit.LIBCPMT ref: 004D82EC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D835A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: dcad6fd11ac2ba3c51cdd49748b3c2be8cafc507be638897d94e0857c075e9be
Instruction ID: a7d560f3c58d3edeb85c4c1b829ec8640c9d26fb777af1295dc7d863f5ac73db
Opcode Fuzzy Hash: dcad6fd11ac2ba3c51cdd49748b3c2be8cafc507be638897d94e0857c075e9be
Instruction Fuzzy Hash: 102171719042049FC714EF19E869A2E77E0FF58714F45855FE8988B361EB39BD04CB8A

Function 004D8380 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D839C
std::_Lockit::_Lockit.LIBCPMT ref: 004D83BA
std::_Lockit::~_Lockit.LIBCPMT ref: 004D83DC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D844A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: fa4c76d5e51b488bd58e03c0a0842bfca9d78425f776154a151d6dc48e83021b
Instruction ID: d463aacbcf180bd3b40ff6f9db1108d6ec03ad28821db689bdd8a13efa992cb4
Opcode Fuzzy Hash: fa4c76d5e51b488bd58e03c0a0842bfca9d78425f776154a151d6dc48e83021b
Instruction Fuzzy Hash: AF2182719043159FC711EF19E8A5A2A73E0EF58724F05845FE8888B351EB78BD04CB96

Function 004D5460 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D547C
std::_Lockit::_Lockit.LIBCPMT ref: 004D549A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D54BC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D552A

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 22896b99e5b5af9b18b9b46179b3ab2035994cae5bf6cae43e9f51350c6213fd
Instruction ID: e2837ab736cad96ae1924900bc507013a20044c648ea352a47c75c66871449ef
Opcode Fuzzy Hash: 22896b99e5b5af9b18b9b46179b3ab2035994cae5bf6cae43e9f51350c6213fd
Instruction Fuzzy Hash: 3821DD71D08604AFC711EF19E965A1A73A0EF68324F01849FE4988B361DB38BD44CB8A

Function 004F06F6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

GetLastError.KERNEL32 ref: 004F075A
__dosmaperr.LIBCMT ref: 004F0761
GetLastError.KERNEL32 ref: 004F079B
__dosmaperr.LIBCMT ref: 004F07A2

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 65f5dba58660caa93bb6877484e754eb20db9c9cd0ab4f38dcee25668a2cc970
Instruction ID: 1082dc44f2f3e471ceb9a39e95514d89e1e044c9f44c16bd1272abf1fd8bbcb7
Opcode Fuzzy Hash: 65f5dba58660caa93bb6877484e754eb20db9c9cd0ab4f38dcee25668a2cc970
Instruction Fuzzy Hash: D521D671600249AF8B20BF62DC8083BB7E9EF90368750455EFA1597252D738FC40CF99

Function 004E0C62 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75860d00cd783ff0ccc9385787d4ceef468cd22a07bac2f2dede68381ea728b3
Instruction ID: 7072d655e4d89b4abc44a7b3e2f29fa2a06479ab28adea3161c317b1f09520f6
Opcode Fuzzy Hash: 75860d00cd783ff0ccc9385787d4ceef468cd22a07bac2f2dede68381ea728b3
Instruction Fuzzy Hash: 6F210471200289AFDB10AFE7CC40C2B77A9EF1036A720461AF935D3241EBB8FC808759

Function 004F1AEC Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004F1AF4

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F1B2C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F1B4C

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 069fdc7563c3885a8d077f7df02cbe31d974bb56a8b0556ad13d72631ea86ffa
Instruction ID: 4dc4e797f4423d73b689ffdea6501ab0cd87fcd4da7560da5e3194c8fdaac893
Opcode Fuzzy Hash: 069fdc7563c3885a8d077f7df02cbe31d974bb56a8b0556ad13d72631ea86ffa
Instruction Fuzzy Hash: 2F1104E1A00649FEA71127739C8AC7F699CDEA53A9710012AF60191211FE78AE02967A

Function 004DCB2A Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DCB31
std::_Lockit::_Lockit.LIBCPMT ref: 004DCB3B
int.LIBCPMT ref: 004DCB52

Part of subcall function 004DA613: std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
Part of subcall function 004DA613: std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

std::_Lockit::~_Lockit.LIBCPMT ref: 004DCBAC

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 70eb3cbba3245cd055eeb35abeb2c9fc1d75b4797798b9df16fff1380ff95c16
Instruction ID: b58540ce8f42e61d2f473db64540728e367d6cb40ef280ed45c03d191be22e5e
Opcode Fuzzy Hash: 70eb3cbba3245cd055eeb35abeb2c9fc1d75b4797798b9df16fff1380ff95c16
Instruction Fuzzy Hash: D511A031D0411A8BCB04EB61D96566DB761AF44718F25444FE401AB381CB78BE01DB99

Function 004F99D0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000), ref: 004F99E7
GetLastError.KERNEL32(?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?,?,?,004F2602,00000000), ref: 004F99F3

Part of subcall function 004F9A44: CloseHandle.KERNEL32(FFFFFFFE,004F9A03,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?,?), ref: 004F9A54

___initconout.LIBCMT ref: 004F9A03

Part of subcall function 004F9A25: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004F99C1,004F8EAC,?,?,004F2CBC,?,00000000,00000000,?), ref: 004F9A38

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?), ref: 004F9A18

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4073fb452acc2bf39f5868661c05f3178dd435da1111e5847a2e4d3732fa01cc
Instruction ID: 5b20afe49dfc811936039094a1e03a836322697f68d661982be1e10f18d9c5ea
Opcode Fuzzy Hash: 4073fb452acc2bf39f5868661c05f3178dd435da1111e5847a2e4d3732fa01cc
Instruction Fuzzy Hash: 01F01C36D00269BBCF262F95EC08A9E3F66FB587A0F044015FA0985170C6368D64EB94

Function 004DE5C7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004DE5D9
GetCurrentThreadId.KERNEL32 ref: 004DE5E8
GetCurrentProcessId.KERNEL32 ref: 004DE5F1
QueryPerformanceCounter.KERNEL32(?), ref: 004DE5FE

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e791756b3b835d30100d40df8863e0a0c4f9212e42eb2cdf9db7e05af165db5b
Instruction ID: b2c2be6856f36e684330460313926b85f6fe7bbb3a15333f1ea7ee41e01aad43
Opcode Fuzzy Hash: e791756b3b835d30100d40df8863e0a0c4f9212e42eb2cdf9db7e05af165db5b
Instruction Fuzzy Hash: 02F06274D1020EEFCB00DBB4D94999EBBF8FF2C204BA18596E412E7110EB34AB489B50

Function 004EA350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004EA251,?,?,00000000,00000000,00000000,?), ref: 004EA375

Strings

MOC, xrefs: 004EA387
RCC, xrefs: 004EA38F

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4c1c640daf646ccf0d944efa5bdd5084f413ed60497adabc381132e46943e97f
Instruction ID: 76aa1d119a09cf2ea172580756707885b07dd5e2675ba515b66e6f148c651277
Opcode Fuzzy Hash: 4c1c640daf646ccf0d944efa5bdd5084f413ed60497adabc381132e46943e97f
Instruction Fuzzy Hash: C441CC71900249EFCF05DF95CC85AAEBBB2BF48305F18809AF90467251D379AA60CB56

Function 004E9BBC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004E9E33

Strings

csm, xrefs: 004E9EC6
csm, xrefs: 004E9E55

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 5e8fd7fc69c334e9c479dbaf2c414cdd10093a594edb8fdbc2b1c2706f2c3d10
Instruction ID: 2fff2e28982cbe03e5135a1c58c0c7653755bd32ac21780e01a49e1b56fee4b5
Opcode Fuzzy Hash: 5e8fd7fc69c334e9c479dbaf2c414cdd10093a594edb8fdbc2b1c2706f2c3d10
Instruction Fuzzy Hash: 9E31C632400295EBCF268F56C8449AB7B65FF09317B14415BF944893E1C37BDC61DB8A

Function 004D2A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D2A96
__Getctype.LIBCPMT ref: 004D2B0A

Strings

ios_base::badbit set, xrefs: 004D2A42

Memory Dump Source

Source File: 00000000.00000002.1656737797.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.1656723785.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656758493.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656828669.0000000000506000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656841280.0000000000507000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656855222.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656890128.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_file.jbxd

Similarity

API ID: GetctypeLockitLockit::_std::_
String ID: ios_base::badbit set
API String ID: 2423992667-3882152299
Opcode ID: a57528cc6a56caf26033d6bea94796e8fd382b21b337ceaa0fa3fa1e055309b9
Instruction ID: fc5bc6bfb278557a67acd9047ff0110d3beaaad5ef072457ce59ad4125677f90
Opcode Fuzzy Hash: a57528cc6a56caf26033d6bea94796e8fd382b21b337ceaa0fa3fa1e055309b9
Instruction Fuzzy Hash: DF31B1B19087848BE3109F25C96531BBBE4AFE5708F04491EF5884B342E7B9E948C7D7

Analysis Process: file.exePID: 7596, Parent PID: 7536COMMON

Non-executed Functions

Function 004EFBD2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(00000000,?,004ECF02), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000,?,?,00000028,004E6E76), ref: 004EABC9

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 004EFCDA
IsValidCodePage.KERNEL32(00000000), ref: 004EFD18
IsValidLocale.KERNEL32(?,00000001), ref: 004EFD2B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004EFD73
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004EFD8E

Strings

l#P, xrefs: 004EFC87

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: l#P
API String ID: 415426439-1800326595
Opcode ID: a1861d705af97808363bc61a397296e2ef3724fd7f1be81beb54b9c9fc57f766
Instruction ID: ce4b18558ad0d64a82ced7387e9eb64745ec203032d77ddc893cf4bc2ac60374
Opcode Fuzzy Hash: a1861d705af97808363bc61a397296e2ef3724fd7f1be81beb54b9c9fc57f766
Instruction Fuzzy Hash: 62519072A00249AFDB10DFA6CC41ABF77B8FF44706F24447AE901E7291E7789908CB65

Function 004D1B70 Relevance: 9.3, APIs: 6, Instructions: 267filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D1000: _strlen.LIBCMT ref: 004D1067

GetFileSize.KERNEL32(00000000,00000000), ref: 004D1BE1
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004D1C07
CloseHandle.KERNEL32(00000000), ref: 004D1C16
_strlen.LIBCMT ref: 004D1C84
CloseHandle.KERNEL32(00000000), ref: 004D1E83
PostQuitMessage.USER32(00000000), ref: 004D1EE0

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: CloseFileHandle_strlen$MessagePostQuitReadSize
String ID:
API String ID: 2365707584-0
Opcode ID: bb85169f50c0897420890ef9e76b684ff2a0ccf385b788e5aa32ea03ff6e6966
Instruction ID: 7cadcb260add03fe49041223ccef2ab87c15e9b75fd104b2f2366021b5fdcbcf
Opcode Fuzzy Hash: bb85169f50c0897420890ef9e76b684ff2a0ccf385b788e5aa32ea03ff6e6966
Instruction Fuzzy Hash: D7912372904340ABC314DF24C89562FBBE5AF89754F154A2FFC858B361E738E944CB96

Function 004F0337 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004EFD08,00000002,00000000,?,?,?,004EFD08,?,00000000), ref: 004F03D0
GetLocaleInfoW.KERNEL32(?,20001004,004EFD08,00000002,00000000,?,?,?,004EFD08,?,00000000), ref: 004F03F9
GetACP.KERNEL32(?,?,004EFD08,?,00000000), ref: 004F040E

Strings

OCP, xrefs: 004F038B
ACP, xrefs: 004F0355

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 943cd613a3563592843a9c7c40b2e502c479e5eace1e6ef5bcebafb68014d120
Instruction ID: 5f77635c8746760a29e780d5830b107825f1fb040d4ca317ce7c93392dccf44d
Opcode Fuzzy Hash: 943cd613a3563592843a9c7c40b2e502c479e5eace1e6ef5bcebafb68014d120
Instruction Fuzzy Hash: 8421B832A0020DABD734CF14C901ABB72A6BBD4B54B568066EF0AD7313E73ADE41C358

Function 004E8900 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c833190d3595b4907967d4d4129b7b381ff8ffd123d7f024cd91791e4d9d99b7
Instruction ID: 7a67c928a3a5b2c864619efe98099dc247a5fad8c2934f916dfe398de8b12193
Opcode Fuzzy Hash: c833190d3595b4907967d4d4129b7b381ff8ffd123d7f024cd91791e4d9d99b7
Instruction Fuzzy Hash: 6E026E71E012199FDF14CFAAC980AAEB7F1FF48315F24826ED519A7380DB35A9418B94

Function 004F0919 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F0A09

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0b3e827810410a46a2f65b1a2031089f320c01a12bf8efaf4a2eac04bcc43609
Instruction ID: d9dc6fef9d33c02b3cb444f2424ae5403a13f5415411999f2b64bce99a55974a
Opcode Fuzzy Hash: 0b3e827810410a46a2f65b1a2031089f320c01a12bf8efaf4a2eac04bcc43609
Instruction Fuzzy Hash: 0071E471D0515C9FDF21EF25CC89ABFB7B8AB85304F1441DAE14CA7212EA389E859F18

Function 004DD86F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004DD87B
IsDebuggerPresent.KERNEL32 ref: 004DD947
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004DD960
UnhandledExceptionFilter.KERNEL32(?), ref: 004DD96A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5819163b054a0354deb45f7c8ceaf0286493d02ae59361256d8fd480c38ebda6
Instruction ID: 45d45fac9f0a06987dfc74c320387214959da5c255caf7e4a4d3146c13fe5f29
Opcode Fuzzy Hash: 5819163b054a0354deb45f7c8ceaf0286493d02ae59361256d8fd480c38ebda6
Instruction Fuzzy Hash: E43116B5D012199BDF21EFA5D8497CDBBB8AF08300F1041AAE40CAB250EB759B85DF44

Function 004D1F20 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 118windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004D1F53
RegisterClassW.USER32(?), ref: 004D1F6A
CreateWindowExW.USER32 ref: 004D1FCA
GetLastError.KERNEL32 ref: 004D1FD4
GetMessageW.USER32(Christmas Balls,00000000,00000000,00000000), ref: 004D2000
GetMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004D203D

Strings

Keep low..., xrefs: 004D2052
Christmas Balls, xrefs: 004D1F5D, 004D1FBB, 004D1FFF
CreatingTool, xrefs: 004D1FB3
[err id]: %i, xrefs: 004D1FDB

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Message$ClassCreateErrorHandleLastModuleRegisterWindow
String ID: Christmas Balls$CreatingTool$Keep low...$[err id]: %i
API String ID: 91802587-478130180
Opcode ID: e0129692006e326685cda9f83a09f84596f4608c64bec456b76763be015a9029
Instruction ID: 94a858674adb55cddd229718e6f0c19d5068655d508dc77f914862f91065491f
Opcode Fuzzy Hash: e0129692006e326685cda9f83a09f84596f4608c64bec456b76763be015a9029
Instruction Fuzzy Hash: 14418170A143419FD300DF25C955B2BB7E4BF99704F00851EF98997390DBB9D944CB56

Function 004D20D0 Relevance: 13.6, APIs: 9, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004D20E8
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004D20F9
GetCurrentThreadId.KERNEL32 ref: 004D214A

Part of subcall function 004DD0B6: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 004DD0C2
Part of subcall function 004DD0B6: GetExitCodeThread.KERNEL32(?,?), ref: 004DD0DB
Part of subcall function 004DD0B6: CloseHandle.KERNEL32(?), ref: 004DD0ED

Part of subcall function 004E3E7D: CreateThread.KERNEL32(?,?,004E3F95,00000000,?,?), ref: 004E3EC6
Part of subcall function 004E3E7D: GetLastError.KERNEL32 ref: 004E3ED2
Part of subcall function 004E3E7D: __dosmaperr.LIBCMT ref: 004E3ED9

GetCurrentThreadId.KERNEL32 ref: 004D21AF
std::_Throw_Cpp_error.LIBCPMT ref: 004D21E9
std::_Throw_Cpp_error.LIBCPMT ref: 004D21F0
std::_Throw_Cpp_error.LIBCPMT ref: 004D21F7
std::_Throw_Cpp_error.LIBCPMT ref: 004D2204
std::_Throw_Cpp_error.LIBCPMT ref: 004D2213

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFileLastNameObjectSingleWait__dosmaperr
String ID:
API String ID: 686914455-0
Opcode ID: 6be9552521179d6d60e030523b70db402c41edddc46df9da070a6f9aeb656575
Instruction ID: 9d1bc49ec1a248935437e9771ca860e04de8cd8d151177fe9463666e0fabe6d3
Opcode Fuzzy Hash: 6be9552521179d6d60e030523b70db402c41edddc46df9da070a6f9aeb656575
Instruction Fuzzy Hash: 6331D5B1A043016AE7206F658C27B5F76A4AF54B04F01441FFA48AB3C1EABC9910D79B

Function 004F9712 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,004F96FD,?,?,?,?,?,?,?,?,?,?), ref: 004F97B8
__alloca_probe_16.LIBCMT ref: 004F9873
__alloca_probe_16.LIBCMT ref: 004F9902
__freea.LIBCMT ref: 004F994D
__freea.LIBCMT ref: 004F9953
__freea.LIBCMT ref: 004F9989
__freea.LIBCMT ref: 004F998F
__freea.LIBCMT ref: 004F999F

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: b7808db50c4d8e58067dbd2426e47748ddbfb46f48d4d9362d117fa765546c79
Instruction ID: 2653b88461410703b8ec8a0278e8e91a9ea7f823ca3dd921f0424039c536fed6
Opcode Fuzzy Hash: b7808db50c4d8e58067dbd2426e47748ddbfb46f48d4d9362d117fa765546c79
Instruction Fuzzy Hash: 4171D4B290024D9BDF21AF658C81FBF7BE99F46314F16045FEA04A7382D67D9C018769

Function 004DDE85 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 004DDECC
__alloca_probe_16.LIBCMT ref: 004DDEF8
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 004DDF37
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004DDF54
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004DDF93
__alloca_probe_16.LIBCMT ref: 004DDFB0
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004DDFF2
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004DE015

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: caa1d006b98d197b44bfb07eeb27d1939883629713f7a4715a68e93d7b7f480d
Instruction ID: 9acb706b9dadf607f9dd85eddf3a002e2472b9f4346241b1cb12ddeba7757201
Opcode Fuzzy Hash: caa1d006b98d197b44bfb07eeb27d1939883629713f7a4715a68e93d7b7f480d
Instruction Fuzzy Hash: 2B51BE72A0021AABEF226F62CC55FAF7BA9EF44784F10442BF9119A350D779DD00DA58

Function 004ED7EB Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004ED871

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
Instruction ID: 8e434e28498b5da1d3ca9e04a7bef88bed10ad10942407e0b20ef0f6ff397b4e
Opcode Fuzzy Hash: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
Instruction Fuzzy Hash: C7B16772E042D59FDB15CF2ACC82BBF7BA5EF15311F15416BE904AB382D2789901C7A8

Function 004DEE00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004DEE37
___except_validate_context_record.LIBVCRUNTIME ref: 004DEE3F
_ValidateLocalCookies.LIBCMT ref: 004DEEC8
__IsNonwritableInCurrentImage.LIBCMT ref: 004DEEF3
_ValidateLocalCookies.LIBCMT ref: 004DEF48

Strings

csm, xrefs: 004DEEDD

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: eca5e426a676d1e88b05c199591afb58c2bd3c0692309fdd964c21e818a74649
Instruction ID: edf008cac518e75301adec57fe8b147d825304abfcba785acd0cd15d723bfab3
Opcode Fuzzy Hash: eca5e426a676d1e88b05c199591afb58c2bd3c0692309fdd964c21e818a74649
Instruction Fuzzy Hash: 8B41B530900219ABCF10EF6AC894A9F7BB5BF45314F14855BE8149F392C739EE15CB9A

Function 004DDD27 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(00506958,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004DDD3B
AcquireSRWLockExclusive.KERNEL32(00000008,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004DDD5A
AcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDD88
TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDDE3
TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,004FAD5D,000000FF,00000000,004D9652,?,?,?,?,?,?,00000000), ref: 004DDDFA

Strings

ios_base::badbit set, xrefs: 004DDD71

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: 163e38fef85f2da7c1b08a5ee7874fdbca20e448a08247a071ad7fb1076e709e
Instruction ID: 3fd0019473455825df63d5f01364a88ba6ee055b1fbb075b46ef526ba214cbf2
Opcode Fuzzy Hash: 163e38fef85f2da7c1b08a5ee7874fdbca20e448a08247a071ad7fb1076e709e
Instruction Fuzzy Hash: 8A414931E00A06DBCF20DF65C5A49AAB3B9FF29311B104A1BD456DB740D738EA45CB59

Function 004EB8B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,004EB9C1,004D34FA,?,00000000,004DA3DD,004D34FC,?,004EB596,00000022,FlsSetValue,004FE054,0P,004DA3DD), ref: 004EB973

Strings

api-ms-, xrefs: 004EB909
ext-ms-, xrefs: 004EB91D

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2d69ef865c7a822f7b483e87330438520a02d9ce9c9d9c77b8451d6148f61868
Instruction ID: d1f891c9d9298c337318924da5090913e32598822976f59b28bda8ba0dba909b
Opcode Fuzzy Hash: 2d69ef865c7a822f7b483e87330438520a02d9ce9c9d9c77b8451d6148f61868
Instruction Fuzzy Hash: 1B210571A01355F7C7219B26EC41A6F376CEF61761F140122EA51A73D1D738EE00D6E4

Function 004DB857 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DB85E
std::_Lockit::_Lockit.LIBCPMT ref: 004DB868
int.LIBCPMT ref: 004DB87F

Part of subcall function 004DA613: std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
Part of subcall function 004DA613: std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

codecvt.LIBCPMT ref: 004DB8A2
std::_Lockit::~_Lockit.LIBCPMT ref: 004DB8D9

Strings

pyP, xrefs: 004DB873

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID: pyP
API String ID: 3716348337-1042686473
Opcode ID: c00f9634d97b92b6f428b9e7995bcc9c7122a10d0af2149891f601ee3ed62154
Instruction ID: 0314ca5857c23f5e5906fb74e7ac9059b542a5a51faec101cf5bb51a6d6682b8
Opcode Fuzzy Hash: c00f9634d97b92b6f428b9e7995bcc9c7122a10d0af2149891f601ee3ed62154
Instruction Fuzzy Hash: E001ED31C04119CBCB04BB6189656AEB7A9BF84328F16484FF401AB381CF78AE01DBD9

Function 004DE13C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004DE142
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004DE150
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004DE161

Strings

GetTempPath2W, xrefs: 004DE156
kernel32.dll, xrefs: 004DE13D
GetSystemTimePreciseAsFileTime, xrefs: 004DE14A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 65fc68f1acf15b9a0955130e8296dff7cc425e5aeefc7b02272e00a4e9d84820
Instruction ID: ec5ee1ccb8f17c17ee0384ac2366a6315c208ea7ef3324bc6873fd0816eb2e03
Opcode Fuzzy Hash: 65fc68f1acf15b9a0955130e8296dff7cc425e5aeefc7b02272e00a4e9d84820
Instruction Fuzzy Hash: 78D0A7319526109BC3505F70BD0CD5E3EBCFB2C3017004011F900D21D0EB740508DE59

Function 004F38AD Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe82cb40342952d2f82e1ebf65d19abe7ec410c3f1d19441f2dd9c3fab08412
Instruction ID: 834e085733850ad07d7eeddc470d81ac2725790192e49c164b09e0e34c7958f4
Opcode Fuzzy Hash: cfe82cb40342952d2f82e1ebf65d19abe7ec410c3f1d19441f2dd9c3fab08412
Instruction Fuzzy Hash: D6B12770E0428DAFCF11DFAAC850BBE7BB1AF15306F14019AE640A7382C7799E45CB59

Function 004D5640 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 352COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D589C
Concurrency::cancel_current_task.LIBCPMT ref: 004D5A5B

Strings

false, xrefs: 004D56CC, 004D56E7, 004D572D, 004D5748, 004D58E9, 004D58F7, 004D593D, 004D5958
,, xrefs: 004D585C
true, xrefs: 004D5784, 004D5797, 004D57DD, 004D57F8, 004D5994, 004D59A7, 004D59ED, 004D5A08

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_strlen
String ID: ,$false$true
API String ID: 575380510-760133229
Opcode ID: 6dceb7d17b337375968f63e2f2014650583c4c12c700bc387075ed974fd2f512
Instruction ID: c405599d8f821fb38a2efd3ff1dc16b5b67ab5774a5557cec8fa61a1fe221a48
Opcode Fuzzy Hash: 6dceb7d17b337375968f63e2f2014650583c4c12c700bc387075ed974fd2f512
Instruction Fuzzy Hash: 18C1B1B15043059FD310AF65CC95B6BB6E8EF94308F04492EF9898B382F779D918CB96

Function 004E9664 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E965B,004DEBD7,004DD9C8), ref: 004E9672
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E9680
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E9699
SetLastError.KERNEL32(00000000,004E965B,004DEBD7,004DD9C8), ref: 004E96EB

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: db74212bd767a9f784cb615cafd36cdc2bb21f614eac970b704cfc71b18b3036
Instruction ID: 79a6681a3aaebdda7060e70a029f4f1f72bf1998f5da09738d22b72759ea72ca
Opcode Fuzzy Hash: db74212bd767a9f784cb615cafd36cdc2bb21f614eac970b704cfc71b18b3036
Instruction Fuzzy Hash: F5012432208752AEE7103B77AC86A6F2764EB213BB724032FF211501F0EF998C25A14C

Function 004E9F2C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004EA04B
CallUnexpected.LIBVCRUNTIME ref: 004EA2C4

Strings

csm, xrefs: 004E9F69
csm, xrefs: 004EA082
csm, xrefs: 004E9FD6

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 3782b00ff2bc5365c3a3ae51d58fd0d47da783409a2498ec23b8cae47a05041c
Instruction ID: 7e3f3089b1ef9d684b9cddac97becea2541cc02f3b9076c2d79f7f67397e8dab
Opcode Fuzzy Hash: 3782b00ff2bc5365c3a3ae51d58fd0d47da783409a2498ec23b8cae47a05041c
Instruction Fuzzy Hash: 92B18D31C00289DFCF14DFA6C98099EB7B5BF14306F14459BE8146B351D739E961CB9A

Function 004D3BE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D3BFC
std::_Lockit::_Lockit.LIBCPMT ref: 004D3C1A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D3C3C
std::_Lockit::~_Lockit.LIBCPMT ref: 004D3CAA

Strings

ios_base::badbit set, xrefs: 004D3BE2

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: 095269c943ac7083ed52c03f576591ce05307374d438f70298567265700e436b
Instruction ID: 833351e73a026d1a4a209451a10d2f22f0deb905346cc7bec211e3da36f1a86a
Opcode Fuzzy Hash: 095269c943ac7083ed52c03f576591ce05307374d438f70298567265700e436b
Instruction Fuzzy Hash: F321B172D182089FC710EF15E965A1A73A0FF68B25F01455FE4889B361D738BE04CB8A

Function 004DA5A6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DA5AD
std::_Lockit::_Lockit.LIBCPMT ref: 004DA5BA
std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

Part of subcall function 004D9CA8: _Yarn.LIBCPMT ref: 004D9CC8
Part of subcall function 004D9CA8: _Yarn.LIBCPMT ref: 004D9CEC

Strings

bad locale name, xrefs: 004DA608

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: 8e80b54d846ba5ddfd740659dcd73b86b9ea1bf7ee6e49a86be17ab4b0b98cbc
Instruction ID: a3206799f8dd7c3f3a8112cf502654f10f8f66f3db19b40f3b98854b1c5c2e21
Opcode Fuzzy Hash: 8e80b54d846ba5ddfd740659dcd73b86b9ea1bf7ee6e49a86be17ab4b0b98cbc
Instruction Fuzzy Hash: 8C118BB0804748DEC720DF6AD59168ABBE0FF28304F50896FE0CAC3741D774AA44CB9A

Function 004E40E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,004FAD7A,000000FF,?,004E41AA,004E4091,?,004E4246,00000000), ref: 004E411E
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,004FAD7A,000000FF,?,004E41AA,004E4091,?,004E4246,00000000), ref: 004E4130
FreeLibrary.KERNEL32(00000000,?,?,00000000,004FAD7A,000000FF,?,004E41AA,004E4091,?,004E4246,00000000), ref: 004E4152

Strings

CorExitProcess, xrefs: 004E4128
mscoree.dll, xrefs: 004E4117

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: be5589ccf3ffbaf248a3360e6d5ffba5e7d9f6776507183c432b24b79858d1e8
Instruction ID: 96eb287af4ee36dad4ef6f52b5713cbbba30be64d725792d2c19bad78f192aa2
Opcode Fuzzy Hash: be5589ccf3ffbaf248a3360e6d5ffba5e7d9f6776507183c432b24b79858d1e8
Instruction Fuzzy Hash: 7401D631950659EFDF118F50DC09FAEBBBCFB54B11F004526F811A27E0DB789904DA90

Function 004EC086 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004EC10B
__alloca_probe_16.LIBCMT ref: 004EC1D4
__freea.LIBCMT ref: 004EC23B

Part of subcall function 004EA8D1: HeapAlloc.KERNEL32(00000000,004DA3DD,004D34FA,?,004DECE1,004D34FC,004D34FA,?,?,?,004DA03F,004DA3DD,004D34FE,004D34FA,004D34FA,004D34FA), ref: 004EA903

__freea.LIBCMT ref: 004EC24E
__freea.LIBCMT ref: 004EC25B

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b65dfcd506934558d95e4b52ab6fb50d06873197fce08de70e42ddf3ce43cb2e
Instruction ID: 98057bf85edbb97f4d94ca61a1cc1f523d02292a13bff8914470264a3e45d381
Opcode Fuzzy Hash: b65dfcd506934558d95e4b52ab6fb50d06873197fce08de70e42ddf3ce43cb2e
Instruction Fuzzy Hash: 2751F572E00286AFDB105FA7CCC1DBB36A9EF84715B15056BFE04D6201E738DC1286A9

Function 004D9ECE Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004D9ED5
std::_Lockit::_Lockit.LIBCPMT ref: 004D9EE0
std::_Lockit::~_Lockit.LIBCPMT ref: 004D9F4E

Part of subcall function 004D9DA2: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004D9DBA

std::locale::_Setgloballocale.LIBCPMT ref: 004D9EFB
_Yarn.LIBCPMT ref: 004D9F11

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: a3219344283142d24c1774fa747649790e52101e0944aefaa05d43131c309a02
Instruction ID: 7185d0491d62a96b4981d45e619889ae3316b989c8be240ec02982a0e1549876
Opcode Fuzzy Hash: a3219344283142d24c1774fa747649790e52101e0944aefaa05d43131c309a02
Instruction Fuzzy Hash: 7901DF75A041149BD706EB21D86553D7BA5FF98344B14804FE801E7381CF38BE06DBD9

Function 004D5D40 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 483COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 004D605C
_strcspn.LIBCMT ref: 004D6081

Strings

invalid string position, xrefs: 004D5FD0
., xrefs: 004D6066

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: _strcspn
String ID: .$invalid string position
API String ID: 3709121408-2424062830
Opcode ID: 4fa6dd832b894ba76cd29f946fdbd9fbcbb4a7da128f71668c833914e553e16f
Instruction ID: 1c47b095e18aaf71a2b22e41f4180f87f4479f17ecb29a26de0985dbd63d3ccd
Opcode Fuzzy Hash: 4fa6dd832b894ba76cd29f946fdbd9fbcbb4a7da128f71668c833914e553e16f
Instruction Fuzzy Hash: DD02B2746083449FC714DF28C494A2AB7E1FF85304F158A6FF8958B362EB78E945CB86

Function 004D22C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D22DA

Strings

ios_base::eofbit set, xrefs: 004D2664
ios_base::badbit set, xrefs: 004D2674, 004D2692
ios_base::failbit set, xrefs: 004D2669

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: eabb908c907826fce91ca6a41377e5238a6d60fd9c1fe5976774e471920e073f
Instruction ID: 3e393f43acf251227d6531daafd93ce3f0fe6f0e306b9ab8d8b17bb4f58b5303
Opcode Fuzzy Hash: eabb908c907826fce91ca6a41377e5238a6d60fd9c1fe5976774e471920e073f
Instruction Fuzzy Hash: 51C1AE352047019FC714CF29C5A0B6AB7E1FF98318F55866EE8998B3A1C779EC42CB85

Function 004D14C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 248COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004D14DA

Strings

ios_base::eofbit set, xrefs: 004D1753
ios_base::badbit set, xrefs: 004D1763, 004D1781, 004D1AB3
ios_base::failbit set, xrefs: 004D1758

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 70fd4204dbafdad6f664a570c9701827df756aa345f4252368a69c951afcf1b8
Instruction ID: ff9a4ce690444fb269a08e251bce02af110424f78bd0582e3c1122aee792bbd7
Opcode Fuzzy Hash: 70fd4204dbafdad6f664a570c9701827df756aa345f4252368a69c951afcf1b8
Instruction Fuzzy Hash: 679172742042009FDB14DF29C4A4B26B7E2FF89314F18869EE9568F3A6D739EC45CB45

Function 004EF2D6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 004EAB23: GetLastError.KERNEL32(00000000,?,004ECF02), ref: 004EAB27
Part of subcall function 004EAB23: SetLastError.KERNEL32(00000000,?,?,00000028,004E6E76), ref: 004EABC9

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,004E46FA,?,?,?,00000055,?,-00000050,?,?,?), ref: 004EF395
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,004E46FA,?,?,?,00000055,?,-00000050,?,?), ref: 004EF3CC

Strings

utf8, xrefs: 004EF49E
l#P, xrefs: 004EF349

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: l#P$utf8
API String ID: 943130320-809511986
Opcode ID: 53751beddf0f29add30e4b8c9b0d0be749bb3d01af86c2fdb52d330de01dacd6
Instruction ID: eefbfebe0c0ac94f196a4656db8ed60cd4dc683e1dd1007efc6304fb651f0396
Opcode Fuzzy Hash: 53751beddf0f29add30e4b8c9b0d0be749bb3d01af86c2fdb52d330de01dacd6
Instruction Fuzzy Hash: DF512731600381AAE725AB738C42BB773A8EF14706F10057BF949972C1F77CDA4886AD

Function 004DCBC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(BB40E64E,ios_base::badbit set,?,?,?,00000000,004FAD5D,000000FF,00000000,004D9652), ref: 004DCBF2

Part of subcall function 004DCC88: std::_Throw_Cpp_error.LIBCPMT ref: 004DCCA9

Strings

@zP, xrefs: 004DCBED
XiP, xrefs: 004DCBF7
ios_base::badbit set, xrefs: 004DCBDB

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID: @zP$XiP$ios_base::badbit set
API String ID: 350343453-2396428632
Opcode ID: 989c7c921d9a475d8bf10e0dd208a6991e0799555f4fff343d403228bea3c566
Instruction ID: 79f0a00f3880f6d751f3a9ca53c8a6d37aa183114ebd6cc1d0418044e974354a
Opcode Fuzzy Hash: 989c7c921d9a475d8bf10e0dd208a6991e0799555f4fff343d403228bea3c566
Instruction Fuzzy Hash: 0811D031A106069FDB25DB15C8A1BABB3E5FF44B24F10052FE62A97780DB39AC00CB94

Function 004F5521 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004F55BD,00000000,?,00508370,?,?,?,004F54F4,00000004,InitializeCriticalSectionEx,004FE634,004FE63C), ref: 004F552E
GetLastError.KERNEL32(?,004F55BD,00000000,?,00508370,?,?,?,004F54F4,00000004,InitializeCriticalSectionEx,004FE634,004FE63C,00000000,?,004EA57C), ref: 004F5538
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004F5560

Strings

api-ms-, xrefs: 004F5545

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: eaf09f64c9ed4b3fbaec368ed8c3fee1adcde0704df755d449351db2f3d9ff47
Instruction ID: 2c82e5a2dc7bb67bbf91691d6bc1d976ab8ce26de08bd51d35cc59c1bb1f0e76
Opcode Fuzzy Hash: eaf09f64c9ed4b3fbaec368ed8c3fee1adcde0704df755d449351db2f3d9ff47
Instruction Fuzzy Hash: E8E04830680749B7DF101B51EC06B6D3F699B20BD1F144021FB0CA85E0D7699A949648

Function 004F28CA Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 004F292D

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004F2B7F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004F2BC5
GetLastError.KERNEL32 ref: 004F2C68

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c9797c7ac1608f2e6f186b7e748c04382d19968a191b626a2fba1c7b0eab8b71
Instruction ID: 71f50736f6256c1ce60e59de0d3c518011dae2667852a463323cd04d6762bb00
Opcode Fuzzy Hash: c9797c7ac1608f2e6f186b7e748c04382d19968a191b626a2fba1c7b0eab8b71
Instruction Fuzzy Hash: F5D19CB1D0028C9FCF15CFE8C980AAEBBB4FF09304F24452AE956EB351D674A945CB54

Function 004E9C53 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004E9D1A
___AdjustPointer.LIBCMT ref: 004E9D3D
___AdjustPointer.LIBCMT ref: 004E9DD9

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 75ee554351fe91715aa87224f2effc3fa475f2c05913598c8355fa2a528af027
Instruction ID: 21702aa65f9150ef87bf89c23691497beca8a7ded748fcc2cc567a92823b717d
Opcode Fuzzy Hash: 75ee554351fe91715aa87224f2effc3fa475f2c05913598c8355fa2a528af027
Instruction Fuzzy Hash: 9651F272A00696AFDB249F53C851FAA77A4FF44702F24452FE8064B3D1E739AC80C798

Function 004D2850 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D286C
std::_Lockit::_Lockit.LIBCPMT ref: 004D288A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D28AC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D291A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: b7f551833024216c352c84ef8d460e34b21c0a9fff57d9979e96d65696515ce2
Instruction ID: 0cb0cb124828834ae06ad3e97a864ae428ab330123247085ae99d2d51ac607da
Opcode Fuzzy Hash: b7f551833024216c352c84ef8d460e34b21c0a9fff57d9979e96d65696515ce2
Instruction Fuzzy Hash: 9F21AD71E082049FC710FF26E965A2A73E0FF68724F05859FE4888B361D778AD04DB96

Function 004D6AF0 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D6B0C
std::_Lockit::_Lockit.LIBCPMT ref: 004D6B2A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D6B4C
std::_Lockit::~_Lockit.LIBCPMT ref: 004D6BBA

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 0b83e36defab8530a9beb017d04967cc7279b17470bf5c61c4e4321192f631b8
Instruction ID: e1a87bc51bf09d7aefbe52b3a92406c7b8f3c596f091787d02c9ed966d70cdac
Opcode Fuzzy Hash: 0b83e36defab8530a9beb017d04967cc7279b17470bf5c61c4e4321192f631b8
Instruction Fuzzy Hash: 21218071D082149FC710EF59E865A1A73E4EF68724F06445FE4888B3A1D738BD44CBC6

Function 004D8290 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D82AC
std::_Lockit::_Lockit.LIBCPMT ref: 004D82CA
std::_Lockit::~_Lockit.LIBCPMT ref: 004D82EC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D835A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 4ba4bbfa3fe7cdd75acd68167e3baa96a11094225fab257e7c3711ed1ae7591c
Instruction ID: a7d560f3c58d3edeb85c4c1b829ec8640c9d26fb777af1295dc7d863f5ac73db
Opcode Fuzzy Hash: 4ba4bbfa3fe7cdd75acd68167e3baa96a11094225fab257e7c3711ed1ae7591c
Instruction Fuzzy Hash: 102171719042049FC714EF19E869A2E77E0FF58714F45855FE8988B361EB39BD04CB8A

Function 004D8380 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D839C
std::_Lockit::_Lockit.LIBCPMT ref: 004D83BA
std::_Lockit::~_Lockit.LIBCPMT ref: 004D83DC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D844A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 5bdc87d309066b3cc5307eab6e1c286671fcf9e1cf3198ecd60ceea690963bce
Instruction ID: d463aacbcf180bd3b40ff6f9db1108d6ec03ad28821db689bdd8a13efa992cb4
Opcode Fuzzy Hash: 5bdc87d309066b3cc5307eab6e1c286671fcf9e1cf3198ecd60ceea690963bce
Instruction Fuzzy Hash: AF2182719043159FC711EF19E8A5A2A73E0EF58724F05845FE8888B351EB78BD04CB96

Function 004D5460 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D547C
std::_Lockit::_Lockit.LIBCPMT ref: 004D549A
std::_Lockit::~_Lockit.LIBCPMT ref: 004D54BC
std::_Lockit::~_Lockit.LIBCPMT ref: 004D552A

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 74445aa25653af390b4e6d83a9b98a4c399784bcd7073995ee6287317dadaf50
Instruction ID: e2837ab736cad96ae1924900bc507013a20044c648ea352a47c75c66871449ef
Opcode Fuzzy Hash: 74445aa25653af390b4e6d83a9b98a4c399784bcd7073995ee6287317dadaf50
Instruction Fuzzy Hash: 3821DD71D08604AFC711EF19E965A1A73A0EF68324F01849FE4988B361DB38BD44CB8A

Function 004F06F6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 004F075A
__dosmaperr.LIBCMT ref: 004F0761
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 004F079B
__dosmaperr.LIBCMT ref: 004F07A2

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: ab4b5b41db4bd27165d644cc5ca155978cfd79cb2b207598a059a8f714e3635a
Instruction ID: 1082dc44f2f3e471ceb9a39e95514d89e1e044c9f44c16bd1272abf1fd8bbcb7
Opcode Fuzzy Hash: ab4b5b41db4bd27165d644cc5ca155978cfd79cb2b207598a059a8f714e3635a
Instruction Fuzzy Hash: D521D671600249AF8B20BF62DC8083BB7E9EF90368750455EFA1597252D738FC40CF99

Function 004E0C62 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bc732c6cfe4cc5c1f5f09e89add354da88c0c98bce6bf48b42cc8e38596a5f
Instruction ID: 7072d655e4d89b4abc44a7b3e2f29fa2a06479ab28adea3161c317b1f09520f6
Opcode Fuzzy Hash: 39bc732c6cfe4cc5c1f5f09e89add354da88c0c98bce6bf48b42cc8e38596a5f
Instruction Fuzzy Hash: 6F210471200289AFDB10AFE7CC40C2B77A9EF1036A720461AF935D3241EBB8FC808759

Function 004F1AEC Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004F1AF4

Part of subcall function 004EA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EC231,?,00000000,-00000008), ref: 004EAA42

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F1B2C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F1B4C

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 3e310244db88a23f2a5671a9add2601149b1cbc300cd4322aa75e1c52d3906fb
Instruction ID: 4dc4e797f4423d73b689ffdea6501ab0cd87fcd4da7560da5e3194c8fdaac893
Opcode Fuzzy Hash: 3e310244db88a23f2a5671a9add2601149b1cbc300cd4322aa75e1c52d3906fb
Instruction Fuzzy Hash: 2F1104E1A00649FEA71127739C8AC7F699CDEA53A9710012AF60191211FE78AE02967A

Function 004DCB2A Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DCB31
std::_Lockit::_Lockit.LIBCPMT ref: 004DCB3B
int.LIBCPMT ref: 004DCB52

Part of subcall function 004DA613: std::_Lockit::_Lockit.LIBCPMT ref: 004DA624
Part of subcall function 004DA613: std::_Lockit::~_Lockit.LIBCPMT ref: 004DA63E

std::_Lockit::~_Lockit.LIBCPMT ref: 004DCBAC

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 70eb3cbba3245cd055eeb35abeb2c9fc1d75b4797798b9df16fff1380ff95c16
Instruction ID: b58540ce8f42e61d2f473db64540728e367d6cb40ef280ed45c03d191be22e5e
Opcode Fuzzy Hash: 70eb3cbba3245cd055eeb35abeb2c9fc1d75b4797798b9df16fff1380ff95c16
Instruction Fuzzy Hash: D511A031D0411A8BCB04EB61D96566DB761AF44718F25444FE401AB381CB78BE01DB99

Function 004F99D0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000), ref: 004F99E7
GetLastError.KERNEL32(?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?,?,?,004F2602,00000000), ref: 004F99F3

Part of subcall function 004F9A44: CloseHandle.KERNEL32(FFFFFFFE,004F9A03,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?,?), ref: 004F9A54

___initconout.LIBCMT ref: 004F9A03

Part of subcall function 004F9A25: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004F99C1,004F8EAC,?,?,004F2CBC,?,00000000,00000000,?), ref: 004F9A38

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,004F8EBF,00000000,00000001,00000000,?,?,004F2CBC,?,00000000,00000000,?), ref: 004F9A18

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4073fb452acc2bf39f5868661c05f3178dd435da1111e5847a2e4d3732fa01cc
Instruction ID: 5b20afe49dfc811936039094a1e03a836322697f68d661982be1e10f18d9c5ea
Opcode Fuzzy Hash: 4073fb452acc2bf39f5868661c05f3178dd435da1111e5847a2e4d3732fa01cc
Instruction Fuzzy Hash: 01F01C36D00269BBCF262F95EC08A9E3F66FB587A0F044015FA0985170C6368D64EB94

Function 004DE5C7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004DE5D9
GetCurrentThreadId.KERNEL32 ref: 004DE5E8
GetCurrentProcessId.KERNEL32 ref: 004DE5F1
QueryPerformanceCounter.KERNEL32(?), ref: 004DE5FE

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e791756b3b835d30100d40df8863e0a0c4f9212e42eb2cdf9db7e05af165db5b
Instruction ID: b2c2be6856f36e684330460313926b85f6fe7bbb3a15333f1ea7ee41e01aad43
Opcode Fuzzy Hash: e791756b3b835d30100d40df8863e0a0c4f9212e42eb2cdf9db7e05af165db5b
Instruction Fuzzy Hash: 02F06274D1020EEFCB00DBB4D94999EBBF8FF2C204BA18596E412E7110EB34AB489B50

Function 004EA350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004EA251,?,?,00000000,00000000,00000000,?), ref: 004EA375

Strings

RCC, xrefs: 004EA38F
MOC, xrefs: 004EA387

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dbd46ced7b4e4af6fe2edc373a978ac751a1bb37acde68bac7b616e69d039e13
Instruction ID: 76aa1d119a09cf2ea172580756707885b07dd5e2675ba515b66e6f148c651277
Opcode Fuzzy Hash: dbd46ced7b4e4af6fe2edc373a978ac751a1bb37acde68bac7b616e69d039e13
Instruction Fuzzy Hash: C441CC71900249EFCF05DF95CC85AAEBBB2BF48305F18809AF90467251D379AA60CB56

Function 004E9BBC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004E9E33

Strings

csm, xrefs: 004E9E55
csm, xrefs: 004E9EC6

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 82567981a993e18aa352cfc9f22eb20de0800df58ab89b47641df18afdb14dd9
Instruction ID: 2fff2e28982cbe03e5135a1c58c0c7653755bd32ac21780e01a49e1b56fee4b5
Opcode Fuzzy Hash: 82567981a993e18aa352cfc9f22eb20de0800df58ab89b47641df18afdb14dd9
Instruction Fuzzy Hash: 9E31C632400295EBCF268F56C8449AB7B65FF09317B14415BF944893E1C37BDC61DB8A

Function 004D2A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D2A96
__Getctype.LIBCPMT ref: 004D2B0A

Strings

ios_base::badbit set, xrefs: 004D2A42

Memory Dump Source

Source File: 00000002.00000002.1656501815.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000002.00000002.1656482697.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656523461.00000000004FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656538167.0000000000506000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656554330.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1656569840.000000000050D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d0000_file.jbxd

Similarity

API ID: GetctypeLockitLockit::_std::_
String ID: ios_base::badbit set
API String ID: 2423992667-3882152299
Opcode ID: 94fe182236c10b45dbe6fc4bc07a0929d53270d5a640a83545da43576953c686
Instruction ID: fc5bc6bfb278557a67acd9047ff0110d3beaaad5ef072457ce59ad4125677f90
Opcode Fuzzy Hash: 94fe182236c10b45dbe6fc4bc07a0929d53270d5a640a83545da43576953c686
Instruction Fuzzy Hash: DF31B1B19087848BE3109F25C96531BBBE4AFE5708F04491EF5884B342E7B9E948C7D7

Analysis Process: file.exePID: 7604, Parent PID: 7536COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.6%
Total number of Nodes:	83
Total number of Limit Nodes:	7

Executed Functions

Function 00436F90 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 571
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00437173
SysAllocString.OLEAUT32(D080DE8F), ref: 004371DB
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437218
SysAllocString.OLEAUT32(9F4F9D4B), ref: 00437268
SysAllocString.OLEAUT32(E8D216C6), ref: 0043731A
VariantInit.OLEAUT32(.'()), ref: 00437385
VariantClear.OLEAUT32(.'()), ref: 004374E0
SysFreeString.OLEAUT32(?), ref: 00437504
SysFreeString.OLEAUT32(?), ref: 0043750A
SysFreeString.OLEAUT32(00000000), ref: 00437517
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437552

Strings

p*v,, xrefs: 00437199
.;, xrefs: 00437282
.'(), xrefs: 00437008, 004370C1
"#$%, xrefs: 004375FC
>C, xrefs: 004370D7
{|, xrefs: 004373BF
{.] , xrefs: 004371A1
C, xrefs: 004370CF
!", xrefs: 004371A9

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: !"$"#$%$.'()$.;$>C$C$p*v,${.] ${|
API String ID: 2573436264-264043890
Opcode ID: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
Instruction ID: 06fb3ad9466451430b31427f45de08a7eb0daa23bec53a4f5f9458ad790f981b
Opcode Fuzzy Hash: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
Instruction Fuzzy Hash: D302F0B1A083009FD320CF64CC81B5BBBE5EB99314F14982DF6C59B3A1D679E805CB96

Function 0040A960 Relevance: 9.2, Strings: 7, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N[\D, xrefs: 0040AD01, 0040ACD2, 0040ADB7, 0040ADC0, 0040ADEE, 0040ABA4, 0040ACF6, 0040ABC5
n, xrefs: 0040A982
'D F, xrefs: 0040AAC6
#xDz, xrefs: 0040AACE
A|}~, xrefs: 0040AAD6
kl, xrefs: 0040AB2D
N[\D, xrefs: 0040AC00

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: #xDz$'D F$A|}~$N[\D$N[\D$kl$n
API String ID: 0-490458541
Opcode ID: d47076afbd05a78a046f2f951199cb1dbd1ea0c989cd37d394d3fd4149bb2193
Instruction ID: 966b8f91f76bb20883ed88500b6b89ab0c93423946d56f050922860fedc986fe
Opcode Fuzzy Hash: d47076afbd05a78a046f2f951199cb1dbd1ea0c989cd37d394d3fd4149bb2193
Instruction Fuzzy Hash: D7C1267260C3504BC714CF6488905AFBBD3ABC2304F1E893DE9D56B382D679991AC78B

Function 0040CE55 Relevance: 9.0, Strings: 7, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z@(, xrefs: 0040CF5B
333480F93FDFE8E623D904AF30EFEBBC, xrefs: 0040CEAF
F^, xrefs: 0040D0B9
drive-connect.cyou, xrefs: 0040D27A
N~ :, xrefs: 0040CF45
I@, xrefs: 0040D0C4
VgfW, xrefs: 0040CF2F

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: 333480F93FDFE8E623D904AF30EFEBBC$F^$I@$N~ :$VgfW$drive-connect.cyou$z@(
API String ID: 0-4180455030
Opcode ID: 12efaed7f1b54f12da6bbf58353711d555d00ce7dd5b906222aedfdf9b1c7be8
Instruction ID: b1d760c26d9b90ec4573806c6615211f8657e28aa76e89aec63d6860f5017e85
Opcode Fuzzy Hash: 12efaed7f1b54f12da6bbf58353711d555d00ce7dd5b906222aedfdf9b1c7be8
Instruction Fuzzy Hash: A191EEB05083C18BD335CF25D8A0BEBBBE0AB96314F148D6DD4DD9B282D738454ACB96

Function 004087F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408811
GetCurrentThreadId.KERNEL32 ref: 0040881A
GetForegroundWindow.USER32 ref: 004088CE
ExitProcess.KERNEL32 ref: 0040897B

Strings

YO9W, xrefs: 00408822

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID: YO9W
API String ID: 3118123366-386669604
Opcode ID: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
Instruction ID: 5b12a659e8285d1355c3597aa5681aa9478bfa7506ef17589c1493984f4e9e7d
Opcode Fuzzy Hash: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
Instruction Fuzzy Hash: 98315977F5061807C31C7AB98C4636AB5874BC4614F0F863E9DD9AB386FDB89C0442D9

Function 0043B480 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00409CC0 Relevance: 1.3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\U^_, xrefs: 00409CE5

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: \U^_
API String ID: 0-352632802
Opcode ID: b233260ff75ba58cbb536c0014e0eb0df055bc4e14581868770786c388d706bb
Instruction ID: 5fa690bb4235e6f9a1b833386d74a381627e7adb8b1be8a89cbf23ee07b36487
Opcode Fuzzy Hash: b233260ff75ba58cbb536c0014e0eb0df055bc4e14581868770786c388d706bb
Instruction Fuzzy Hash: D011E23060C3808FD324DF3495549ABBBA5EFD7748F545A2CE4C56B281C735980A8FAA

Function 00434BDC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00434C09

Strings

t, xrefs: 00434C14

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: t
API String ID: 95929093-2238339752
Opcode ID: 3fa4c25dce8568a0724ebcbfa99840aa77e9227c5342f76fc488d9eef6af0589
Instruction ID: 08a8b9a0e37a212ebea7de5d04b95149eac63241ee44ff142c93878423301f38
Opcode Fuzzy Hash: 3fa4c25dce8568a0724ebcbfa99840aa77e9227c5342f76fc488d9eef6af0589
Instruction Fuzzy Hash: 53F0FF34808298CFDB10DF68D4943EEBBF16F66304F1880ACC08497382D37A9A84CB12

Function 0043B720 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043B720
GetForegroundWindow.USER32 ref: 0043B740

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a4781643aa2d8fd57512208f1c3e62aa4b8d5176cb57333a04816d28865289df
Instruction ID: 191facca889f69fa70601903ca8693053aaba1cbaba24685dbffd0b384c421fe
Opcode Fuzzy Hash: a4781643aa2d8fd57512208f1c3e62aa4b8d5176cb57333a04816d28865289df
Instruction Fuzzy Hash: 7ED0A7FDD20110EBC604AB71FC4A41B3A1AEB4722DB545539EC0343352DA39782E868F

Function 0040CDF0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CE03

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 61d928746ba4ae58ea54a0875f1c3d0382ed5290a25c5d8e3ced17899992ccae
Instruction ID: f1973b7854016afe0481596635c710bb103935c4c1c993b3491e04eff0e8badb
Opcode Fuzzy Hash: 61d928746ba4ae58ea54a0875f1c3d0382ed5290a25c5d8e3ced17899992ccae
Instruction Fuzzy Hash: 01D0A7345545486BD250A75CDD0BF563A5C9703B29F400239B763D61D1D9506920C669

Function 0040CE23 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CE35

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 9269880a45a3c80f6ec8299234c73a1314589920fa48725fb3d67ea21efaca66
Instruction ID: 9bb2948b1e33ad1240181575e0f5375bfb099cf60bc3df2fdc322b3d55e14239
Opcode Fuzzy Hash: 9269880a45a3c80f6ec8299234c73a1314589920fa48725fb3d67ea21efaca66
Instruction Fuzzy Hash: CAD0C9343D83007AF5748B48ED53F1432169702F11FB00629F322FE6D4C9E07121861D

Function 00439B60 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00412F5C), ref: 00439B80

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d0720c9dfbe2666778a34d5469e5ae55c8d5964329e0fb1cba2b62a2f878fbc3
Instruction ID: 8d81dc3d2e1c71e2762f942217139477682170591cb2c618f1865e02491f5b7e
Opcode Fuzzy Hash: d0720c9dfbe2666778a34d5469e5ae55c8d5964329e0fb1cba2b62a2f878fbc3
Instruction Fuzzy Hash: 76D0C935505126EBCA506B28BC15BC73A989F4A671F0708A1B4006A075C765EC919AD8

Function 00439B40 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00414E57,00000400), ref: 00439B50

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a95155655fbe3eb8f0e77a05497d8175f8be12db265ae77d37b3e7249a9ffdc4
Instruction ID: 3d340f236624c1ae318c051adf9ea47d82c8c11c3707c94fc3fa8f772c7fe72e
Opcode Fuzzy Hash: a95155655fbe3eb8f0e77a05497d8175f8be12db265ae77d37b3e7249a9ffdc4
Instruction Fuzzy Hash: 91C04831145224ABDA10AB15EC09B8A3AA8AF496A1F1A04A6B005660B28760AC929A98

Function 0040D2C5 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040D2C5

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 5707253a0f4c189d33386fe30951e2cae249061f9284b9e86972a201113a272f
Instruction ID: aa1ebcc13e0591ffa587ed879dc96101c66d2de581aeeee77924bd980006153c
Opcode Fuzzy Hash: 5707253a0f4c189d33386fe30951e2cae249061f9284b9e86972a201113a272f
Instruction Fuzzy Hash: 1AB0923AA1A015DE8A0047A5B8480D8F360E6882A67508873E31AE2010D231113A4656

Non-executed Functions

Function 00431BB0 Relevance: 47.4, APIs: 2, Strings: 25, Instructions: 179COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431BF9
GetSystemMetrics.USER32 ref: 00431C09

Strings

="C, xrefs: 00431E2A
="C, xrefs: 00431DB1
="C, xrefs: 00431DBC
="C, xrefs: 00431E1F
="C, xrefs: 00431DFE
b(C, xrefs: 00431ECF
="C, xrefs: 00431E09
="C, xrefs: 00431DD2
="C, xrefs: 00431DA6
="C, xrefs: 00431EC4
='C, xrefs: 00431D9B
, xrefs: 00431CF6
#C, xrefs: 00431D7A
="C, xrefs: 00431E6C
="C, xrefs: 00431E77
="C, xrefs: 00431E98
&)C, xrefs: 00431EAE
="C, xrefs: 00431EDA
S%C, xrefs: 00431E14
="C, xrefs: 00431EE5
="C, xrefs: 00431EB9
="C, xrefs: 00431E8D
="C, xrefs: 00431E61
;(C, xrefs: 00431E4B
="C, xrefs: 00431DDD

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID: $&)C$;(C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$='C$S%C$b(C$#C
API String ID: 4116985748-628680385
Opcode ID: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
Instruction ID: ea45c71986b2e534ecec44a4126f62931ddcc8577b73b097e58ed3aa899a90b6
Opcode Fuzzy Hash: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
Instruction Fuzzy Hash: 41B16FB04097818FE771DF14D48879BBBE0BBC5308F508A2EE5E89B251CBB95448CF86

Function 00419C10 Relevance: 15.3, APIs: 2, Strings: 6, Instructions: 1297COMMON

Download Yara Rule

APIs

Part of subcall function 0043B480: LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE

FreeLibrary.KERNEL32(?), ref: 0041A21A
FreeLibrary.KERNEL32(?), ref: 0041A29B

Strings

cba`, xrefs: 0041A13D
PQ, xrefs: 00419FAC
wEtG, xrefs: 00419F94
cba`, xrefs: 00419C63
cba`, xrefs: 0041AA31
I,~M, xrefs: 0041AA47

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I,~M$PQ$cba`$cba`$cba`$wEtG
API String ID: 764372645-3803835663
Opcode ID: 47063c938c01330124c9dc59b6d375a3b8a360990f39732c0e3748d67b9dcd4f
Instruction ID: ce701afe96e54189f6fff091c8333c98f5ae15aa60c98f01a083bef101dadeb2
Opcode Fuzzy Hash: 47063c938c01330124c9dc59b6d375a3b8a360990f39732c0e3748d67b9dcd4f
Instruction Fuzzy Hash: C59235746093409FE714CF65D891B6BBBE2EBD5300F28882EE58487391D7799C81CB9B

Function 00425920 Relevance: 12.9, Strings: 10, Instructions: 398COMMON

Download Yara Rule

Strings

&f?x, xrefs: 004259B7
cba`, xrefs: 00425E6C
Z\, xrefs: 004259FF
=j9l, xrefs: 0042599F
cba`, xrefs: 00425C50
"r,t, xrefs: 004259CF
3v#H, xrefs: 004259D7
<b"d, xrefs: 004259AF
^P, xrefs: 00425A07
z%|, xrefs: 004259BF

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: z%|$"r,t$&f?x$3v#H$<b"d$=j9l$cba`$cba`$Z\$^P
API String ID: 0-3047316687
Opcode ID: 45c83a3ddc5386c7eaecb6d0721308efe7616dc8ac7a87c6f5778f813dbd46f5
Instruction ID: 146473404e5499b4986dffa8d26f26e1c07bf5215faae6f3d7194190b628d0b4
Opcode Fuzzy Hash: 45c83a3ddc5386c7eaecb6d0721308efe7616dc8ac7a87c6f5778f813dbd46f5
Instruction Fuzzy Hash: C2D124B9608380DFE324DF15E88176BB7E1FBD5304F94982DE58587261D738D901CB4A

Function 004233A0 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 471COMMON

Download Yara Rule

Strings

$^<P, xrefs: 0042363F
]~"p, xrefs: 0042367F
#R,T, xrefs: 00423647
VW, xrefs: 004233E5
ij, xrefs: 0042397D
KM, xrefs: 004237FB

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: #R,T$$^<P$VW$]~"p$ij$KM
API String ID: 0-788320361
Opcode ID: 0ef6ac19612ecc2b18e822a80ca420e4bb8027dd0eadc437e0bac95af6737912
Instruction ID: 9ed236048ece28067beed024fb633757567cd4a7e3bca11c75bb2a7735f0e68b
Opcode Fuzzy Hash: 0ef6ac19612ecc2b18e822a80ca420e4bb8027dd0eadc437e0bac95af6737912
Instruction Fuzzy Hash: D1F1CAB46083509FD310DF65E88262BBBF1EFD5304F44892DE4958B351EB789A06CB4B

Function 00431A30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431A40
GetWindowLongW.USER32 ref: 00431A65
GetClipboardData.USER32 ref: 00431A75
GlobalLock.KERNEL32 ref: 00431A8E
GlobalUnlock.KERNEL32 ref: 00431B90
CloseClipboard.USER32 ref: 00431B99

Strings

K, xrefs: 00431B1E

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: K
API String ID: 2832541153-856455061
Opcode ID: 027abc228ed841da0674a97a3735ab7f080d79d715808bd082ae78d0cbe3e8e1
Instruction ID: 513562b2ac7e6d1d4712994eff6d7c1bc04b9d90a7c3137532ed1f51a9abc6ba
Opcode Fuzzy Hash: 027abc228ed841da0674a97a3735ab7f080d79d715808bd082ae78d0cbe3e8e1
Instruction Fuzzy Hash: 34418E6150C7818ED310AF7C988826FBFE09B96224F044A6EE8E5872D2E6389549C797

Function 004296D8 Relevance: 9.1, Strings: 7, Instructions: 340COMMON

Download Yara Rule

Strings

9nI9, xrefs: 004299D6
[93=, xrefs: 004299E6
='0{, xrefs: 004299DE
;>*2, xrefs: 004299CE
);?g, xrefs: 004299EE
cba`, xrefs: 0042974C
fa, xrefs: 004299F6

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: );?g$9nI9$;>*2$='0{$[93=$cba`$fa
API String ID: 0-154584671
Opcode ID: 3e51a02978bc99ce7d016768a4801fe2a924607298026115374562d3702a8947
Instruction ID: 21be1e4f2e6752f9380b4aadbcf4cd787e7e0f4b09ea5b297d7e9ef9a1fb0c4b
Opcode Fuzzy Hash: 3e51a02978bc99ce7d016768a4801fe2a924607298026115374562d3702a8947
Instruction Fuzzy Hash: 3FC1077560C3A08FC3118F29D89066BBBE2AF96310F588A6DF4E1573D2C7398D45CB5A

Function 0042D085 Relevance: 6.6, Strings: 5, Instructions: 368COMMON

Download Yara Rule

Strings

#, xrefs: 0042D4AC
0, xrefs: 0042D430
k, xrefs: 0042D4B6
AGsW, xrefs: 0042D496
P, xrefs: 0042D554

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: #$0$AGsW$P$k
API String ID: 0-1629916805
Opcode ID: a92c176f258902a07af39c1f8e4a41f6c7503ef90e7a1abad74dc0064dca0dbd
Instruction ID: 8816b6b3b95a3b8c405e0a0f8c285763547ceed8af8c8b555c70c7a9f783aa76
Opcode Fuzzy Hash: a92c176f258902a07af39c1f8e4a41f6c7503ef90e7a1abad74dc0064dca0dbd
Instruction Fuzzy Hash: 1CC1F4317183918ED328CF39D4513ABBBD2AFD2304F68866ED4D58B2D1D6798449C71B

Function 0040C36E Relevance: 6.5, Strings: 5, Instructions: 203COMMON

Download Yara Rule

Strings

4cde, xrefs: 0040C79C
CJ, xrefs: 0040C67E
GS, xrefs: 0040C677
F'k), xrefs: 0040C706
){+}, xrefs: 0040C788

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: ){+}$4cde$CJ$F'k)$GS
API String ID: 0-4192230409
Opcode ID: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
Instruction ID: 6afdb2316fdadaf12e32bd698f1912d34734f08b0bc4a82971b76fff6b28e520
Opcode Fuzzy Hash: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
Instruction Fuzzy Hash: 50B11BB84053058FE354DF629688FAA7BB0FB25310F1A82E9E0992F776D7748405CF96

Function 0042B763 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042BA82

Strings

qjjw, xrefs: 0042B9A6
3, xrefs: 0042D6CD

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: 3$qjjw
API String ID: 3664257935-3235754969
Opcode ID: 3641d3b1d95d9d0e2252580d4e70a4747529bd2a480d62c0a42bd322f018f1c7
Instruction ID: e0248e225440bb7285b8803733d60271f7e61eb44642cbaa2f092a8799675a72
Opcode Fuzzy Hash: 3641d3b1d95d9d0e2252580d4e70a4747529bd2a480d62c0a42bd322f018f1c7
Instruction Fuzzy Hash: 29A16C717083919BE7248F24C8917ABBBD2EFD2340F18856ED5C94B3C6DB384405D796

Function 00415ADC Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

WL, xrefs: 00415C75
neA, xrefs: 00415ECE
1/3T, xrefs: 0041611F
^Q, xrefs: 00415C83

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: 1/3T$WL$^Q$neA
API String ID: 0-3205570823
Opcode ID: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
Instruction ID: 36620dcd79f832a97b090e2ed89ea61b800e286945c25bf48684ec17d430fe28
Opcode Fuzzy Hash: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
Instruction Fuzzy Hash: A9D1CEB4100B01CFD7258F25C8A1BA3BBB1FF86314F19858DC8964F7A2D779A855CB94

Function 00426170 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

YNMZ, xrefs: 00426446
8zVc, xrefs: 0042627D
cba`, xrefs: 004261C1
4zVc, xrefs: 0042621C

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 4zVc$8zVc$YNMZ$cba`
API String ID: 2994545307-1799417857
Opcode ID: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
Instruction ID: a4538a0261ff6c2ac210d57fc6ac5424e6a326b8b8d8802f404cc31a7d59ec03
Opcode Fuzzy Hash: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
Instruction Fuzzy Hash: 189147B2F042208BD724DA25EC8172B7292EBD1314F5A857EEC8597342E678AC00C7DA

Function 0042BFDA Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 461COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C0D7

Strings

x, xrefs: 0042C2F2

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: x
API String ID: 3664257935-2363233923
Opcode ID: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
Instruction ID: f24e0535182122329204161442b6cb3576d9d8656e0dc52521a12abdc108ad65
Opcode Fuzzy Hash: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
Instruction Fuzzy Hash: EFD1B46060C3E08ED7358B2994903BFBBD1AFD7344F5849ADD0C99B282D779450ACB57

Function 00420717 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

B:@<, xrefs: 00420D02
F>?0, xrefs: 00420D09

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: B:@<$F>?0
API String ID: 0-4011826714
Opcode ID: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
Instruction ID: 92ed06d7aa227fc4673e4b6d33fedd1ff2714f2f2b1d0eb8acbab6dee258af69
Opcode Fuzzy Hash: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
Instruction Fuzzy Hash: E43256B1A00721CBCB24CF24C892267BBB1FF92310F59825DD8825F796E779A851CBD5

Function 0042C6D7 Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

', xrefs: 0042CC09
iJ, xrefs: 0042CAF5

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: '$iJ
API String ID: 0-30662343
Opcode ID: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
Instruction ID: e8033de2897f6a471e39d6e72682695b514e130b01bc458e21cc2d5cc8d806b0
Opcode Fuzzy Hash: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
Instruction Fuzzy Hash: 7C02F57060C3E18FD7298F2990A03ABBFE1AF97304F58496ED4D997342D77984058B97

Function 00414F08 Relevance: 3.1, Strings: 2, Instructions: 609COMMON

Download Yara Rule

Strings

cba`, xrefs: 00415565
=UA, xrefs: 0041551C, 00415537

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: =UA$cba`
API String ID: 0-2849403845
Opcode ID: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
Instruction ID: b0755fcd4efdf1967727a5f4be91126eb1e252dcdfc562f5600afc0ab194aa5f
Opcode Fuzzy Hash: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
Instruction Fuzzy Hash: 9402FE34608300EFD7149F24D962BABB7B1FB9A304F94582DF481972A2D775EC45CB8A

Function 00422270 Relevance: 3.0, Strings: 2, Instructions: 501COMMON

Download Yara Rule

Strings

TU, xrefs: 00422296
c!", xrefs: 0042242F

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: TU$c!"
API String ID: 0-3813282519
Opcode ID: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
Instruction ID: a4d5b8c078bf2433dc24120fb7555f1f32600d90c3be649242fb2c546733d6d2
Opcode Fuzzy Hash: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
Instruction Fuzzy Hash: 27C16672B04310ABD714DB29ED5277BB3E2EFD5314F48852EE88587381E6BCE801875A

Function 0041D074 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

pr, xrefs: 0041D112
|~, xrefs: 0041D10A

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: pr$|~
API String ID: 0-4145297803
Opcode ID: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
Instruction ID: 1c71e515e24bd4364ede3925d09e369eeeaf8989eca5e2d791649c7508655d54
Opcode Fuzzy Hash: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
Instruction Fuzzy Hash: E451F0B0A0C3509BD7008F24D8127ABB7F1EF92319F1885AEE4C55B391E7399642CB5E

Function 0041D087 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

pr, xrefs: 0041D112
|~, xrefs: 0041D10A

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: pr$|~
API String ID: 0-4145297803
Opcode ID: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
Instruction ID: b30244ed6a2ff3de417c81c30de102dda9fa652a451c4e072b4a3ececf8c80cf
Opcode Fuzzy Hash: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
Instruction Fuzzy Hash: B751F4B460C3509BD7009F24C8126ABB7F1EF92315F1885ADE4C55B391E739D642CB5E

Function 0042536C Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

X, xrefs: 0042556A
BLJB, xrefs: 00425554

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: BLJB$X
API String ID: 0-2222927247
Opcode ID: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
Instruction ID: 1af2eb929763e148cb4abff1c4585c52a2657f08fe5d59f4d12d45bf37d2de30
Opcode Fuzzy Hash: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
Instruction Fuzzy Hash: 13515531708B618BD730DE6894412FBBBE1DF55350F984A3ED8D987382E23CA545E74A

Function 00427653 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

ij, xrefs: 004276D3
H.s , xrefs: 004276E0

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: H.s $ij
API String ID: 0-4017226643
Opcode ID: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
Instruction ID: ae217f9daa6f4cce8b7d259f4259de876ba9e86de0ba8af5ed87a71d833a3b47
Opcode Fuzzy Hash: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
Instruction Fuzzy Hash: 0F31DEB260D3908FD314CF65D48165FBBE2EBC6704F55892DE4C56B340CBB49906CB46

Function 00415EE0 Relevance: 1.9, Strings: 1, Instructions: 625COMMON

Download Yara Rule

Strings

1/3T, xrefs: 0041611F

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 1/3T
API String ID: 2994545307-3266294232
Opcode ID: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
Instruction ID: ff65059a960126ae2aa6a0ba82ae0d71c7a8e5e6bd522a8814a62b27b48fd42c
Opcode Fuzzy Hash: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
Instruction Fuzzy Hash: 37F1E134204741CFE7258F29D891BB3BBA2FB5A301F1945ADD5D68B392C739E881CB58

Function 0042BFD3 Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

x, xrefs: 0042C2F2

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
Instruction ID: cbfe56490d4610b99627c39bd120223bdbde8b4c29662e55905f397c0fd00549
Opcode Fuzzy Hash: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
Instruction Fuzzy Hash: 1AD1176060C7E18ED7358B2894903BFBBD1AF97344F5849AED0D54B382D739940AC797

Function 004266E7 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

&tB, xrefs: 00426E9A

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: &tB
API String ID: 0-268467982
Opcode ID: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
Instruction ID: 06a34f82c29db43340e48ad1cbe7e395302b1ddd3c50ea808075b5b9ec83bf05
Opcode Fuzzy Hash: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
Instruction Fuzzy Hash: C5E169B5A083618FC7109F14E45136BB7E1AFDA304F0A486EE8C597342D639ED45CB9B

Function 0042A630 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042A918

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
Instruction ID: f813c1fc85afd7223dda0e36a8c027de47e21e6ca96e88e37e758e8b14c45e64
Opcode Fuzzy Hash: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
Instruction Fuzzy Hash: 03C113B2B043215BD7149E25E44076BB7E5AF84310F59892FEC9687382E738DC59C78B

Function 0043E690 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

@CDE, xrefs: 0043E8D1

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @CDE
API String ID: 2994545307-1513065382
Opcode ID: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
Instruction ID: 3c5ac0be7424b57116813a4f2293c38aabf5a2246835f37d4781b8179357b19c
Opcode Fuzzy Hash: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
Instruction Fuzzy Hash: EFB146717493414BC318DB2AC8D1A3BBBE6ABE9314F1CD93DE58687392C638DC058796

Function 00417190 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

RuA, xrefs: 00417542

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: RuA
API String ID: 0-3286949753
Opcode ID: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
Instruction ID: 812d55878a62f6fab66defe66c88ae53172d99736bf38563795d352ae53827f1
Opcode Fuzzy Hash: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
Instruction Fuzzy Hash: 8CB10234208701CFE7258F29D851B73B7F2EB4A711F1489ADD4968B392D738A882CB58

Function 00421EE0 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

x%, xrefs: 0042207D

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: x%
API String ID: 0-3980080454
Opcode ID: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
Instruction ID: 53925fe815e81de9676dfe4c3668865c11de61aed011eb2c10e86570e61a59d5
Opcode Fuzzy Hash: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
Instruction Fuzzy Hash: 7BA145B1604320ABCB10DF24DC91B6777E4FF94358F08492DEA858B391E7B9E905C766

Function 0042AAD0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042ACCE

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 1b0d155936ea343f35509df964668f6b6c6c9246b28269455b7de3af52c0cfb1
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: D271E632B183254BD714CE28E58031BBBE3ABC5710F99856EE9949B391D238EC55C78B

Function 00417E82 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

tuv, xrefs: 00418856

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: tuv
API String ID: 0-2475268160
Opcode ID: 832319e91b6d4892eeb44864a439925f3f6d3c4679f0fc0c8248a51ed8917232
Instruction ID: 96cc1be5c7b42f4822ccf6fdabcc1d0a1cf8542e79077bfe6f2257edbdd6f4ef
Opcode Fuzzy Hash: 832319e91b6d4892eeb44864a439925f3f6d3c4679f0fc0c8248a51ed8917232
Instruction Fuzzy Hash: 2B6133B6604700CFC7208F24D8923A3B3F2FF96318F18456EE996477A1E739A945C759

Function 00425F7D Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

1_B, xrefs: 00426164

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: 1_B
API String ID: 0-2132359058
Opcode ID: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
Instruction ID: 5b09de0f708086b2db089408e795921656c95d083517461b5049a84f32a7c51a
Opcode Fuzzy Hash: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
Instruction Fuzzy Hash: D8415972D09B7487C230DA64A81017BB6D5DB85310F9A847FF9C697342EB38AD01A7CA

Function 0042B4BB Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

CUUI, xrefs: 0042B588

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID: CUUI
API String ID: 0-173970609
Opcode ID: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
Instruction ID: 633f9cfe08b78efd1148aada0c0c4a0bea52aba14bf5254293374e99ea80dff2
Opcode Fuzzy Hash: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
Instruction Fuzzy Hash: 9541E7A020C7E08ADB358F2594903ABBBE1DFD3304F5884ADC6C56B243C77988068B5A

Function 0043DBD0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 0043DC39

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a54cd9664649f0a3eb3b986b2c8d66ddc9897b79c163bf161da4d5756e812fe2
Instruction ID: 1421818bc4f15c0d032df179158ed2797c8d4970c2420d5e39c05150b2e3af5d
Opcode Fuzzy Hash: a54cd9664649f0a3eb3b986b2c8d66ddc9897b79c163bf161da4d5756e812fe2
Instruction Fuzzy Hash: C33100B15183048BC314DF18E8C162BBBF8FB9A314F15A92DE68687391D3759908CB9A

Function 00425230 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

cba`, xrefs: 004252B6

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: e363ae243e25186fafc727a7c143fe84283cddf713b74be5aabea9aa04b6da8b
Instruction ID: beb69707a00ddb1e0f288a180930159145dfafadf277c1aff9f3426dfcb85bde
Opcode Fuzzy Hash: e363ae243e25186fafc727a7c143fe84283cddf713b74be5aabea9aa04b6da8b
Instruction Fuzzy Hash: 47113536A44B204BC324CE289DC163777E1AB95314F95263DDCA9D33A1E278EC009AD9

Function 00407470 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
Instruction ID: af49202ca076376fa415bca2a3091a328854806cafe53c7e33487b358e5641c5
Opcode Fuzzy Hash: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
Instruction Fuzzy Hash: 9722B332A087118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B851CB47

Function 0043CAC0 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b120d65a92fc5bdbbef3624e805ea907a676f62533a2aebf6e078355a3b7f7
Instruction ID: a0fb517757f1b8da7777bae7579d9f52a382c29ac2183c4fd28747a7d9f1db1e
Opcode Fuzzy Hash: 86b120d65a92fc5bdbbef3624e805ea907a676f62533a2aebf6e078355a3b7f7
Instruction Fuzzy Hash: F402127AB04216CFC704CF28E8906AAB7F2FB8A311F1A847ED58593351D734AD55CB86

Function 0043CBD6 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d076b9d010211f014a59fe34b7121c93ea0654b322b9de3976980b709a020c0e
Instruction ID: 0188f3e029ce03e8205a7a452b25b6dbd5bcd661a0513372e50984eaaf58ab41
Opcode Fuzzy Hash: d076b9d010211f014a59fe34b7121c93ea0654b322b9de3976980b709a020c0e
Instruction Fuzzy Hash: 98E12F79B04216CFC704CF68E8906AAB7F2FB8A312F1A847EE585D3351D334A955CB85

Function 00405910 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
Instruction ID: 292f23283d7cd07bb6fd19c8603031892cd16be448e450c68c3e166b8ce1a4f1
Opcode Fuzzy Hash: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
Instruction Fuzzy Hash: DAF1CF356087418FD724CF29C88066BFBE2EFD9304F08882EE5D597791E679E904CB5A

Function 0043CCE0 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c392115e0cff150cd0d6d8dc87b4614f7e511d1c43d6d4655b511f952909a
Instruction ID: b7c2eaf3338182462aad9b41d84ad1057b9f4e6ab3b7739cdaab2d2094e4d2b6
Opcode Fuzzy Hash: 536c392115e0cff150cd0d6d8dc87b4614f7e511d1c43d6d4655b511f952909a
Instruction Fuzzy Hash: 36C1007AA04216CFC704CF28E8906AAB7F2FB8A311F1A447DE98593351D734ED54CB85

Function 004286F0 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0698e5323aca3189bcf61449c470d5166dbf916172f2457ca70a618e1c4aeee2
Instruction ID: 56b07d3b8ecf2697cfceb0b79347f06369642de1c8fee68a0e9743baf01ab03d
Opcode Fuzzy Hash: 0698e5323aca3189bcf61449c470d5166dbf916172f2457ca70a618e1c4aeee2
Instruction Fuzzy Hash: 46C12EB060D3218AC314DF14D86272BB7F2EF92364F44891DF0D19B395EB789905CB9A

Function 0043CD60 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ae3e85a33d43a6e2771b0fd908fe387ca734c2f104cbcf9b416a7aefdf7c9a
Instruction ID: 20c8691d40d2db25294344e9a87d3a2a4619c2758e90d916e0ff6e9b3fbd9dce
Opcode Fuzzy Hash: b7ae3e85a33d43a6e2771b0fd908fe387ca734c2f104cbcf9b416a7aefdf7c9a
Instruction Fuzzy Hash: 95B1FE7AA14216CFC704CF68E8906AAB7F1FB8A311F1A447EE98693350D734ED54CB85

Function 0043CE00 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc05906a2cd7047f79f16b5ec2f82067cc14c0beb5821a18253c96a7a105a64b
Instruction ID: 02c91c5c175dbfc798e5ae80a92b3f6d79b9f3e28c5cee1d4de64ad44bd3bbdb
Opcode Fuzzy Hash: fc05906a2cd7047f79f16b5ec2f82067cc14c0beb5821a18253c96a7a105a64b
Instruction Fuzzy Hash: 28B1FE79A08216CFC704CF28E8906AAB7F1FB8A311F1A487DE985D3350D734E955CB95

Function 00416E97 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e2b72de9db90adf160ba091cc0f4e0f3ea60225d0eeabf88c335e2ed5b0d7e
Instruction ID: 5a7d6a52498181c9cf4f87941996139a214d8b31775e9e11dc627d5a44ad725e
Opcode Fuzzy Hash: 71e2b72de9db90adf160ba091cc0f4e0f3ea60225d0eeabf88c335e2ed5b0d7e
Instruction Fuzzy Hash: 73A143B46047418FD724CF29C8D1B63B7E2AB5A304F14892ED59A87792D338E886CB58

Function 0043DFB0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7535c463ae1e5bcf3702ce14ffd2b5f638eb3eed67e07491a9c0359b24ec7dd
Instruction ID: 9eaef7f6449a926bdd011e6bf6c7dc343cb48eef6fbbacc1f9e318c96c7b604e
Opcode Fuzzy Hash: b7535c463ae1e5bcf3702ce14ffd2b5f638eb3eed67e07491a9c0359b24ec7dd
Instruction Fuzzy Hash: 6891DF356053118BC718DF1AC890A2BB3F6EF9D710F19996DE8858B391E734EC01CB86

Function 0043DCF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e2f85c664c8434edd563ad3eec3cf26f3dbdf93c28ccb518c6c18397a03e6ac
Instruction ID: 42590aa1c4a3029240d7faad05c1566b36b776a36cf424c854185cc8c2ee326e
Opcode Fuzzy Hash: 7e2f85c664c8434edd563ad3eec3cf26f3dbdf93c28ccb518c6c18397a03e6ac
Instruction Fuzzy Hash: 58717A31A043014BC714AF29E890A3FB7A6EFDD750F1AD43EE4868B365DB349C11878A

Function 00428F5D Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
Instruction ID: 0033b059549c864885c35c4736f174911fb7ab2e2a7e13fdb612373215023671
Opcode Fuzzy Hash: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
Instruction Fuzzy Hash: 939168B2A083558FC714CF25945226FF7A2AFD1304F98892EE4E687382D639DD05CB4A

Function 0041CEA5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
Instruction ID: 79a636d4ef35a115cd61f203c964b336e8654c9833e22f85933b964d871e8aad
Opcode Fuzzy Hash: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
Instruction Fuzzy Hash: 824113B455835287CB209F289C413BBF3F1AFA2358F59455EE8C597380E738D992C36A

Function 00427307 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
Instruction ID: cd3817f91458a04e6f4698fbdec964a5fe2b941d70aabd782eb82a79c60357af
Opcode Fuzzy Hash: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
Instruction Fuzzy Hash: 4751EBB060C3208AC720DF60E49132BB7F0EFA2344F40492DD9D64B761EB799908DB9B

Function 004292D0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
Instruction ID: 8a214a05a26fc8f928125f8fb48cb90f3e515442b7647201508495c5dbe42c78
Opcode Fuzzy Hash: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
Instruction Fuzzy Hash: DA4127B2B193504BD71CCF258CA275FFBA2EBC5308F16883DE5869B284CA7494078B45

Function 00436B20 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
Instruction ID: 504e49b0b2ddc2a099550f91d12c5185d5b4ceea0bdb26274afb8cde00bc0dbb
Opcode Fuzzy Hash: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
Instruction Fuzzy Hash: B5314632A083385B83249E5D8982067F7E8EBCD714F1AE12FD884E7311E574ED0147C5

Function 0041597D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
Instruction ID: d5ab4806ffe72a1369b891b0c03ce99b48dccca7df38fd9f7e726c1ee5c76a78
Opcode Fuzzy Hash: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
Instruction Fuzzy Hash: 250124347A0A01DBE7258B15A891BB37293FB82310FA49029E18293281DB69AC91875D

Function 004345F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: fc3937f92bddd9b9036211213233e27d23e83f380f16c5f831fb688d5273015d
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8E11EC336051D40EC3158D3C84005A5BF930AD7234F59939AF4B4972E6D62A9D8B8359

Function 0042A060 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
Instruction ID: 81ebb7552e56e7d5adf40a514b1d7c04d719dbb311c9cbdb1d4034df3b6f2776
Opcode Fuzzy Hash: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
Instruction Fuzzy Hash: D601D4F5B00B1147D7309E11A5C0B27B2A9AF8070CF59443EED4467342DB7EEC28C69A

Function 00402B70 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
Instruction ID: dad6f7438d27f99e102fe50886f5565f1d4720bfb2582f27d129ae765fd9d515
Opcode Fuzzy Hash: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
Instruction Fuzzy Hash: EEF0E937B1551607A214DD26ACC453BB366D7C6314B295439E841E3281C979F80692B8

Function 0042B475 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
Instruction ID: c74ae76d4aeefb6f888da0d67bba939e79ddb671e6929748130615be24dd088f
Opcode Fuzzy Hash: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
Instruction Fuzzy Hash: E6D022789048005BC608EB10EE12639B2688F4B2AEF00303DE443FF353CE38EC60890E

Function 0040C274 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
Instruction ID: 52fe0259059b82c7cb9fb3d0f913ef24527c2e8030ec2916e1bb67edfa7a0227
Opcode Fuzzy Hash: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
Instruction Fuzzy Hash: 01D0122494A2994AD3068F389CA1731BBB1EF03100F442558D142DB291C7D09016865C

Function 00427546 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,?,00000000), ref: 00427607

Strings

OR, xrefs: 0042758A
<vB, xrefs: 00427636
JC, xrefs: 00427592
B\, xrefs: 0042759A

Memory Dump Source

Source File: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: CopyFile
String ID: <vB$B\$JC$OR
API String ID: 1304948518-1094185596
Opcode ID: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
Instruction ID: 8ef9865115e3bd1ef4dc2c2120f56385b28599b8e62f1996c0c1473ca8bdbd32
Opcode Fuzzy Hash: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
Instruction Fuzzy Hash: 802180B964D340DFD3209F61A84671BBBF4FB86304F40582CE1D587291EB788515DB4A

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
file.exe

Function 005061A9 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 004D1B70 Relevance: 10.8, APIs: 7, Instructions: 267
filewindowCOMMON

Function 004D20D0 Relevance: 13.6, APIs: 9, Instructions: 109
threadCOMMON

Function 004EB8B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 004D14C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 248
COMMON

Function 004D1AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memoryCOMMON

Function 004E3E7D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 004F2520 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 004F2CF9 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 004EC3D2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 004E3F95 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 004EAB23 Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Function 004DAF05 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 004DAEF7 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 004EB97D Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE