Edit tour

Windows Analysis Report
NLRpif3sEB.exe

Overview

General Information

Sample name:	NLRpif3sEB.exe renamed because original name is a hash value
Original sample name:	3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814.exe
Analysis ID:	1575228
MD5:	7083f90ec97477ac0dc977324bba3ec8
SHA1:	003402d622f48f10c5f3521244be458619e8d49b
SHA256:	3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814
Tags:	exeuser-NDA0E
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses ping.exe to check the status of other devices and networks

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

NLRpif3sEB.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\NLRpif3sEB.exe" MD5: 7083F90EC97477AC0DC977324BBA3EC8)

cmd.exe (PID: 6332 cmdline: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 4076 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NLRpif3sEB.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: NLRpif3sEB.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: NLRpif3sEB.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00404911 CryptUnprotectData,LocalFree,	0_2_00404911
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00410D22 CryptUnprotectData,LocalFree,	0_2_00410D22
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00410ED8 CoCreateInstance,CoTaskMemFree,CoTaskMemFree,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,	0_2_00410ED8
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00411FC7 CryptUnprotectData,LocalFree,	0_2_00411FC7

Source: NLRpif3sEB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NLRpif3sEB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00404CE1 FindFirstFileW,FindNextFileW,FindClose,	0_2_00404CE1
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004108E4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004108E4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004118BB FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,	0_2_004118BB

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197

Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197
Source: unknown	TCP traffic detected without corresponding DNS query: 213.226.100.197

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_004129A8 InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004129A8

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197

Source: NLRpif3sEB.exe, NLRpif3sEB.exe, 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2108183406.000000000322A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://213.226.100.197;
Source: NLRpif3sEB.exe, 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2108183406.000000000322A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://213.226.100.197;%s

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004058F2 OpenProcessToken,GetTokenInformation,NtCreateToken,CloseHandle,		0_2_004058F2
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00405750 GetTokenInformation,GetTokenInformation,DuplicateTokenEx,AdjustTokenPrivileges,NtSetInformationThread,CloseHandle,		0_2_00405750

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040A856	0_2_0040A856
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00408406	0_2_00408406
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040881D	0_2_0040881D
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040A4D4	0_2_0040A4D4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00407CEF	0_2_00407CEF
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004040BB	0_2_004040BB
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040795E	0_2_0040795E
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00403DFA	0_2_00403DFA
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040D611	0_2_0040D611
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040821E	0_2_0040821E
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00410ED8	0_2_00410ED8
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040A2A0	0_2_0040A2A0
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00407AA0	0_2_00407AA0
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00415B50	0_2_00415B50
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_0040A759	0_2_0040A759

Source: NLRpif3sEB.exe, 00000000.00000002.2107804477.00000000017CC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exej%Q vs NLRpif3sEB.exe

Source: NLRpif3sEB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@6/0@0/2

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00405750 GetTokenInformation,GetTokenInformation,DuplicateTokenEx,AdjustTokenPrivileges,NtSetInformationThread,CloseHandle,

0_2_00405750

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00405836 RtlAdjustPrivilege,CreateToolhelp32Snapshot,Process32NextW,OpenProcess,OpenProcessToken,CloseHandle,CloseHandle,Process32NextW,CloseHandle,

0_2_00405836

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00407656 CoCreateInstance,SysAllocString,SysAllocString,VariantClear,

0_2_00407656

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Mutant created: \Sessions\1\BaseNamedObjects\CC1E89063FF11448456937
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Command line argument: 0rz

0_2_007A7180

Source: NLRpif3sEB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NLRpif3sEB.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\NLRpif3sEB.exe "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: NLRpif3sEB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: NLRpif3sEB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NLRpif3sEB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NLRpif3sEB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NLRpif3sEB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NLRpif3sEB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_007A4B40 LoadLibraryA,GetProcAddress,

0_2_007A4B40

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00417AB0 push eax; ret	0_2_00417AC4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00417AB0 push eax; ret	0_2_00417AEC
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A67D5 push ecx; ret	0_2_007A67E8

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Process created: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Process created: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"			Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-14560

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-14271

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-15363

Source: C:\Users\user\Desktop\NLRpif3sEB.exe TID: 7100	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe TID: 7100	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_004145B8 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jne 00414B0Dh

0_2_004145B8

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00404CE1 FindFirstFileW,FindNextFileW,FindClose,	0_2_00404CE1
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004108E4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004108E4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004118BB FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,	0_2_004118BB

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_004145B8 GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetComputerNameW,GetUserNameW,GetLocalTime,EnumDisplayDevicesW,GetKeyboardLayoutList,GetKeyboardLayoutList,

0_2_004145B8

Source: NLRpif3sEB.exe, 00000000.00000002.2107804477.000000000179B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: NLRpif3sEB.exe, 00000000.00000002.2107804477.00000000017CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7k
Source: NLRpif3sEB.exe, 00000000.00000002.2107804477.000000000174E000.00000004.00000020.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2107804477.000000000179B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	API call chain: ExitProcess graph end node			graph_0-14273
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	API call chain: ExitProcess graph end node			graph_0-14480

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_007A50C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_007A50C4

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_007A4B40 LoadLibraryA,GetProcAddress,

0_2_007A4B40

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00405108 mov eax, dword ptr fs:[00000030h]	0_2_00405108
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_004075F1 mov eax, dword ptr fs:[00000030h]	0_2_004075F1
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00407605 mov eax, dword ptr fs:[00000030h]	0_2_00407605
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_00407621 mov eax, dword ptr fs:[00000030h]	0_2_00407621
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A4CC0 mov eax, dword ptr fs:[00000030h]	0_2_007A4CC0
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A4960 mov eax, dword ptr fs:[00000030h]	0_2_007A4960
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A4F20 mov ecx, dword ptr fs:[00000030h]	0_2_007A4F20

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A50C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007A50C4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A6A31 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007A6A31
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Code function: 0_2_007A5B09 SetUnhandledExceptionFilter,	0_2_007A5B09

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1			Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: GetLocaleInfoA,

0_2_00416E6D

Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\NLRpif3sEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00413CAF CreateMutexA,ExitProcess,GetModuleFileNameW,ExitProcess,GetSystemTime,GetSystemTime,CloseHandle,ExitProcess,

0_2_00413CAF

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

0_2_004145B8

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00406418 GetTimeZoneInformation,

0_2_00406418

Source: C:\Users\user\Desktop\NLRpif3sEB.exe

Code function: 0_2_00416E8E RtlGetVersion,

0_2_00416E8E

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: NLRpif3sEB.exe	String found in binary or memory: Electrum
Source: NLRpif3sEB.exe	String found in binary or memory: com.liberty.jaxx\IndexedDB
Source: NLRpif3sEB.exe	String found in binary or memory: Exodus
Source: NLRpif3sEB.exe	String found in binary or memory: Ethereum
Source: NLRpif3sEB.exe	String found in binary or memory: keystore

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	13 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	2 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	34 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NLRpif3sEB.exe	61%	ReversingLabs	Win32.Trojan.KpotStealer
NLRpif3sEB.exe	100%	Avira	TR/AD.Khalesi.aeba
NLRpif3sEB.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://213.226.100.197;	0%	Avira URL Cloud	safe
http://213.226.100.197;%s	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://213.226.100.197;	NLRpif3sEB.exe, NLRpif3sEB.exe, 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2108183406.000000000322A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://213.226.100.197;%s	NLRpif3sEB.exe, 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2108183406.000000000322A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.226.100.197	unknown	Russian Federation		200019	ALEXHOSTMD	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575228
Start date and time:	2024-12-14 20:04:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NLRpif3sEB.exe renamed because original name is a hash value
Original Sample Name:	3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@6/0@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 35 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NLRpif3sEB.exe

Simulations

Behavior and APIs

Time	Type	Description
14:05:42	API Interceptor	2x Sleep call for process: NLRpif3sEB.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALEXHOSTMD	sora.sh4.elf	Get hash	malicious	Mirai	Browse	176.123.5.14
	http://server.citierupticx.com/specId/product-mje%EF%BC%A0ml.avio.co.jp	Get hash	malicious	HTMLPhisher	Browse	91.208.197.216
	2024-11 eStmt 5563019.exe	Get hash	malicious	ScreenConnect Tool	Browse	176.123.1.130
	otis.exe	Get hash	malicious	Unknown	Browse	91.132.92.231
	otis.exe	Get hash	malicious	Unknown	Browse	91.132.92.231
	armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	powerpc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.913242559455033
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NLRpif3sEB.exe
File size:	544'256 bytes
MD5:	7083f90ec97477ac0dc977324bba3ec8
SHA1:	003402d622f48f10c5f3521244be458619e8d49b
SHA256:	3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814
SHA512:	7ea07933377c2a7651547889decf558dc4243e2b4e4c3e41b374ec2e9bd6d25f2e1109b579b51696cc9f3127ab458f5050917fed1c673df6ccd299fad0089f4c
SSDEEP:	6144:jbgH72UMexaE7qzXi41IpGP2Uxf1SOXUqcAgJo6VVTsGP7J2DMABQ7lOMPJ3Q:jbgH72lWaEcXi4GcxzRr7
TLSH:	9FC492E7C303660FF70374B0C18CAAB5A4561771BE4A58626A266FFCF36D1D10969B83
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...;i..M...;\..M...;h..M...5Q..M...M...M...;m..M...;X..M...;_..M..Rich.M..........PE..L....{{^...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x435414
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E7B7BE5 [Wed Mar 25 15:42:29 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	489091380902ae5fab5138a1044fd8fa

Entrypoint Preview

Instruction
call 00007F98F09006BBh
jmp 00007F98F08FEFDEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043DC78h], eax
mov dword ptr [0043DC74h], ecx
mov dword ptr [0043DC70h], edx
mov dword ptr [0043DC6Ch], ebx
mov dword ptr [0043DC68h], esi
mov dword ptr [0043DC64h], edi
mov word ptr [0043DC90h], ss
mov word ptr [0043DC84h], cs
mov word ptr [0043DC60h], ds
mov word ptr [0043DC5Ch], es
mov word ptr [0043DC58h], fs
mov word ptr [0043DC54h], gs
pushfd
pop dword ptr [0043DC88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043DC7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043DC80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043DC8Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0043DBC8h], 00010001h
mov eax, dword ptr [0043DC80h]
mov dword ptr [0043DB7Ch], eax
mov dword ptr [0043DB70h], C0000409h
mov dword ptr [0043DB74h], 00000001h
mov eax, dword ptr [0043D004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0043D008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bd3c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f000	0x48464	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x72c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3bb48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x38582	0x38600	2ca1e21247c586cd81cd50ddd8f96bba	False	0.3514109271064302	data	5.281420630473987	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3a000	0x24aa	0x2600	324c6009672f87605820a2907d77065f	False	0.34745065789473684	data	4.724043806815104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x1940	0xc00	a1e869547c364d560b5be05df1ef49cb	False	0.22265625	data	2.53160662042428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3f000	0x48464	0x48600	477999904eacff1380b3c82f67633d0a	False	0.3737721286701209	data	3.539645845792326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xa76	0xc00	0551b6d0bb13bc88ee9f5875dfe694fd	False	0.5087890625	data	4.540521816553144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3f1cc	0x2	data	English	United States	5.0
RT_MENU	0x3f1d0	0xa2	data	English	United States	0.5679012345679012
RT_DIALOG	0x3f274	0x144	data	English	United States	0.5679012345679012
RT_STRING	0x3f3b8	0x90	data	English	United States	0.5972222222222222
RT_RCDATA	0x3f448	0x48000	data	English	United States	0.3737284342447917
RT_RCDATA	0x87448	0x19	data	English	United States	1.36

Imports

DLL	Import
KERNEL32.dll	TerminateProcess, GetLastError, VirtualAlloc, LoadLibraryA, SetCalendarInfoA, HeapAlloc, GetProcAddress, CloseHandle, HeapReAlloc, GetStringTypeW, MultiByteToWideChar, LCMapStringW, GetModuleHandleW, RtlUnwind, Sleep, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LoadLibraryW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetCurrentProcess, HeapSize, InterlockedDecrement, GetCurrentThreadId, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameW, EncodePointer, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, IsProcessorFeaturePresent
USER32.dll	EndPaint, PostQuitMessage, GetClientRect, BeginPaint, GetDC, ReleaseDC, DefWindowProcW, GetMessageW, LoadCursorW, TranslateMessage, LoadIconW, ShowWindow, CreateWindowExW, MessageBoxW, RegisterClassW, UpdateWindow, DispatchMessageW
GDI32.dll	LineTo, GetStockObject, MoveToEx
Normaliz.dll	IdnToNameprepUnicode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 20:04:58.949801922 CET	49730	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:04:59.073381901 CET	80	49730	213.226.100.197	192.168.2.4
Dec 14, 2024 20:04:59.073631048 CET	49730	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:04:59.073776960 CET	49730	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:04:59.200999975 CET	80	49730	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:21.003298044 CET	80	49730	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:21.003520012 CET	49730	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:21.003964901 CET	49730	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:21.007930994 CET	49736	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:21.130458117 CET	80	49730	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:21.134324074 CET	80	49736	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:21.134510040 CET	49736	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:21.134593964 CET	49736	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:21.254499912 CET	80	49736	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:43.082082987 CET	80	49736	213.226.100.197	192.168.2.4
Dec 14, 2024 20:05:43.082182884 CET	49736	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:43.082266092 CET	49736	80	192.168.2.4	213.226.100.197
Dec 14, 2024 20:05:43.202833891 CET	80	49736	213.226.100.197	192.168.2.4

HTTP Request Dependency Graph

213.226.100.197

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	213.226.100.197	80	7052	C:\Users\user\Desktop\NLRpif3sEB.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 20:04:59.073776960 CET	65	OUT	GET / HTTP/1.1 Connection: Keep-Alive Host: 213.226.100.197

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	213.226.100.197	80	7052	C:\Users\user\Desktop\NLRpif3sEB.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 20:05:21.134593964 CET	65	OUT	GET / HTTP/1.1 Connection: Keep-Alive Host: 213.226.100.197

Target ID:	0
Start time:	14:04:57
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\NLRpif3sEB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NLRpif3sEB.exe"
Imagebase:	0x770000
File size:	544'256 bytes
MD5 hash:	7083F90EC97477AC0DC977324BBA3EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:05:42
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:05:42
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:05:42
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1
Imagebase:	0x630000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	55.9%
Signature Coverage:	13.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	23

Executed Functions

Function 004129A8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 155
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413569: InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004135AB

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000), ref: 004129CC
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00412A08
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00412A21
HttpOpenRequestW.WININET(0000EA60,?,?,00000000,00000000,00000000,-00000001,00000000), ref: 00412A5C
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00412A80
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 00412A99
HttpSendRequestW.WININET(00000000,?,?,0000EA60,?), ref: 00412AB1
InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 00412AC7
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00412AEF
InternetCloseHandle.WININET(00000000), ref: 00412B07
InternetCloseHandle.WININET(0000EA60), ref: 00412B10
InternetCloseHandle.WININET(?), ref: 00412B19

Strings

`, xrefs: 004129DF

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Internet$CloseHandleOption$HttpOpenQueryRequest$AvailableConnectCrackDataFileReadSend
String ID: `
API String ID: 2263532179-1850852036
Opcode ID: 337f231a003c4c706b158496a4df7ab4e4f1f63051ffc8cb6a84e9b7fa47582e
Instruction ID: dc99d5b8504d753b9beb300cd76dbe9c4bb2313e18cd3c81913fb33a92f5dd12
Opcode Fuzzy Hash: 337f231a003c4c706b158496a4df7ab4e4f1f63051ffc8cb6a84e9b7fa47582e
Instruction Fuzzy Hash: 53513AB1A00219BFDF119FA5DD49EEFBFB8EB48700F10412AF512E2150D7795A90DB68

Function 00413CAF Relevance: 12.2, APIs: 8, Instructions: 169
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413B6C: CoInitializeEx.COMBASE(00000000,00000002), ref: 00413B7B

Part of subcall function 0041701B: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00413CCB,?,00000032), ref: 00417037

CreateMutexA.KERNEL32(00000000,00000001,?), ref: 00413CD6
ExitProcess.KERNEL32 ref: 00413CEC
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00413CFF
ExitProcess.KERNEL32 ref: 00413D2F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: ExitProcess$CreateFileInformationInitializeModuleMutexNameVolume
String ID:
API String ID: 2804266631-0
Opcode ID: fcd8eb96de6217f256b999b5a7e5d2b0f0d3e120eca5a8fc7563aa3f23ff9bf0
Instruction ID: ddbba73eb4803778151220dfd07befdf9224cd48c48c060a4fbae49941d5bf6b
Opcode Fuzzy Hash: fcd8eb96de6217f256b999b5a7e5d2b0f0d3e120eca5a8fc7563aa3f23ff9bf0
Instruction Fuzzy Hash: AD514C72C00218AADF11FBB1AD4A9DE777CAF05305F1004ABF605A6042EB399BC88B59

Function 007A4CC0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26e765b5013b219c1abc091eac328a0d5c8a046ec8bb4a422298991ddf01ce7
Instruction ID: 7603a2472ed12046b4ab69322df02bc3577b2223112e8b6f7a6670809ff62f80
Opcode Fuzzy Hash: b26e765b5013b219c1abc091eac328a0d5c8a046ec8bb4a422298991ddf01ce7
Instruction Fuzzy Hash: 38012278A00208EFCB44CF58C190999BBB5FB4C354F208299EC499B746D736EE82CF80

Function 004064C7 Relevance: 54.8, APIs: 17, Strings: 14, Instructions: 569
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405192: LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D

LoadLibraryA.KERNEL32(?), ref: 0040731F
LoadLibraryA.KERNEL32(?), ref: 00407343
LoadLibraryA.KERNEL32(?), ref: 0040736C
LoadLibraryA.KERNEL32(?), ref: 00407395
LoadLibraryA.KERNEL32(?), ref: 004073DA
LoadLibraryA.KERNEL32(?), ref: 004073FF
LoadLibraryA.KERNEL32(?), ref: 00407428
LoadLibraryA.KERNEL32(?), ref: 0040744A
LoadLibraryA.KERNEL32(?), ref: 0040746F
LoadLibraryA.KERNEL32(?), ref: 00407497
LoadLibraryA.KERNEL32(?), ref: 004074C0
LoadLibraryA.KERNEL32(?), ref: 004074E5
LoadLibraryA.KERNEL32(?), ref: 0040750A
LoadLibraryA.KERNEL32(?), ref: 0040752F
LoadLibraryA.KERNEL32(?), ref: 00407551
LoadLibraryA.KERNEL32(?), ref: 00407573
LoadLibraryA.KERNEL32(?), ref: 00407598

Strings

>, xrefs: 00407315
c50, xrefs: 004069F3
.Y*, xrefs: 004069B7
LNF, xrefs: 0040724B
(F&, xrefs: 0040697B
f|j?, xrefs: 0040729F
W0U, xrefs: 00406C9B
+N, xrefs: 00406953
8I, xrefs: 00406D01
U=, xrefs: 00406A07
yF|d, xrefs: 00406B47
[Xx, xrefs: 004070E9
uE, xrefs: 00406E19
p, xrefs: 0040712F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: LibraryLoad
String ID: [Xx$(F&$.Y*$8I$>$f|j?$p$yF|d$uE$+N$LNF$U=$W0U$c50
API String ID: 1029625771-3468027254
Opcode ID: 1b2d95f987bde8cf06e019b5f51688bb45c474f0357fcc0c95498163d0c90df6
Instruction ID: 7b55cb6931a6eae9675ae3473d819d56059f9eb575f203993a4290f2a2dbd950
Opcode Fuzzy Hash: 1b2d95f987bde8cf06e019b5f51688bb45c474f0357fcc0c95498163d0c90df6
Instruction Fuzzy Hash: 178289B08052699BDB61CF518D987CEBBB5BB45308F5082DAD5097A200DBB91FC9CF89

Function 007A452D Relevance: 22.6, APIs: 15, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 007A4539
TerminateProcess.KERNEL32(00000000), ref: 007A4540
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007A454E
GetLastError.KERNEL32 ref: 007A4558
GetCurrentProcess.KERNEL32(00000000), ref: 007A4565
TerminateProcess.KERNEL32(00000000), ref: 007A456C
IdnToNameprepUnicode.NORMALIZ(00000000,00000000,00000000,00000000,00000000), ref: 007A457C
GetLastError.KERNEL32 ref: 007A4586
GetCurrentProcess.KERNEL32(00000000), ref: 007A4593
TerminateProcess.KERNEL32(00000000), ref: 007A459A
_malloc.LIBCMT ref: 007A45A5
_memset.LIBCMT ref: 007A45C5
_free.LIBCMT ref: 007A46B5

Part of subcall function 007A50D3: HeapFree.KERNEL32(00000000,00000000,?,007A64BD,00000000,?,?,007A556B,007A5196), ref: 007A50E9
Part of subcall function 007A50D3: GetLastError.KERNEL32(00000000,?,007A64BD,00000000,?,?,007A556B,007A5196), ref: 007A50FB

_free.LIBCMT ref: 007A46C1
_free.LIBCMT ref: 007A46CD

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: Process$CurrentErrorLastTerminate_free$CalendarFreeHeapInfoNameprepUnicode_malloc_memset
String ID:
API String ID: 3381973965-0
Opcode ID: 8134fef728c8e20ee777daae96959e7a555f79d35250498a4846d77ebe9982bb
Instruction ID: 9b1988303bafd2cbe8d39fde035f32bea6d13196881024d023cfe6cd46f04fe2
Opcode Fuzzy Hash: 8134fef728c8e20ee777daae96959e7a555f79d35250498a4846d77ebe9982bb
Instruction Fuzzy Hash: 854184B1D00104EBEB10DFE4DC4ABBF7774AFC6705F144664E205AA281E7BD5A44CB92

Function 00412E5D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostbyname.WS2_32(?), ref: 00412E92
socket.WS2_32(00000002,00000001,00000006), ref: 00412EB4
connect.WS2_32(00000000,?,00000010), ref: 00412EEC
send.WS2_32(00000000,?,00000000,00000000), ref: 00412F37
send.WS2_32(00000000,?,?,00000000), ref: 00412F4F
recv.WS2_32(?,?,00000400,00000000), ref: 00412F6B
closesocket.WS2_32(?), ref: 00413001

Strings

, xrefs: 00412FC2

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: send$closesocketconnectgethostbynamerecvsocket
String ID:
API String ID: 1783939010-2344752452
Opcode ID: 29e188fea70a0dd2f8240455ef74e17abaa8d4ab1a3e0102d3a2115e332ad8ad
Instruction ID: da93d37a2aa8dd86005f6c059bbb5740c46efee5a5ea72e2e65dce030ffe33f1
Opcode Fuzzy Hash: 29e188fea70a0dd2f8240455ef74e17abaa8d4ab1a3e0102d3a2115e332ad8ad
Instruction Fuzzy Hash: 2C51B172900209ABDF219FA8CD45AEF7B75EF44320F104066F901F72A1DB799E91DB98

Function 007A435C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000059,00001000,00000004), ref: 007A4376
VirtualAlloc.KERNEL32(00000000,0000000F,00001000,00000004), ref: 007A438D
MessageBoxW.USER32(00000000,agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk,cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi,00000000), ref: 007A43A7

Strings

cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi, xrefs: 007A439B
agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk, xrefs: 007A43A0

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual$Message
String ID: agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk$cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi
API String ID: 1804078305-2917780553
Opcode ID: aecf1159bca6e133df71d0762a3b084c6e9884186305670266c39c50bb5e68ab
Instruction ID: 4ccc7b0a136d033767af1b2392a51b79f3b498d818826f8e2b81bfe8fd7a722a
Opcode Fuzzy Hash: aecf1159bca6e133df71d0762a3b084c6e9884186305670266c39c50bb5e68ab
Instruction Fuzzy Hash: C3F01C756C0744BAEB308F14DC4BF893A20A786BA3F108220FB5D6C1D1D3F99684CA85

Function 0041701B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00413CCB,?,00000032), ref: 00417037

Strings

C:\, xrefs: 0041702F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: InformationVolume
String ID: C:\
API String ID: 2039140958-3404278061
Opcode ID: 889d53317b2db0a536e5275cff2a90517a2d7934359336816fc69587e525ddc7
Instruction ID: 38deaf873d01ad376382a45a46a62742d6431d24871cea28b4788a870ec15d02
Opcode Fuzzy Hash: 889d53317b2db0a536e5275cff2a90517a2d7934359336816fc69587e525ddc7
Instruction Fuzzy Hash: 80014071C05628B6CF11EFA28D498DFBF78EE49364B10006AF805B3141D6399B85DBF9

Function 007A43C0 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 007A440C
_malloc.LIBCMT ref: 007A4458

Part of subcall function 007A510D: __FF_MSGBANNER.LIBCMT ref: 007A5126
Part of subcall function 007A510D: __NMSG_WRITE.LIBCMT ref: 007A512D
Part of subcall function 007A510D: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,007A445D,?), ref: 007A5152

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocateHandleHeapModule_malloc
String ID:
API String ID: 2614553508-0
Opcode ID: 7adfe9251f69acb726e66b4658be939180b60dacd9fb157a6e2c46932c0e176e
Instruction ID: d0c19a04872bb5edacb304ec11d2a00ff3ef6a5f5ae82b214c25015f012f4b1d
Opcode Fuzzy Hash: 7adfe9251f69acb726e66b4658be939180b60dacd9fb157a6e2c46932c0e176e
Instruction Fuzzy Hash: 5D21C7B5D00209EFDB04DFE4D849AEEBBB4EF89305F108658E905B7240E7799A41CFA1

Function 00778262 Relevance: 3.0, APIs: 1, Instructions: 1701memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000DE,00001000,00000004), ref: 00778282

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e95edaf039313932f4ef897ab547e282aa7891574b0cd2701677a94333f52e7
Instruction ID: 09aeb3727ea582ef36ec3334d74038e97b6a26b490ba5213d892397cd949db94
Opcode Fuzzy Hash: 2e95edaf039313932f4ef897ab547e282aa7891574b0cd2701677a94333f52e7
Instruction Fuzzy Hash: FF233A709012299BDB69CF08CD94BDDBBB5BF48348F1481D9E50DAB356D730AA91CF88

Function 0079D002 Relevance: 2.9, APIs: 1, Instructions: 1644memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000DE,00001000,00000004), ref: 0079D01F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 798682c59470c3559d4ad822a723b462a6fd2d684d814b33bb4b5dccfe1a5eec
Instruction ID: 00ee23968cfcfe08eb2416d9c2f617dddc6dd5a5b33136ae0221f53818b6b8dc
Opcode Fuzzy Hash: 798682c59470c3559d4ad822a723b462a6fd2d684d814b33bb4b5dccfe1a5eec
Instruction Fuzzy Hash: 3C234B719012289BCB69CF08DD95BDCBBB5BF48348F1481D9E50DAB356D730AA91CF88

Function 007820B2 Relevance: 2.9, APIs: 1, Instructions: 1614memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000066,00001000,00000004), ref: 007820CC

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 94c296daabaf7f5dcc9535184ec28e80217e787753e14331037d7a257ae0ee4a
Instruction ID: b86aae80eb7d8cc66ba3cd63212d57bf84dff99bc080e8d35d9af136f9f0668d
Opcode Fuzzy Hash: 94c296daabaf7f5dcc9535184ec28e80217e787753e14331037d7a257ae0ee4a
Instruction Fuzzy Hash: E2233D709012299BCB69CF08C994BDDBBB6BF84349F1481D9D50DAB356D730AB91CF88

Function 007A0942 Relevance: 2.8, APIs: 1, Instructions: 1539
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,000000D5,00001000,00000004), ref: 007A095F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ef74b55320617192862ccbed7205ab29fd65ed25cdb5208de4c74039b21e10a6
Instruction ID: 7560625ab9dc05fce6ddf7a83cd13b096130cac960ca4cc8a6dfdd1b2a3cb102
Opcode Fuzzy Hash: ef74b55320617192862ccbed7205ab29fd65ed25cdb5208de4c74039b21e10a6
Instruction Fuzzy Hash: 12132C709012299BDB69CF08CD94BDDBBB5BF88348F1481D9E50DAB356D730AA91CF48

Function 0079B342 Relevance: 2.8, APIs: 1, Instructions: 1533
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0079B35C

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54907d4ed6f6e3467cc576293e85d5bba377ddc6a4cf020fbb2c1d42d024a6f1
Instruction ID: a58b2ec191540d84a5dd12ea7064a8fb86ce9a2b5a24eb466b1b688c042848c2
Opcode Fuzzy Hash: 54907d4ed6f6e3467cc576293e85d5bba377ddc6a4cf020fbb2c1d42d024a6f1
Instruction Fuzzy Hash: EB134D709011289BDB69CF08DD94BDCBBB6BF84349F1482D9D50DAB356D730AA91CF88

Function 007913D2 Relevance: 2.8, APIs: 1, Instructions: 1527
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0000009E,00001000,00000004), ref: 007913F2

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86968a3957e8cc3cd70d8444a9fe91604947625c44eab641b4986f754c2ffebe
Instruction ID: d45ca6791911ad2428259630704d1934c3cf442826b5f258def718d5783e99a7
Opcode Fuzzy Hash: 86968a3957e8cc3cd70d8444a9fe91604947625c44eab641b4986f754c2ffebe
Instruction Fuzzy Hash: C9134A719012289BCB69CF08DD95BDCBBB5BF48348F1481D9E50DAB356D730AA91CF88

Function 00794982 Relevance: 2.8, APIs: 1, Instructions: 1524
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,000000BE,00001000,00000004), ref: 007949A2

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d59b4f7a9a79709cb48b885bb91a11b17edaa2919701f8d2b3bb476890adae49
Instruction ID: 483f5e49c44f9b23bf973b8d08b746d6168d93457586ee73c343c5ed113bec5d
Opcode Fuzzy Hash: d59b4f7a9a79709cb48b885bb91a11b17edaa2919701f8d2b3bb476890adae49
Instruction Fuzzy Hash: 99134D709011289BDB69CF08DD94B9DBBB6BF84349F1482D9D50DAB346D730AA91CF88

Function 0078C2B2 Relevance: 2.7, APIs: 1, Instructions: 1494
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000004), ref: 0078C2D2

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 88537b647c7e6074c9c4e37c9926deb876b4e393bc6b30e9741a25a32368b849
Instruction ID: a9427460b799ec06383e2a5480e07a95c75885a612bd899009249a5e1af7a02c
Opcode Fuzzy Hash: 88537b647c7e6074c9c4e37c9926deb876b4e393bc6b30e9741a25a32368b849
Instruction Fuzzy Hash: 67132C709012299BDB69CF08CD94BEDBBB5BF44348F1481D9E50DAB356D730AA91CF88

Function 0079EEC2 Relevance: 2.7, APIs: 1, Instructions: 1416
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,000000DD,00001000,00000004), ref: 0079EEDF

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6bb2ccbaaec487e9e6d9ac6b0353434e7e2cedece5744b86d92a2edd794861b
Instruction ID: bd6e0630745fa1277f2bb8f2d842732093fd9a04d0a4b6f1e4bcb8b1ef4981a3
Opcode Fuzzy Hash: b6bb2ccbaaec487e9e6d9ac6b0353434e7e2cedece5744b86d92a2edd794861b
Instruction Fuzzy Hash: 48033F709011299BDB68CF08CD94BDDBBB6BF84349F1482D9D50DAB356D730AA91CF88

Function 0077A282 Relevance: 2.7, APIs: 1, Instructions: 1416
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000098,00001000,00000004), ref: 0077A29F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6db90cfb276ba4a49809ad35bbe09fbd641879b7b3643afda5a861a8ba6cc85
Instruction ID: a106854258a7af08f6e37882bed854ee6e228bef7986de2670836a82f8a5bc67
Opcode Fuzzy Hash: c6db90cfb276ba4a49809ad35bbe09fbd641879b7b3643afda5a861a8ba6cc85
Instruction Fuzzy Hash: 9A033F709011289BDB69CF08CD94BDDBBB6BF84349F1482D9D54DAB346D730AA91CF88

Function 00787582 Relevance: 2.6, APIs: 1, Instructions: 1398memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000088,00001000,00000004), ref: 007875A2

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 36198adadb680999069345f051bd1b32994855e5032f004fe61c5a69ef4ffd6e
Instruction ID: 684b8447fc6b2b2115c497e757c4fa1ff2ba6996c40512a43f651e86379adc09
Opcode Fuzzy Hash: 36198adadb680999069345f051bd1b32994855e5032f004fe61c5a69ef4ffd6e
Instruction Fuzzy Hash: D0033F709011299BCB68CF08CD94BDDBBB6BF84349F1482D9D50DAB356D730AA91CF88

Function 00797DC2 Relevance: 2.6, APIs: 1, Instructions: 1350memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000DB,00001000,00000004), ref: 00797DDF

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feb95bda0b9f1b583c46d0ec3f29066dcee9d26513474099623c73b3eeb74b9f
Instruction ID: 0763054f922897336c3b695466e5573d64e96b1119e8d1d5963de5a7a659d49f
Opcode Fuzzy Hash: feb95bda0b9f1b583c46d0ec3f29066dcee9d26513474099623c73b3eeb74b9f
Instruction Fuzzy Hash: C8033F709012289BDB69CF08DDA4BDDBBB5BF44348F1881D9E50DAB356D730AA91CF48

Function 0077BCF2 Relevance: 2.6, APIs: 1, Instructions: 1344memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000086,00001000,00000004), ref: 0077BD0F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f231486b0e6904a909a0279c3af612fda6284ac8f23a4435d1500f0236a0402f
Instruction ID: 0bb81c680a662cfb15ddd9d1a441061e9d746ec722a4cd672c313fb4ee67d9f6
Opcode Fuzzy Hash: f231486b0e6904a909a0279c3af612fda6284ac8f23a4435d1500f0236a0402f
Instruction Fuzzy Hash: 00F23F709021299BDB65CF08CD94BDCBBB6BF84349F1482D9D50DAB356D730AA91CF88

Function 00788F72 Relevance: 2.6, APIs: 1, Instructions: 1329memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000E1,00001000,00000004), ref: 00788F8F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5763fcd6c4f3cd2c6edc9dfd4c6d2779e1d8483ff28c48c47ee8c193ceb68812
Instruction ID: b1bfc2f9dd4fca8134159995ae5b1d45377ebb25217b49321f7a9679d31a7ab3
Opcode Fuzzy Hash: 5763fcd6c4f3cd2c6edc9dfd4c6d2779e1d8483ff28c48c47ee8c193ceb68812
Instruction Fuzzy Hash: A1F22C719012289BDB69CF08CD95BDDBBB5BF44348F1881D9E50DAB346D730AA91CF88

Function 00780972 Relevance: 2.5, APIs: 1, Instructions: 1281memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000BC,00001000,00000004), ref: 0078098F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c0a94b87f156aed99cf6d480110563c6cbe46641c4493229cbd16636153aa47
Instruction ID: 024b244749d2e4740259f4ec524ade803deaf89b4dec13471571bc0acc4c31de
Opcode Fuzzy Hash: 3c0a94b87f156aed99cf6d480110563c6cbe46641c4493229cbd16636153aa47
Instruction Fuzzy Hash: 4DF231709021299BDB64CF08CD94BDDBBB6BF84349F1881D9D50DAB346D730AA91CF88

Function 00796632 Relevance: 2.5, APIs: 1, Instructions: 1272memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0000009E,00001000,00000004), ref: 0079664F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc7cd6a717d9db890970b0587fd6183609e8ca2374658964fe309e5eeae41dc9
Instruction ID: 812c6e58b07d90ddbbaf0b4b88945bfb65488049c828c9dcc08808611c664b99
Opcode Fuzzy Hash: fc7cd6a717d9db890970b0587fd6183609e8ca2374658964fe309e5eeae41dc9
Instruction Fuzzy Hash: 32F231709021289BDB69CF08CD94BDDBBB6BF84349F1481D9D50DAB356D730AA91CF88

Function 0078DEB2 Relevance: 2.5, APIs: 1, Instructions: 1257memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000038,00001000,00000004), ref: 0078DECC

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22c54504594a15ea54e3b305804400b49d886a9f38036a1b150e98cac3ab1f5f
Instruction ID: 132cba3d6ddca75d5a4f9206853a6a90f3d22786c486d9fc7f0c9f63e64f2257
Opcode Fuzzy Hash: 22c54504594a15ea54e3b305804400b49d886a9f38036a1b150e98cac3ab1f5f
Instruction Fuzzy Hash: 7BF23E719012289BDB69CF08CC95BDDBBB5BF44348F1881D9E54DAB346D730AA91CF88

Function 00413010 Relevance: 1.6, APIs: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00413058

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: FreeHeapStartup
String ID:
API String ID: 2645306408-0
Opcode ID: 793fe0e23c926e118c317851a62ca9fc2f271c520f6b2796c1a3be0fbcd07ad0
Instruction ID: 85eaebae8ecb59086afdba9375555a315fe97a6d3168c9436cec4943f927f23a
Opcode Fuzzy Hash: 793fe0e23c926e118c317851a62ca9fc2f271c520f6b2796c1a3be0fbcd07ad0
Instruction Fuzzy Hash: 9E4126729002055ADB10BBF59C067DE77B8AF04329F10467FE525F71C2DB7CAAC886A9

Function 00413569 Relevance: 1.6, APIs: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004135AB

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CrackInternet
String ID:
API String ID: 1381609488-0
Opcode ID: 658dbce22cafce58bf59a8bd09dcdeda872eb88c7ff47981754a46a1ee662e29
Instruction ID: e614fb814403e5dece979d69869864768b2494d54fb3b1e4180828ee4861d7d4
Opcode Fuzzy Hash: 658dbce22cafce58bf59a8bd09dcdeda872eb88c7ff47981754a46a1ee662e29
Instruction Fuzzy Hash: A6415F71D00209EFCB25DFA9D849AAEB7B8EF48708F04846EE115E7351D734AA91CB18

Function 00405192 Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0731132f2c085ddfa4906626f7d310de20feb9acd7983381990d4f9d4327e38d
Instruction ID: 67fdade5f613ffbd55c1bcba6ed67b2f355c1f356c8aa0174c7c74f795b6b543
Opcode Fuzzy Hash: 0731132f2c085ddfa4906626f7d310de20feb9acd7983381990d4f9d4327e38d
Instruction Fuzzy Hash: 8B311931E006099BCB10DFA9C881BAEB7F4EF44315F2444AEE805E7281DB74AA41CF98

Function 00413C2C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000031), ref: 00413C88

Part of subcall function 00405552: ShellExecuteW.SHELL32(00000000,?,?,?,00000000,00413CAA), ref: 00405584

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: EnvironmentExecuteExpandShellStrings
String ID:
API String ID: 3420131149-0
Opcode ID: c51505f62ae0d60d765b208fd1d9be1b0dc86cce8ea40458f69f07a3423c06be
Instruction ID: 7c1f23a69d59edf966e54b30518460001e067b65124b0e8b2901e75b1d68294f
Opcode Fuzzy Hash: c51505f62ae0d60d765b208fd1d9be1b0dc86cce8ea40458f69f07a3423c06be
Instruction Fuzzy Hash: 0C016272900219ABEF10B795DC45FCE737DEB44358F044177BA04F3180D678AA098BA4

Function 00405552 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,?,?,?,00000000,00413CAA), ref: 00405584

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 008b087240dcf4241beb349bef6002c78aa6b1512e1df1ad9dd9a7f0ddd57d53
Instruction ID: d18ec08f8543c4dbb60dbc8c47ccdfc66d3fd6096a5b5cf377363826124ae3c7
Opcode Fuzzy Hash: 008b087240dcf4241beb349bef6002c78aa6b1512e1df1ad9dd9a7f0ddd57d53
Instruction Fuzzy Hash: 98E04F369001187BEF017BD4DC06BCD7769EB48758F008135FE01B71C1D674A65586A5

Function 00404EAB Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,-00000004), ref: 00404EC3

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8de547f49fd63792ecd1c3ec1873396ff74d5ae091e0cf02c82d7f9a26d6e923
Instruction ID: 46188779325abd20179e1254f5e46e5fa802359deee1d993e7d5786f3ad3df08
Opcode Fuzzy Hash: 8de547f49fd63792ecd1c3ec1873396ff74d5ae091e0cf02c82d7f9a26d6e923
Instruction Fuzzy Hash: 6FC08031240208BBFA100B55FC06FE3379CE750619F048071FD0CD9650D731FC504585

Function 00413B6C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00413010: WSAStartup.WS2_32(00000202,?), ref: 00413058

CoInitializeEx.COMBASE(00000000,00000002), ref: 00413B7B

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: InitializeStartup
String ID:
API String ID: 757567358-0
Opcode ID: 5fec628b651680302c66f62c61b06849b678b99d9a90760234df615ded1974c9
Instruction ID: 6401bba1a63e528685dd402c426a869b913f33cdd7edc6ad85fc1aed2aa27d7e
Opcode Fuzzy Hash: 5fec628b651680302c66f62c61b06849b678b99d9a90760234df615ded1974c9
Instruction Fuzzy Hash: 92C08C723C830024F1383BB26C0BF4C0680CB04B2AF30042FF201380C39EAEAD90046E

Function 00413EA0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

Part of subcall function 00413CAF: CreateMutexA.KERNEL32(00000000,00000001,?), ref: 00413CD6
Part of subcall function 00413CAF: ExitProcess.KERNEL32 ref: 00413CEC

ExitProcess.KERNEL32 ref: 00413EB7

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: ExitProcess$CreateMutex
String ID:
API String ID: 876306376-0
Opcode ID: d563ec539f073a063a248b7edb6121168ff304b69d91af3401d83f336c15bb41
Instruction ID: f214b6c546d575785904b22b39ee5774269018132e23d6b5c8a454dc11483360
Opcode Fuzzy Hash: d563ec539f073a063a248b7edb6121168ff304b69d91af3401d83f336c15bb41
Instruction Fuzzy Hash: 39B092A2024A0516E2803BFB9C0F78831481B4072AF54033AFA69641D27E6836A444FF

Function 007A4D80 Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 007A4E0B

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 719d1ed409448da2ad6b142b06b2317d0f302e47669c53cac2345cbf88c1876d
Instruction ID: 69e09e36a2ad8962a7bf792ff95ee88fc6a2152da214f98d7650f507184c0d72
Opcode Fuzzy Hash: 719d1ed409448da2ad6b142b06b2317d0f302e47669c53cac2345cbf88c1876d
Instruction Fuzzy Hash: 8E51CA74A00209EFCB08CF54D495AADBBB1FF89314F248298E9499B341D775EE81CB94

Non-executed Functions

Function 004145B8 Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 559timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E03: wvnsprintfA.SHLWAPI(?,00000040,00000000,?), ref: 00405E21

GlobalMemoryStatusEx.KERNEL32(?,80000004,?,?,?,?,?,?,?), ref: 0041486C
GetSystemMetrics.USER32(00000000), ref: 004148B2
GetSystemMetrics.USER32(00000001), ref: 004148BC
GetComputerNameW.KERNEL32(?,?), ref: 00414909
GetUserNameW.ADVAPI32(?,00000101), ref: 0041491A

Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041498B
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 00414A79
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00414A85
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00414AA0

Part of subcall function 004060C6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00413134,00000000), ref: 004060E8

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041481A

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

%S x%d, xrefs: 004146EC
%s\%s, xrefs: 00414BD5
, xrefs: 00414B3B
l=A, xrefs: 0041499B, 0041499F
%s\%s\%s, xrefs: 004146AC, 0041473A, 00414B70
%s(%S), xrefs: 00414C35
@, xrefs: 00414862

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: System$KeyboardLayoutListMetricsNamewvnsprintf$ByteCharComputerDevicesDisplayEnumFreeGlobalHeapInfoLocalMemoryMultiStatusTimeUserWide
String ID: $%S x%d$%s(%S)$%s\%s$%s\%s\%s$@$l=A
API String ID: 375986244-4245113576
Opcode ID: 9978e68bb9819ef7fd30dcb5c34c97ff33be2dc4cf0c4f32a4b81d9b13fe43eb
Instruction ID: 63ff94530e6feffdfb7e96b5c04adaf04086d6c0553b814bd94c6ab8dbfd29ed
Opcode Fuzzy Hash: 9978e68bb9819ef7fd30dcb5c34c97ff33be2dc4cf0c4f32a4b81d9b13fe43eb
Instruction Fuzzy Hash: DC126472900218ABDF10EBA5DC45BDE7779EB48314F0144BAFA08B7181DB78AF858F94

Function 0040D611 Relevance: 18.3, APIs: 12, Instructions: 327fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040D634
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D668
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D6B3
SetFilePointer.KERNEL32(?,0000000C,00000000,00000000), ref: 0040D6EB
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D6FF
SetFilePointer.KERNEL32(?,00000038,00000000,00000000), ref: 0040D72E
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D742

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: File$Read$Pointer$Create
String ID:
API String ID: 974188869-0
Opcode ID: 8a4ad88e3ab9d38b818211dc3e193142bc454c36bee6eecd4d783f39b308e044
Instruction ID: 84ebc060d0621895f24b80f2e4f6a002ceadae2b21af062f922643ae4e17e730
Opcode Fuzzy Hash: 8a4ad88e3ab9d38b818211dc3e193142bc454c36bee6eecd4d783f39b308e044
Instruction Fuzzy Hash: 83C17E72D00119AFDB14DF94D8809EEBBB9FF88300F14847AE955B7290D735AE45CBA4

Function 004118BB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?), ref: 004119AA
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7), ref: 00411A27
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7), ref: 00411A5A
FindClose.KERNEL32(00000000,?,?,?), ref: 00411ABF
FindNextFileW.KERNEL32(?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?), ref: 00411B3E
FindClose.KERNEL32(?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?,?,?,?,00000000), ref: 00411B4F

Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC

Strings

%s%s, xrefs: 00411A74, 00411B0F
%s\%s\%s\%s, xrefs: 0041191A, 00411A9F
%s%s\, xrefs: 004119EE
%s\%s\%s, xrefs: 00411AF1

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Find$File$CloseFirstNext$wvnsprintf
String ID: %s%s$%s%s\$%s\%s\%s$%s\%s\%s\%s
API String ID: 943964047-654875542
Opcode ID: dd70484e7b8f062de1627af05d2bb0e73b74333fcc5ca2cf95427de7cffbf31e
Instruction ID: ea2d4c6f06bba6889578ba78540cc3033c32bd1741134c71fc68db188b5883d4
Opcode Fuzzy Hash: dd70484e7b8f062de1627af05d2bb0e73b74333fcc5ca2cf95427de7cffbf31e
Instruction Fuzzy Hash: 10614A72900218AADB21EB90DC45EDE777DEB04314F4445B7FA08B3091E738AB898F68

Function 00410ED8 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344comencryptionCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00401000,00000000,00004401,00401010,?), ref: 00410F3A
CoTaskMemFree.COMBASE(?), ref: 00410FEB
CoTaskMemFree.COMBASE(?), ref: 00411002
CredEnumerateW.ADVAPI32(?,00000000,?,?), ref: 00411145
CryptUnprotectData.CRYPT32(004115DF,00000000,0000004A,00000000,00000000,00000000,?), ref: 00411201
LocalFree.KERNEL32(?), ref: 004112B1
CredFree.ADVAPI32(?), ref: 004112C7

Strings

J, xrefs: 004111B6
%s\%s\%s, xrefs: 00411047

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Free$CredTask$CreateCryptDataEnumerateInstanceLocalUnprotect
String ID: %s\%s\%s$J
API String ID: 847491909-3392352968
Opcode ID: cabbff06b2101c33da73da649a489b026c12fe618483aefe325a352881240ba3
Instruction ID: f20f3bdc523f32172019d99ea4a9c5d2acc98d4ba874119d7bf4abe8c2f71e7c
Opcode Fuzzy Hash: cabbff06b2101c33da73da649a489b026c12fe618483aefe325a352881240ba3
Instruction Fuzzy Hash: 57C16E72D00119AFCF10DFA5D881AEEB7B9EF48314F14406BE604B7291DB79AE85CB58

Function 00405836 Relevance: 13.6, APIs: 9, Instructions: 69processCOMMON

Download Yara Rule

APIs

RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 00405849
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 00405869
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040587E
OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 00405896
OpenProcessToken.ADVAPI32(00000000,0000000A,?), ref: 004058A9
CloseHandle.KERNEL32(?), ref: 004058C1
CloseHandle.KERNEL32(00000000), ref: 004058C8
Process32NextW.KERNEL32(00000000,0000022C), ref: 004058DA
CloseHandle.KERNEL32(00000000), ref: 004058E6

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CloseHandle$NextOpenProcessProcess32$AdjustCreatePrivilegeSnapshotTokenToolhelp32
String ID:
API String ID: 4144978764-0
Opcode ID: 288efba21ccabab0d353f82fcd98234522787933f75711a39f8c2e4291eeda84
Instruction ID: 621fd83d4662feb52ae53584e4e942dca7b79aa80e7d553c684b4606091f2438
Opcode Fuzzy Hash: 288efba21ccabab0d353f82fcd98234522787933f75711a39f8c2e4291eeda84
Instruction Fuzzy Hash: 22118E32A41215BBEB206B60AC4DBEF3BB8EB05B54F048076F901E61D0D7789D59DE68

Function 004108E4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 171fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(QRA,?,00000000,00000000,00000000), ref: 0041092E
FindNextFileW.KERNEL32(?,?), ref: 00410B08
FindClose.KERNEL32(?), ref: 00410B19

Strings

QRA, xrefs: 0041092B
%s\%s, xrefs: 004109FD
QRA, xrefs: 00410906, 00410997, 004109CB, 00410AB3
%s\%s\%s, xrefs: 00410AB7

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: %s\%s$%s\%s\%s$QRA$QRA
API String ID: 3541575487-3613279923
Opcode ID: 0673e515e73f1fe6bb11bff91bb11307f776c28c320290fa16475a6bbf37cf96
Instruction ID: bf7924639df49b3f9cf932feb5dce01370ee5a3f54a8194052eeded70ea7b8fc
Opcode Fuzzy Hash: 0673e515e73f1fe6bb11bff91bb11307f776c28c320290fa16475a6bbf37cf96
Instruction Fuzzy Hash: 6851B37290021AABDF24EF50C8459EEB775EF54354F10406AEA04772D1D778AEC58B98

Function 00405750 Relevance: 9.1, APIs: 6, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(000000FF,00000003(TokenIntegrityLevel),00000000,00000000,?,00000000), ref: 00405768
GetTokenInformation.ADVAPI32(000000FF,00000003(TokenIntegrityLevel),00000000,?,?,00000000), ref: 004057A5
DuplicateTokenEx.ADVAPI32(000000FF,00000024,00000000,00000002,00000002,000000FF,00000000), ref: 004057D4
AdjustTokenPrivileges.ADVAPI32(000000FF,00000000,00000000,00000000,00000000,00000000), ref: 004057F3
NtSetInformationThread.NTDLL(000000FE,00000005,000000FF,00000004), ref: 00405803
CloseHandle.KERNEL32(000000FF), ref: 0040580F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Token$Information$AdjustCloseDuplicateHandlePrivilegesThread
String ID:
API String ID: 611535677-0
Opcode ID: b9e9d181e24312ca3cdbdf2eca6f523f2d8d4b095f2b28e937357d39b6af328c
Instruction ID: 227ccfd11fb12c717d30c07917c2268877481373599fd8ad21870a49e25d02be
Opcode Fuzzy Hash: b9e9d181e24312ca3cdbdf2eca6f523f2d8d4b095f2b28e937357d39b6af328c
Instruction Fuzzy Hash: C4212C72900609BFEB20AFA1DC89E9B7B7DEB44754F10843AFA05A5190D7349E90DB94

Function 004058F2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,0041551C,00000000), ref: 00405903
GetTokenInformation.ADVAPI32(0041551C,0000000A(TokenIntegrityLevel),?,00000038,?), ref: 00405920
NtCreateToken.NTDLL(0041551C,000F01FF,0041803C,00000002,?,?,?,00418024,?,00000000,?,0041A800,User32 ), ref: 0040599A
CloseHandle.KERNEL32(0041551C), ref: 004059A5

Strings

User32 , xrefs: 0040592F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Token$CloseCreateHandleInformationOpenProcess
String ID: User32
API String ID: 791112728-31512923
Opcode ID: 8b4807e47cd7d9c0ab678ae9e597a5b8f2ae17fa3ec1aff7756dee87ef57a2b3
Instruction ID: 449fceeca6f02f62c474ee06d4cec9e5ea51b23d83900698e46271b5417625ee
Opcode Fuzzy Hash: 8b4807e47cd7d9c0ab678ae9e597a5b8f2ae17fa3ec1aff7756dee87ef57a2b3
Instruction Fuzzy Hash: DF212C75D4020DBEEB01CF94DC45AEEBBBDEB48700F10412AFA10F6290D7B45A49CB65

Function 007A50C4 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007A54D9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007A54EE
UnhandledExceptionFilter.KERNEL32(007AA180), ref: 007A54F9
GetCurrentProcess.KERNEL32(C0000409), ref: 007A5515
TerminateProcess.KERNEL32(00000000), ref: 007A551C

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 239cc5bb6e247c8b1f3cce5c7a26aa655069520aed34f52955300488d9cf4947
Instruction ID: 18b5e9626fba571128c3c30d75ea272174d823823029d75777a691923218220b
Opcode Fuzzy Hash: 239cc5bb6e247c8b1f3cce5c7a26aa655069520aed34f52955300488d9cf4947
Instruction Fuzzy Hash: 3D21D4B4410204EFD761DF68E9446593BA0FB8A321F80C119E50A93A60EBBC5D85CF2E

Function 00407656 Relevance: 6.1, APIs: 4, Instructions: 104memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(004010C4,00000000,00004401,004010D4,00000000), ref: 00407688
SysAllocString.OLEAUT32(?), ref: 004076BD
SysAllocString.OLEAUT32(00413DD7), ref: 004076E4
VariantClear.OLEAUT32(?), ref: 0040774D

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: AllocString$ClearCreateInstanceVariant
String ID:
API String ID: 1533990153-0
Opcode ID: 21ae9dc6ccabbf0237440588804318c15eb7717ecb859a93fa846122d7a12a7d
Instruction ID: d989e8f11c9b4fc0ee7ab9285f716e1cb7648385bfeb727a4384310e233b5fb2
Opcode Fuzzy Hash: 21ae9dc6ccabbf0237440588804318c15eb7717ecb859a93fa846122d7a12a7d
Instruction Fuzzy Hash: C0313875E00208AFCF00EFE4C8899DEBB79EF49314F1044AAE901FB290DB75AA458B54

Function 00410D22 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 004059B0: RegOpenKeyExW.ADVAPI32(80000002,00000001,00000000,00000001,00000000,?,?,?), ref: 004059DB
Part of subcall function 004059B0: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 004059F4
Part of subcall function 004059B0: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 00405A1E
Part of subcall function 004059B0: RegCloseKey.ADVAPI32(00000000), ref: 00405A33

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00410DF9
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00410EC4

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

%S\%S\%s, xrefs: 00410D8F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: FreeQueryValue$CloseCryptDataHeapLocalOpenUnprotect
String ID: %S\%S\%s
API String ID: 1170349874-688238448
Opcode ID: 23367135cf618639a9a6bbe0c38b83fb558316127c41b7a8f9599740e9569a74
Instruction ID: 61974f6221aaa33da51fb8b4332ca456937d8993f373d9cc068e8b2d38f05129
Opcode Fuzzy Hash: 23367135cf618639a9a6bbe0c38b83fb558316127c41b7a8f9599740e9569a74
Instruction Fuzzy Hash: 4D517D72D00218AFCF10EBA5DC45EEEBBB9EF48314F14446AF905B7251D778AA84CB94

Function 00404CE1 Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00415460,00000000,00000104), ref: 00404D1F
FindNextFileW.KERNEL32(00000031,?), ref: 00404DF8
FindClose.KERNEL32(00000031), ref: 00404E09

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9d64c5089cf14b4a96ce550f7ce1266c8fa2eb8d575155b75a5d0b30425f4508
Instruction ID: 3ee7f45571ec2e728f2d45caa32b95f4a36e807a3dbe421b590e3191cc866bd4
Opcode Fuzzy Hash: 9d64c5089cf14b4a96ce550f7ce1266c8fa2eb8d575155b75a5d0b30425f4508
Instruction Fuzzy Hash: E131A37240015AABDF219F61DD45BEF7778AF80314F14007AFE00B21E1DB389EA58B98

Function 007A4B40 Relevance: 3.1, APIs: 2, Instructions: 117libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 007A4BAD

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: db61b9b9f382132f461e048fe4f0cf894bc94ff5cbe9208f56b214efccfd4e23
Instruction ID: 0499112fb87adadc1840ab0f4fe0e7ecc1b63a423e09ac322512921c4978a43a
Opcode Fuzzy Hash: db61b9b9f382132f461e048fe4f0cf894bc94ff5cbe9208f56b214efccfd4e23
Instruction Fuzzy Hash: 835184B4D01209DFCB04CF98C884BADBBB2FF89314F248659D815AB355D775AA81CF94

Function 00411FC7 Relevance: 3.1, APIs: 2, Instructions: 97encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00412074
LocalFree.KERNEL32(?,?,?,004121DC,00000000,?,?), ref: 00412096

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 38d28ae3e0e395046ee51ea414fa60c357db4448f3fa60973f9418c10d68782e
Instruction ID: d40dfb0f535090772b9fe0eae1febc21ddc0b2eafc90de01a658c335882751cd
Opcode Fuzzy Hash: 38d28ae3e0e395046ee51ea414fa60c357db4448f3fa60973f9418c10d68782e
Instruction Fuzzy Hash: 1731E775800189AEDF258F7886446DFBFB6EB4E744F00411BDA51E2216C3B99AD3CB1E

Function 00404911 Relevance: 3.0, APIs: 2, Instructions: 41encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,00411D31), ref: 00404933
LocalFree.KERNEL32(00000001,00403AEC,?,?,00411D31,00000001,?,?,?,?,?,?,?,?,00000000,00000104), ref: 00404960

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: daddabe56ba01ab0a22bf5a4db6c56f94cdad8289dcfc64dffa5827e9870c4fd
Instruction ID: eff705749294552a49cb4206b8a8151450b07a935f9774916d4ace2d366a322e
Opcode Fuzzy Hash: daddabe56ba01ab0a22bf5a4db6c56f94cdad8289dcfc64dffa5827e9870c4fd
Instruction Fuzzy Hash: 51F014B1900209BFDF109FA9CC85CEFBBBDEB85344B10447AF941A3250D3719E809B64

Function 0040A856 Relevance: 2.7, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

I@, xrefs: 0040A861, 0040AA50
I@, xrefs: 0040AA55

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID: I@$I@
API String ID: 0-1008241598
Opcode ID: 9cec92ef4e791106ecc81ca5f9fd656491a685019501de78ba6063891f0cc789
Instruction ID: aa87177d6922c40db767e09e7f7300f8604da9cde321312a12b3189cf78b8dcd
Opcode Fuzzy Hash: 9cec92ef4e791106ecc81ca5f9fd656491a685019501de78ba6063891f0cc789
Instruction Fuzzy Hash: D881DF71D081A59FDB1DCF6D84904ADFFF1AE9A240748C29ED8A5AB387C2389514CFB1

Function 007A4F20 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 007A4FB4
CloseHandle.KERNEL32(00000000), ref: 007A4FC4

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0918ba0efda8a7d5d509f8b693bcf2007239f4c3fa7ac6d29940f89961ebd616
Instruction ID: 609a045c782a2321b6ee6935b76d78a2d1b0faec7dd8b78a52baa914e08193e7
Opcode Fuzzy Hash: 0918ba0efda8a7d5d509f8b693bcf2007239f4c3fa7ac6d29940f89961ebd616
Instruction Fuzzy Hash: 2921C574A00208EFCB04CF54C498AA9BBB1FB89304F24D699E8095B351C3B9EE85CF81

Function 00416E8E Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 00416EAB

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3cf1fedbdff5723513f479be4ed969bcb2ac4b1f9bb60681a2d7a451bed1a486
Instruction ID: cc9333183fa8c00dccd2b6004e22b404908c773762507ea227cbcdaa759150bb
Opcode Fuzzy Hash: 3cf1fedbdff5723513f479be4ed969bcb2ac4b1f9bb60681a2d7a451bed1a486
Instruction Fuzzy Hash: 6521D8709452188ECF38CD60A8463EE7375572230EF2654BFE28596200DA3CEAC78B5B

Function 00406418 Relevance: 1.5, APIs: 1, Instructions: 15timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 00406428

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 94fb4f433fb7da04c7912a50c4e658d83ca068ef18c375c02743d519853954a0
Instruction ID: 9d2192f2e320e058be2c2fda52b9328630a0c2766cdf8855c04a576f05d35507
Opcode Fuzzy Hash: 94fb4f433fb7da04c7912a50c4e658d83ca068ef18c375c02743d519853954a0
Instruction Fuzzy Hash: A7D0A776A00314EFDB10AF58EC05F44B7F85B05210F0181AAB5D5C31C0D670A5804F66

Function 00416E6D Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(80000004,0000005A,?,00000010,?,00414AE1,?,?,80000004,?), ref: 00416E86

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 492bb2610ae7a41e0d722d4a2fa9f85706a9627eede23f664937886feea1bbda
Instruction ID: 012795880ae3241001a3ff6f5d3db474ef08a8b0ec5b54ed7dba30c2656240b6
Opcode Fuzzy Hash: 492bb2610ae7a41e0d722d4a2fa9f85706a9627eede23f664937886feea1bbda
Instruction Fuzzy Hash: 06D0C93214420CBAEF111A41EC06F893B65EB09721F108025F618180E19AB36960AA88

Function 007A5B09 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00035AC7), ref: 007A5B0E

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf0380885927d80152fafb068e2e38a1448bd77a53e2b0c2640bfec31c28d5a3
Instruction ID: 52cbd6ad20da741451a9a5655261218dc6c3373671ffda77b0962f78cb40da5d
Opcode Fuzzy Hash: cf0380885927d80152fafb068e2e38a1448bd77a53e2b0c2640bfec31c28d5a3
Instruction Fuzzy Hash: 7F9002A0761A009A874227B05C498066AA05ACA702746C6547005D4154EB6840049A26

Function 0040A2A0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

UUUU, xrefs: 0040A32A

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 47e17f6eb2f6ed35542de6a4c203a3b3d24fb82f53f471f5337a6533c5149852
Instruction ID: 8ce0b6fa30e06822d17ffbceaa72673f25687c9f49871aa502c7412ad644dc10
Opcode Fuzzy Hash: 47e17f6eb2f6ed35542de6a4c203a3b3d24fb82f53f471f5337a6533c5149852
Instruction Fuzzy Hash: CB51A333F205240BE75C866D8C2A76D3AD287C4354F1E4279E956E72D2D8BCDE12D394

Function 00408406 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

FH@, xrefs: 004084DE, 00408535, 004085B6

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID: FH@
API String ID: 0-3307908349
Opcode ID: eba58216cf352b7931a6f12906384ae6f21cbea08298cad6a557a78378606dc1
Instruction ID: 5d692aa64f1d02948a3fba6f80e0249745d5ed7c23a60299a5f2d1b3268d9ccc
Opcode Fuzzy Hash: eba58216cf352b7931a6f12906384ae6f21cbea08298cad6a557a78378606dc1
Instruction Fuzzy Hash: 7F617F70E0066A9EDB15CFAEC8906AEFFF1FF89301F14816AD555E3241D678A601CFA0

Function 0040A759 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

UUUU, xrefs: 0040A7B5

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: fe74a95da04a3da5957119185af521d6831f355d274b42a1a7b6e0e1e4b16eb0
Instruction ID: 1b809dd5407cdfa181b2f36f59f0f85b0af94b7e88463b934ea3cc36f223f438
Opcode Fuzzy Hash: fe74a95da04a3da5957119185af521d6831f355d274b42a1a7b6e0e1e4b16eb0
Instruction Fuzzy Hash: 21212C323745150BF79CE93D8C0776B62D2DBC8264B18CA3AAA66C72C1DC7CE9138285

Function 00405108 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

gR@, xrefs: 00405185

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID: gR@
API String ID: 0-1284012785
Opcode ID: 1bf41191eea62a3d51b1ebc75e6daf2de291ca19e34a7d679d4947561c48509c
Instruction ID: 70ef8581f865f0112264750e87cdc896a5a700d15b24c2966dd795d3664bc740
Opcode Fuzzy Hash: 1bf41191eea62a3d51b1ebc75e6daf2de291ca19e34a7d679d4947561c48509c
Instruction Fuzzy Hash: 0A119131A10A04EFCB21DF69C880BABB3F5EF44354B14487AD846E7251E734AE40CB84

Function 00407CEF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289f2053dfa9c8ca239bfff4ed5d862ef5a3f26f2a123b0f2921e60597c983e9
Instruction ID: 6f7324b15eca2b7b96dab9f736eed971c045b4517cab1c08fd2209b19b6e3684
Opcode Fuzzy Hash: 289f2053dfa9c8ca239bfff4ed5d862ef5a3f26f2a123b0f2921e60597c983e9
Instruction Fuzzy Hash: 1FF18832A146959FD740CFAEDCD0489BBF3EFC920175EC6A8C6545B366C2347A12CBA4

Function 004040BB Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b310c85ba78bd130b6d947e25122e94d9fd7f65a3e45bbfc28b2ae52817406
Instruction ID: 806ef46059b39e71137c6a37a0d5405ef7dec956314bec1b2ce83c269c788100
Opcode Fuzzy Hash: a7b310c85ba78bd130b6d947e25122e94d9fd7f65a3e45bbfc28b2ae52817406
Instruction Fuzzy Hash: 83D172B1E1020A9FDB54DFA9D481ADDBBF0BF0D314F10456AE518FB281E775AA808B54

Function 0040A4D4 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f8a48aecfb97492cb446f1ed1ed734e4917f1bc2179caba97a06dca3b7bf3e
Instruction ID: ec769a8d708e545d2d17ded63e2c92bfaf155a030af962b35be15012192d49a3
Opcode Fuzzy Hash: 66f8a48aecfb97492cb446f1ed1ed734e4917f1bc2179caba97a06dca3b7bf3e
Instruction Fuzzy Hash: 6A71A276B503019BCB08DFEAF9D291A7361EB58340F49817AEE026B2B1D6747B21CB45

Function 00407AA0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6aeb10b79cc9689488747f47cd5120282e3b2ecb0f1b3d475f73ce1d6f941e8
Instruction ID: c52894c21cce98a5b3e3be7a8c82c8448c5d44fd66a7b6e0b5206e9568c8f8a0
Opcode Fuzzy Hash: e6aeb10b79cc9689488747f47cd5120282e3b2ecb0f1b3d475f73ce1d6f941e8
Instruction Fuzzy Hash: 2C61643160C5A04ED71CCF2A84BD475FBE2AFC920134E82EFD49B4F2A2C6389565DB65

Function 0040821E Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceb65251ef5f374cc1676978594b672cbf917856a3a8c51848abcda614c3d36
Instruction ID: 99e0d7b0a9de723bba338dea900c8a8687d99cdd99ccb4afe0071543674cb564
Opcode Fuzzy Hash: 5ceb65251ef5f374cc1676978594b672cbf917856a3a8c51848abcda614c3d36
Instruction Fuzzy Hash: 2F61BC71E0464A9BD715CFA9C0C06EEFBF1EF99300F54C1ADC989A7346C274A959CBA0

Function 0040881D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb87ecb3a1000084d9293c3e741e807016fcaee7161e8a27ba20a818466f514b
Instruction ID: 777ffbebf7581f0ae84988816b3b3784bbe2ec13b3104a3b9d140de91e986b4e
Opcode Fuzzy Hash: fb87ecb3a1000084d9293c3e741e807016fcaee7161e8a27ba20a818466f514b
Instruction Fuzzy Hash: A6419522F051895FDB098AAD98516EEBF719F96310F4940AEE481FB383C974DA09C7E1

Function 0040795E Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660f38a9e7a8f2821e6550479c5de09e585330eaaeef16a5887133e29895604e
Instruction ID: d8afc9364d1788d87b36511f3b298ec2c8d48509b9e0938bb4da120c49f6a260
Opcode Fuzzy Hash: 660f38a9e7a8f2821e6550479c5de09e585330eaaeef16a5887133e29895604e
Instruction Fuzzy Hash: 6F31D4B37605201BE70C9E7DDCA23EA66C1E789318F46463DC997D72D0D26C994686C8

Function 00403DFA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49da9b4152dcc3c3c9f53b880ea02307f24100b3f3ace170fc16e5d65d613d31
Instruction ID: e4598f198c1ebe2c8d5ed442411fc326abb90028f457679b4f86855f8050cae0
Opcode Fuzzy Hash: 49da9b4152dcc3c3c9f53b880ea02307f24100b3f3ace170fc16e5d65d613d31
Instruction Fuzzy Hash: 262181322314109BC748DF3DEC9968A37E2E38935871AC63DD51AD72A0EF38E402CB48

Function 00415B50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a0c9c23e36e7928c497b593758381672b939dfc3bcbd3f81601b2ea83f3f8c
Instruction ID: 8a4452ef7110f5f205f0f63f16211c95a03bb306aef0532b39cacefe1c6f7b48
Opcode Fuzzy Hash: f8a0c9c23e36e7928c497b593758381672b939dfc3bcbd3f81601b2ea83f3f8c
Instruction Fuzzy Hash: E201A477F2052416F74C98BACC5136AA1479BC4261F1EC6399E69D72C9CCB4CC1142D0

Function 007A4960 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Function 004075F1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Function 00407605 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92737c4d31cfb72025dec89eae0fb42358f12c3dfe317aacb3237dbb5ec58c0
Instruction ID: d8bc9acd7da5fb0c73b53ea44bd5ea9bf3d426c042c7258b91cd9e99573d7f24
Opcode Fuzzy Hash: c92737c4d31cfb72025dec89eae0fb42358f12c3dfe317aacb3237dbb5ec58c0
Instruction Fuzzy Hash: E9C00839661940CFCA55CF08C194E00B3F4FB59760B068491E905CB732C234ED40DA40

Function 00407621 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940

Function 007A6615 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,007A5331), ref: 007A661D
__mtterm.LIBCMT ref: 007A6629

Part of subcall function 007A6362: DecodePointer.KERNEL32(00000004,007A678B,?,007A5331), ref: 007A6373
Part of subcall function 007A6362: TlsFree.KERNEL32(00000002,007A678B,?,007A5331), ref: 007A638D
Part of subcall function 007A6362: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,007A678B,?,007A5331), ref: 007A6C23
Part of subcall function 007A6362: _free.LIBCMT ref: 007A6C26
Part of subcall function 007A6362: DeleteCriticalSection.KERNEL32(00000002,76EF5810,?,007A678B,?,007A5331), ref: 007A6C4D

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007A663F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007A664C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007A6659
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007A6666
TlsAlloc.KERNEL32(?,007A5331), ref: 007A66B6
TlsSetValue.KERNEL32(00000000,?,007A5331), ref: 007A66D1
__init_pointers.LIBCMT ref: 007A66DB
EncodePointer.KERNEL32(?,007A5331), ref: 007A66EC
EncodePointer.KERNEL32(?,007A5331), ref: 007A66F9
EncodePointer.KERNEL32(?,007A5331), ref: 007A6706
EncodePointer.KERNEL32(?,007A5331), ref: 007A6713
DecodePointer.KERNEL32(007A64E6,?,007A5331), ref: 007A6734
__calloc_crt.LIBCMT ref: 007A6749
DecodePointer.KERNEL32(00000000,?,007A5331), ref: 007A6763
GetCurrentThreadId.KERNEL32 ref: 007A6775

Strings

FlsAlloc, xrefs: 007A6639
FlsGetValue, xrefs: 007A6641
KERNEL32.DLL, xrefs: 007A6618
FlsSetValue, xrefs: 007A664E
FlsFree, xrefs: 007A665B

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 814aa18a6c8fef730e53cf24bb78f6f86b7ca81c8605b44ba1845c6885a8da56
Instruction ID: fbddf77bf767cb1a0270eddca731c5901e26842e4bd404519163d3cafe3cf770
Opcode Fuzzy Hash: 814aa18a6c8fef730e53cf24bb78f6f86b7ca81c8605b44ba1845c6885a8da56
Instruction Fuzzy Hash: 19314371940310EBDB21AF74AD0CA1A3FA4EBE7760B19CB16E410931B0E77D9841CF5A

Function 00771012 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 73windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F00), ref: 0077103B
LoadCursorW.USER32(00000000,00007F00), ref: 0077104B
GetStockObject.GDI32(00000000), ref: 00771056
RegisterClassW.USER32(00000003), ref: 00771071
MessageBoxW.USER32(00000000,ghfgfngfnfgng4356345,ghk445fdg,00000010), ref: 0077108C
CreateWindowExW.USER32(00000000,ghk445fdg,hjgk,hgj456,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007710C5
ShowWindow.USER32(?,00000000), ref: 007710D4
UpdateWindow.USER32(?), ref: 007710DE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007710EE
TranslateMessage.USER32(?), ref: 007710FC
DispatchMessageW.USER32(?), ref: 00771106

Strings

ghk445fdg, xrefs: 00771066, 00771080, 007710BE
hjgk,hgj456, xrefs: 007710B9
ghfgfngfnfgng4356345, xrefs: 00771085

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: Message$Window$Load$ClassCreateCursorDispatchIconObjectRegisterShowStockTranslateUpdate
String ID: ghfgfngfnfgng4356345$ghk445fdg$hjgk,hgj456
API String ID: 2734574773-3954598336
Opcode ID: 5cada1a3ba475c714c27c5260af52c3b75f6cadbe001525e951d910ff2189cae
Instruction ID: e34ce5f6339e24239c35d254c0e216dd7b9a8a947514402fb0197f8d5fdec988
Opcode Fuzzy Hash: 5cada1a3ba475c714c27c5260af52c3b75f6cadbe001525e951d910ff2189cae
Instruction Fuzzy Hash: 5321EDB4A4430CFBEB548FA0DC59FAD7BB4EB89701F208114F605BA2C0D7B9A544CB69

Function 004158F7 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000001), ref: 00415918
GetMonitorInfoW.USER32(?,?), ref: 0041597F
CreateCompatibleDC.GDI32(?), ref: 0041599C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004159AA
SelectObject.GDI32(?,00000000), ref: 004159B7
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 004159D4
GetCursorInfo.USER32(?), ref: 004159E5
GetIconInfo.USER32(?,?), ref: 004159F2
DrawIcon.USER32(?,?,?,?), ref: 00415A0C

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

DeleteObject.GDI32(?), ref: 00415ABD
DeleteDC.GDI32(?), ref: 00415AC6

Strings

(, xrefs: 00415978

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Info$CompatibleCreateDeleteIconMonitorObject$BitmapCursorDrawFreeFromHeapPointSelect
String ID: (
API String ID: 265149036-3887548279
Opcode ID: 960edca231de8e156615f46315c9ec6b5a0806d22cdf4613aaf9fa20cff76dd2
Instruction ID: 977c3bf0a044a8a20248cdf5c9f61e8bce22bd1014bcf420fbffb512a4ba3380
Opcode Fuzzy Hash: 960edca231de8e156615f46315c9ec6b5a0806d22cdf4613aaf9fa20cff76dd2
Instruction Fuzzy Hash: 19510472900109EFDF10AFA4DD48ADEBB79FF48354F10806AF905B6160DB35AE45DBA8

Function 0041538E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 246registryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004153C6

Part of subcall function 00405721: SHGetFolderPathW.SHELL32(00000000,004153DA,00000000,00000000,?,?,004153DA,?,0000001A), ref: 00405748

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,000F003F,00413DD7), ref: 00415417

Part of subcall function 00405662: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000031,00000000), ref: 0040568B
Part of subcall function 00405662: Process32NextW.KERNEL32(00000000,0000022C), ref: 004056B7

RegCloseKey.ADVAPI32(00413DD7), ref: 0041546A
SHGetFolderPathW.SHELL32(00000000,0000001A,?,00000000,?), ref: 00415533
SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 00415547
SHGetFolderPathW.SHELL32(00000000,00000021,?,00000000,?), ref: 0041555B
SHGetFolderPathW.SHELL32(00000000,00000005,?,00000000,?), ref: 0041556F
CloseHandle.KERNEL32(?), ref: 0041564C

Strings

p, xrefs: 00415417

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: FolderPath$Close$CreateHandleNameNextOpenProcess32SnapshotToolhelp32User
String ID: p
API String ID: 3969033429-2181537457
Opcode ID: 924a323fa76a1090de7a96ea6f10674524437ed1f40757f51c06702636f56135
Instruction ID: 7a52210d9c567d5fd2296ea13022ca8b3bd9af4c8aad6b8387a35ee1e3cfdfc0
Opcode Fuzzy Hash: 924a323fa76a1090de7a96ea6f10674524437ed1f40757f51c06702636f56135
Instruction Fuzzy Hash: 66914872900519EBDF21DFD0CC85EEEBBB8FB89304F1041AAE605A2190DB759A858F58

Function 007A639F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,007ABBF0,00000008,007A64A7,00000000,00000000,?,?,007A556B,007A5196,?,?,007A445D,?), ref: 007A63B0
__lock.LIBCMT ref: 007A63E4

Part of subcall function 007A6D36: __mtinitlocknum.LIBCMT ref: 007A6D4C
Part of subcall function 007A6D36: __amsg_exit.LIBCMT ref: 007A6D58
Part of subcall function 007A6D36: EnterCriticalSection.KERNEL32(]Dz,]Dz,?,007A63E9,0000000D), ref: 007A6D60

InterlockedIncrement.KERNEL32(007AD320), ref: 007A63F1
__lock.LIBCMT ref: 007A6405
___addlocaleref.LIBCMT ref: 007A6423

Strings

]Dz, xrefs: 007A63B6
KERNEL32.DLL, xrefs: 007A63AB

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$]Dz
API String ID: 637971194-3240989328
Opcode ID: abdc8df70c2647b0777e55f8b559ad2ff6c046c353a265a340970a34cec5229c
Instruction ID: f49e9c0f3754d3f823320086cd40013f7190b0d59c6ebfb9a4fd6e560ce942b1
Opcode Fuzzy Hash: abdc8df70c2647b0777e55f8b559ad2ff6c046c353a265a340970a34cec5229c
Instruction Fuzzy Hash: 1A018471544700EFD7209F75D80A749BBE0BF86324F108A0DE496577A1DBBCAA44CB16

Function 00405662 Relevance: 12.1, APIs: 8, Instructions: 63processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000031,00000000), ref: 0040568B
Process32NextW.KERNEL32(00000000,0000022C), ref: 004056B7
OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 004056D0
OpenProcessToken.ADVAPI32(00000000,?,0000001A), ref: 004056E4
DuplicateTokenEx.ADVAPI32(0000001A,?,00000000,00000002,00000001,0041A7F8), ref: 004056FA
CloseHandle.KERNEL32(0000001A), ref: 00405703
CloseHandle.KERNEL32(00000000), ref: 0040570A
CloseHandle.KERNEL32(00000000), ref: 00405711

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CloseHandle$OpenProcessToken$CreateDuplicateNextProcess32SnapshotToolhelp32
String ID:
API String ID: 3292448913-0
Opcode ID: a2706c85aca0541312226067f5d2733b4dfed527a6ba5c4ceb9f6ef4114542b9
Instruction ID: d1fd8e19b9ea3247be9f77e8ce275ec634d9c5db201f2df05c7f63bf9e51eaf8
Opcode Fuzzy Hash: a2706c85aca0541312226067f5d2733b4dfed527a6ba5c4ceb9f6ef4114542b9
Instruction Fuzzy Hash: 99119032900515FBDB116BA4DC8DEDB7BB8EB48351F104176F621A20A1D7354A81DF6D

Function 004131BB Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 202networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC

gethostbyname.WS2_32(?), ref: 004133C6
DnsQuery_A.DNSAPI(?,00000001,00000002,?,00000000,00000000), ref: 004133F0
inet_ntoa.WS2_32(?), ref: 0041342E
DnsFree.DNSAPI(00000000,00000001), ref: 00413449

Strings

link, xrefs: 0041324B
pro, xrefs: 00413259

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: FreeQuery_gethostbynameinet_ntoawvnsprintf
String ID: link$pro
API String ID: 3295049255-2616294489
Opcode ID: 045e133d47ac88580c665aacfaf8e3db3c41d6694abbf577b760372e7ea348a6
Instruction ID: 7d109828660f677fbe1903f41f5432d556e214821793483ce54f1a277a5bc00b
Opcode Fuzzy Hash: 045e133d47ac88580c665aacfaf8e3db3c41d6694abbf577b760372e7ea348a6
Instruction Fuzzy Hash: 5C717272D00118ABDB21EFA5CC45ADFBBB9EF44305F0081B6EA05B7141D7786B498F98

Function 0040FD2B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE20
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE49
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE6E
GetPrivateProfileStringW.KERNEL32(?,00000000,00000000,?,0000FFFF,?), ref: 0040FEEB

Strings

, xrefs: 0040FDA7
, xrefs: 0040FD8C

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: PrivateProfileString
String ID: $
API String ID: 1096422788-227171996
Opcode ID: 96352c368fbae6d2e604c92080f5f374570bf7a16415aa76f73c6bb17155fea8
Instruction ID: 4bcdd06559af57f3a18aa75212f78c00efbe9c848d9a626a581925e0767f4e7f
Opcode Fuzzy Hash: 96352c368fbae6d2e604c92080f5f374570bf7a16415aa76f73c6bb17155fea8
Instruction Fuzzy Hash: 1E512D72901119AAEF20EBE0DC45EEEB37DEF04314F14447BBA05F3591E778AA498B54

Function 0040B7D2 Relevance: 10.6, APIs: 7, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040B7FC
CopyFileW.KERNEL32(?,?,00000000), ref: 0040B82C
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040B849
GetFileSize.KERNEL32(?,00000000), ref: 0040B85B
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 0040B885
CloseHandle.KERNEL32(?), ref: 0040B8B9
DeleteFileW.KERNEL32(?), ref: 0040B8DA

Part of subcall function 00404C33: GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 00404C4A

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: File$Create$CloseCopyDeleteHandlePathReadSizeTemp
String ID:
API String ID: 2441216986-0
Opcode ID: 5cde616fb5c3efed58da4bb7fb09baae2c060ff0f539486901b99e14cd691bdc
Instruction ID: 7c42100144d45914e9297fa56b25ebb1347f1c04ecc592c3643096512dc84bbf
Opcode Fuzzy Hash: 5cde616fb5c3efed58da4bb7fb09baae2c060ff0f539486901b99e14cd691bdc
Instruction Fuzzy Hash: 9231707294421D7EEB10AFA59C88EDE7B7CEB54314F0080B6F914A72E0D7359E458B68

Function 00405595 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000035,?,?,?,?,00413A65,?,00000035,?), ref: 004055A5
GetTokenInformation.ADVAPI32(00000035,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,00413A65,?,00000035,?), ref: 004055BE
GetTokenInformation.ADVAPI32(00000035,00000019(TokenIntegrityLevel),00000000,?,?,00000035,?,?,?,?,00413A65,?,00000035,?), ref: 004055F3
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,00413A65,?,00000035,?), ref: 004055FF
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,00413A65,?,00000035,?), ref: 0040560C
CloseHandle.KERNEL32(00000035,?,?,?,?,00413A65,?,00000035,?), ref: 00405657

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Token$AuthorityInformation$CloseCountHandleOpenProcess
String ID:
API String ID: 2447973151-0
Opcode ID: 8e5a2c07dcb05d72aa895c2322314f2ed1911261ab06a30e74bfad54bc2c1be2
Instruction ID: efd7c50f993448333591d6de82e587b9959ddcf8b0942f83b87ffec69861eda7
Opcode Fuzzy Hash: 8e5a2c07dcb05d72aa895c2322314f2ed1911261ab06a30e74bfad54bc2c1be2
Instruction Fuzzy Hash: BA219D70541504BEFF216B90DC88AEF7B6AEB12350F640877F505F22E0D63A9E819E1D

Function 00404B10 Relevance: 9.1, APIs: 6, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B27
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040EE99,?), ref: 00404B3A
CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B65
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B78
CloseHandle.KERNEL32(?,?,?,?,?,0040EE99,?), ref: 00404B87
CloseHandle.KERNEL32(?,?,?,?,?,0040EE99,?), ref: 00404B90

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: File$CloseCreateHandle$MappingSizeView
String ID:
API String ID: 2246244431-0
Opcode ID: 5f155232a6646b183a63d33a187dcf7d7451c11ffa5c6e8337a98a603e46b336
Instruction ID: a5cce8ab798561b9d34a8d8371e3b839bcf71193e68395df42d84d91d4c577ad
Opcode Fuzzy Hash: 5f155232a6646b183a63d33a187dcf7d7451c11ffa5c6e8337a98a603e46b336
Instruction Fuzzy Hash: 4F115EB0140645BEDB315F62CC4DE5BBFBDEBD5B20B10892EF556A22E0D270A880CA24

Function 007A799B Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 007A79A7

Part of subcall function 007A64CC: __getptd_noexit.LIBCMT ref: 007A64CF
Part of subcall function 007A64CC: __amsg_exit.LIBCMT ref: 007A64DC

__amsg_exit.LIBCMT ref: 007A79C7
__lock.LIBCMT ref: 007A79D7
InterlockedDecrement.KERNEL32(?), ref: 007A79F4
_free.LIBCMT ref: 007A7A07
InterlockedIncrement.KERNEL32(03211660), ref: 007A7A1F

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 2ee706187f3e899d3ed0e159b92ea3223b33c052d765eeb2f576ca54bb3119f5
Instruction ID: b16279dd9bdb553f1490d6e45083c96aefc685467326c24904a4d9d133bb9180
Opcode Fuzzy Hash: 2ee706187f3e899d3ed0e159b92ea3223b33c052d765eeb2f576ca54bb3119f5
Instruction Fuzzy Hash: 4E01C432905611EBDB29AF689809B5E73A0BBC7720F048315E41067691EB3C6D41CFD5

Function 00410397 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionNamesW.KERNEL32(?,0000FFFF,?), ref: 0041048E
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 004104CE
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 004104F1
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00410514

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

;MA, xrefs: 00410402, 00410416

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: PrivateProfile$String$FreeHeapNamesSection
String ID: ;MA
API String ID: 2696703033-2473825069
Opcode ID: d62af84dadb8aeb0cd767306cd763f2b7af0cc5cd4c31ce0c62e74ab7763d04b
Instruction ID: ca2be330a2425339e36bd4ad192777fe90c5f7ef25b94e226df5f8c55297d755
Opcode Fuzzy Hash: d62af84dadb8aeb0cd767306cd763f2b7af0cc5cd4c31ce0c62e74ab7763d04b
Instruction Fuzzy Hash: F9512C72900119ABDF20EBA0DC45AFEB379EF44314F44447BFA05B7181EB78AE858B59

Function 00416916 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,00000031), ref: 00416932

Part of subcall function 0040B4B3: CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0040B4BD

CredFree.ADVAPI32(?,?), ref: 00416B33

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

Name:%lsComment: %lsUser:%lsData: , xrefs: 004169A2
%2.2X , xrefs: 00416A01
%-50s %s, xrefs: 00416A70

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CredFree$CreateEnumerateGlobalHeapStream
String ID: %-50s %s$%2.2X $Name:%lsComment: %lsUser:%lsData:
API String ID: 1001871379-3138396605
Opcode ID: 2401751eb88739c885c15fd53acb714d68e7c2f50a4fcf00982f6b5b26fd4f3d
Instruction ID: 6ab3aa2b8b6f7ef3ca89290d3b3c0aa47683973965a1ba494867f240cd4163d2
Opcode Fuzzy Hash: 2401751eb88739c885c15fd53acb714d68e7c2f50a4fcf00982f6b5b26fd4f3d
Instruction Fuzzy Hash: 69616172D10119ABCF10EFA5C8819EEB7B9EF04314F15447BE505B7251DB38AE868BA8

Function 00405BA3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?,00000000,00000000,%s\%s\%s,?,?,?), ref: 00405BC5
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405BED
RegCloseKey.ADVAPI32(?), ref: 00405C4E

Part of subcall function 00404EAB: RtlAllocateHeap.NTDLL(00000008,-00000004), ref: 00404EC3

RegEnumValueW.ADVAPI32(00000064,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000064,?), ref: 00405C33

Strings

p, xrefs: 00405BC5

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: AllocateCloseEnumHeapInfoOpenQueryValue
String ID: p
API String ID: 691525546-2181537457
Opcode ID: 55dbc965931b86bd302de6135924febe7d29aa3ec2cc84c16f3282715dc9fca4
Instruction ID: 559e2e5736a9b18d769bac7e7b774088cfa7331c56084f597a9c19479372ca08
Opcode Fuzzy Hash: 55dbc965931b86bd302de6135924febe7d29aa3ec2cc84c16f3282715dc9fca4
Instruction Fuzzy Hash: 7D2107B1A01228BFDB119F95DD88DEFBFBCEF49754B104066F509E2240D7349A41CBA4

Function 00405AE5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,80000002,00000000,00000000,?,0000000C,00414BA8,80000002,?,00000000,80000004,?,80000004,00000101), ref: 00405B02
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405B2A
RegCloseKey.ADVAPI32(?), ref: 00405B8B

Part of subcall function 00404EAB: RtlAllocateHeap.NTDLL(00000008,-00000004), ref: 00404EC3

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000104,?), ref: 00405B70

Strings

p, xrefs: 00405B02

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: AllocateCloseEnumHeapInfoOpenQuery
String ID: p
API String ID: 79905894-2181537457
Opcode ID: fcc0f04dcc2990d29ea97bfc5bf1f946e5fbdeeb452cb9ad7d8b28dd5c7e85df
Instruction ID: 4659c6dd2db164814af5c74531739fe8379935b17861b01e63ab91215f33c974
Opcode Fuzzy Hash: fcc0f04dcc2990d29ea97bfc5bf1f946e5fbdeeb452cb9ad7d8b28dd5c7e85df
Instruction Fuzzy Hash: 6D212A71901118BFDB219F96DD48DEFBFBCEF49754B004066F809E2250D734AA41CBA4

Function 004059B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,00000001,00000000,00000001,00000000,?,?,?), ref: 004059DB
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 004059F4
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 00405A1E
RegCloseKey.ADVAPI32(00000000), ref: 00405A33

Strings

p, xrefs: 004059DB

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: p
API String ID: 1586453840-2181537457
Opcode ID: 1e1a48a50e87a1d6d4d9f908bd0cd47c7c24171afe7967bd192c0825355f52d0
Instruction ID: 181d92b4c8150ffe79d116bba498cf6b0d4d091711c9081e6bb2855d3830407c
Opcode Fuzzy Hash: 1e1a48a50e87a1d6d4d9f908bd0cd47c7c24171afe7967bd192c0825355f52d0
Instruction Fuzzy Hash: E4112671A00508BFDB219F95CC88DEFBF7AFB84754B508166F901A2260E3349E50DF64

Function 00404BC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?,00414138,?,00000000,?), ref: 00404BE8
WriteFile.KERNEL32(00000000,?,8AA,00000000,00000000,?,00414138,?,00000000,?), ref: 00404C0B
CloseHandle.KERNEL32(00000000,?,00414138,?,00000000,?), ref: 00404C18
DeleteFileW.KERNEL32(00000000,?,00414138,?,00000000,?), ref: 00404C26

Strings

8AA, xrefs: 00404C04

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: File$CloseCreateDeleteHandleWrite
String ID: 8AA
API String ID: 656945655-1031823992
Opcode ID: a0ec578e906b5ba35e8b491669ca7ef15f49042a5f37ecc34628d32a2ccd2aa2
Instruction ID: e312bcca5666c2f4f790f24bab3cad1eb1922108b339b2b114f4ebf39fa5c7da
Opcode Fuzzy Hash: a0ec578e906b5ba35e8b491669ca7ef15f49042a5f37ecc34628d32a2ccd2aa2
Instruction Fuzzy Hash: 6D01AD71409248BFEF111FA08C48FEE3B68EB45360F048179FA50621E0D3754E458B64

Function 0040647D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00413E64,?), ref: 0040648D
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00413E64,?), ref: 004064A1
FileTimeToSystemTime.KERNEL32(?,d>A,?,?,?,00413E64,?), ref: 004064BA

Strings

d>A, xrefs: 004064AA
d>A, xrefs: 00406496

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Time$FileSystem
String ID: d>A$d>A
API String ID: 2086374402-2582024514
Opcode ID: adc8e36154be0d079bfb275c6732458b9ef8cff690ff206a2f1399756dcc4060
Instruction ID: 62224ee6774ae8b78034f3a60de505545d6ba04fca9e53ab2c9371a3c230174a
Opcode Fuzzy Hash: adc8e36154be0d079bfb275c6732458b9ef8cff690ff206a2f1399756dcc4060
Instruction Fuzzy Hash: 1CF0FF7AD0011DFBCF019FA9D8489CEBBBCEA48655B0181A6EA19A3114D634A6498BA4

Function 00413EC6 Relevance: 7.7, APIs: 5, Instructions: 160memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000000,00000000,?,00000000,00000031), ref: 00413EE3
LoadLibraryA.KERNEL32(?), ref: 00413F58
VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 00413FCD
VirtualFree.KERNEL32(?,?,00004000), ref: 00413FFE
VirtualProtect.KERNEL32(?,?,?,?), ref: 0041403F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Virtual$Protect$AllocFreeLibraryLoad
String ID:
API String ID: 90962928-0
Opcode ID: f791cf7a9550d6329176ee1bda85158125c2f50f71a086ac02e9e1274acc6c29
Instruction ID: 19d78efe76cc26541039a5d7913da310be6636b7ff9dc4ba670cb481fcde2d22
Opcode Fuzzy Hash: f791cf7a9550d6329176ee1bda85158125c2f50f71a086ac02e9e1274acc6c29
Instruction Fuzzy Hash: 6751A175A00705AFDB20CF55CC84FE67BB5FF88315F14846AEA059B251D738EA82CB58

Function 00414082 Relevance: 7.6, APIs: 5, Instructions: 89synchronizationthreadCOMMON

Download Yara Rule

APIs

PathFindExtensionA.SHLWAPI(?,?,00000000,00000031), ref: 00414102

Part of subcall function 00413EC6: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000000,00000000,?,00000000,00000031), ref: 00413EE3
Part of subcall function 00413EC6: VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 00413FCD

CreateThread.KERNEL32(00000000,00000000,004050F0,00000000,00000000,00000000), ref: 004140D1
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004140E1
CloseHandle.KERNEL32(00000000), ref: 004140E8
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004140F5

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Virtual$AllocCloseCreateExtensionFindFreeHandleObjectPathProtectSingleThreadWait
String ID:
API String ID: 248983594-0
Opcode ID: ea3605a9d323946bc61b7faccc9b8e1bfbca0fb761fb71cf2cad8dcc6b35fc97
Instruction ID: 1fd631035d38c11dd4dca8261721d85a0394e2d27002a17067acf375899f0d5c
Opcode Fuzzy Hash: ea3605a9d323946bc61b7faccc9b8e1bfbca0fb761fb71cf2cad8dcc6b35fc97
Instruction Fuzzy Hash: 642125728001187ADB106B649C89DEF376DDB81368F14013FFA10B62C1DA388EC586AC

Function 007A8C83 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 007A8C91

Part of subcall function 007A510D: __FF_MSGBANNER.LIBCMT ref: 007A5126
Part of subcall function 007A510D: __NMSG_WRITE.LIBCMT ref: 007A512D
Part of subcall function 007A510D: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,007A445D,?), ref: 007A5152

_free.LIBCMT ref: 007A8CA4

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: e62985e7e6789076ed1bc6b4840851d40973ade6df2e44df0c42a207d78d8494
Instruction ID: c135799619e70c89f0f78ac3a8c813dfec2b818690833b2681f378ca661ab166
Opcode Fuzzy Hash: e62985e7e6789076ed1bc6b4840851d40973ade6df2e44df0c42a207d78d8494
Instruction Fuzzy Hash: CA110832902A11EBCB312B34EC0865A37969FC33B0F244755F8459A150EE3CCD408BB6

Function 007A825A Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 007A8266

Part of subcall function 007A64CC: __getptd_noexit.LIBCMT ref: 007A64CF
Part of subcall function 007A64CC: __amsg_exit.LIBCMT ref: 007A64DC

__getptd.LIBCMT ref: 007A827D
__amsg_exit.LIBCMT ref: 007A828B
__lock.LIBCMT ref: 007A829B
__updatetlocinfoEx_nolock.LIBCMT ref: 007A82AF

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: dd125564e6e9fcfa156f6af8895a4d1da27018628faace160713f42e4c19e748
Instruction ID: 200ac39e248fcefc6df6e1b94e90becd37db1dce45cd6637707d3a632952dd11
Opcode Fuzzy Hash: dd125564e6e9fcfa156f6af8895a4d1da27018628faace160713f42e4c19e748
Instruction Fuzzy Hash: D6F09032A44B10DBDBB0BB74980AB6D37A07F83720F188709F515A76D2DF2C5D408A5B

Function 004112D2 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 257libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000,?,00000031), ref: 0041131F

Part of subcall function 00405192: LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D

FreeLibrary.KERNEL32(00000000), ref: 004115AB

Part of subcall function 00416E8E: RtlGetVersion.NTDLL(?), ref: 00416EAB

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

4, xrefs: 0041158D
8, xrefs: 00411589

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Library$FreeLoad$HeapVersion
String ID: 4$8
API String ID: 2294480396-97111398
Opcode ID: e96ea99d3d67079c3c40f3da4a3396d77189df7c1f4810a95be94a213226a20b
Instruction ID: da08ae2bdbddc67e45404d6be35d999ed2b863f5bf8dbd1cc8a5796a08cd29d6
Opcode Fuzzy Hash: e96ea99d3d67079c3c40f3da4a3396d77189df7c1f4810a95be94a213226a20b
Instruction Fuzzy Hash: 97918F71D00618ABCF21DB95CC45AEFBBBAEF84700F14456BE505B7261D7399E80CBA8

Function 00414E86 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,?,00000000,?,?,00415240,00000000,?,?,00000000,00000000,?,00000000,?), ref: 00414F48
CloseHandle.KERNEL32(?,?,00415240,00000000,?,?,00000000,00000000,?,00000000,?), ref: 00414FE2

Strings

@RA, xrefs: 00414F9E
@RA, xrefs: 00414EB4, 00414EB7

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: CloseFolderHandlePath
String ID: @RA$@RA
API String ID: 1943059022-724470139
Opcode ID: 9db2bd3b9ce3174623cf6424b750cee39d999d3e999ed14b03181c7b8e0b245a
Instruction ID: 7d3bd842f0370e2a21f54626ff5449ef890e8a7442342d7b05add279836dd212
Opcode Fuzzy Hash: 9db2bd3b9ce3174623cf6424b750cee39d999d3e999ed14b03181c7b8e0b245a
Instruction Fuzzy Hash: 23413A7290011AAFCF10DF95CC949EFBBB9FF48304F10446AE611B6290DB399E91CBA4

Function 00410C0E Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00410C17

Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC

Part of subcall function 004108E4: FindFirstFileW.KERNEL32(QRA,?,00000000,00000000,00000000), ref: 0041092E
Part of subcall function 004108E4: FindNextFileW.KERNEL32(?,?), ref: 00410B08

Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40

Strings

A, xrefs: 00410C20
\\?\%c:, xrefs: 00410C52
%s\%c, xrefs: 00410C6B

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: FileFind$DrivesFirstFreeHeapLogicalNextwvnsprintf
String ID: %s\%c$A$\\?\%c:
API String ID: 1843991470-1503768234
Opcode ID: a1edfc6e9cabf554445d2a185e10a61f255003450b096631e2ac9218a3463a49
Instruction ID: 2679cea3a276ca4328893308c8c2b4d0c4727979c0711d4b4784de73a077c24f
Opcode Fuzzy Hash: a1edfc6e9cabf554445d2a185e10a61f255003450b096631e2ac9218a3463a49
Instruction Fuzzy Hash: 4801B172A00608BBEB15AB94D9466DEBBB5DF00318F10406BE900762C2D7B95EC19FE9

Function 00404A7C Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,?,?,0040F3AD,?,?,00000000), ref: 00404A98
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?,?,?), ref: 00404AA7
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?), ref: 00404AC8
CloseHandle.KERNEL32(00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?,?,?), ref: 00404ADB

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: b028bbf5e78a84a3989ba24cfca3f53e27e424d55d47b694da6f965884ede5ee
Instruction ID: 35ced7b7e6b8fcb80760e5361844cac7ae60d847a3c82796c2aff2ab1ebf9c76
Opcode Fuzzy Hash: b028bbf5e78a84a3989ba24cfca3f53e27e424d55d47b694da6f965884ede5ee
Instruction Fuzzy Hash: C2F081B1640218BFFB119FA4DC89FEB366CEB04354F004179FA01A62D0D7B49E018B68

Function 00415ADA Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00415B18
GetWindowDC.USER32(00000000,?,?,?,00413DC6,?), ref: 00415B21
EnumDisplayMonitors.USER32(00000000,00000000,004158F7,?,?,?,?,00413DC6,?), ref: 00415B34
ReleaseDC.USER32(00000000,00000000), ref: 00415B3C

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: Window$DesktopDisplayEnumMonitorsRelease
String ID:
API String ID: 3138938612-0
Opcode ID: 09942aec3327468421f9ad7013ce1eabb26cd18543247e64c5682214829e7bf5
Instruction ID: 79ebf71b1ab3dc720c427369539a26d712b4a8fa409b07612e71690da23c6d59
Opcode Fuzzy Hash: 09942aec3327468421f9ad7013ce1eabb26cd18543247e64c5682214829e7bf5
Instruction Fuzzy Hash: 670121B2900118AF9B10DFA5DC889EFBFBCFF89751B004126F902E2110D7345A41CBA4

Function 00404C33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 00404C4A

Strings

"AA, xrefs: 00404C87
%08x.%s, xrefs: 00404C6F

Memory Dump Source

Source File: 00000000.00000002.2107276262.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd

Similarity

API ID: PathTemp
String ID: "AA$%08x.%s
API String ID: 2920410445-3318964645
Opcode ID: c89cc8e68427bbb63d604f05537d755ce9629acc9bc5e5b3f558cfa4640d61b0
Instruction ID: a8c78cdc698b28e01514b2981d1d0c4832bbd0bd718657f1769f43814eb44599
Opcode Fuzzy Hash: c89cc8e68427bbb63d604f05537d755ce9629acc9bc5e5b3f558cfa4640d61b0
Instruction Fuzzy Hash: F7F08CF160512867EF206A258C45AEB231CDBC1308F0580B7BB04B62C1C67D9E9686A8

Function 007A6B7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,007A6BB8,00000000,00000000,00000000,00000000,00000000,007A7681,?,007A5A5E,00000003,007A6C95,007ABC40,0000000C,007A6D51,]Dz), ref: 007A6B8A
__invoke_watson.LIBCMT ref: 007A6BA6

Strings

]Dz, xrefs: 007A6BA3

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: ]Dz
API String ID: 4034010525-3219158738
Opcode ID: a58abab4c5cd0933b1016a3fcd90b5e2346e381d307a25c01d427331c07e2a1a
Instruction ID: a341a9404c5f1b4474ba8471716c8c20c92b228c957d0c62c3637073c76ff66f
Opcode Fuzzy Hash: a58abab4c5cd0933b1016a3fcd90b5e2346e381d307a25c01d427331c07e2a1a
Instruction Fuzzy Hash: AFE0ECB2000109FBDF022FA1DC09CAA3F6AEB96750B594460FD14C5031E73AC871DBA5

Function 007A55C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 007A55CA

Part of subcall function 007A5597: GetModuleHandleW.KERNEL32(mscoree.dll,]Dz,007A55CF,]Dz,?,007A6CA6,000000FF,0000001E,007ABC40,0000000C,007A6D51,]Dz,]Dz,?,007A63E9,0000000D), ref: 007A55A1
Part of subcall function 007A5597: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007A55B1

ExitProcess.KERNEL32 ref: 007A55D3

Strings

]Dz, xrefs: 007A55C7

Memory Dump Source

Source File: 00000000.00000002.2107350122.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2107335308.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107428905.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107445842.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107519452.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_NLRpif3sEB.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: ]Dz
API String ID: 2427264223-3219158738
Opcode ID: 6a4a52c7647a3a0698b12d84ad6488c459b0c1d82df7ac45c35798237ef07522
Instruction ID: ee597b200325d2df145ac888f6c71ebba8e5ff53bdd4191530df45c5dfe49c32
Opcode Fuzzy Hash: 6a4a52c7647a3a0698b12d84ad6488c459b0c1d82df7ac45c35798237ef07522
Instruction Fuzzy Hash: 48B09231000248FFCB012F12DC0E85E3F2BEBC23A0B108021F81809031EF7AAEA6DA95

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NLRpif3sEB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
NLRpif3sEB.exe

Function 004129A8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 155
networkfileCOMMON

Function 00413CAF Relevance: 12.2, APIs: 8, Instructions: 169
synchronizationCOMMON

Function 004064C7 Relevance: 54.8, APIs: 17, Strings: 14, Instructions: 569
libraryCOMMON

Function 007A452D Relevance: 22.6, APIs: 15, Instructions: 129
COMMON

Function 00412E5D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153
networkCOMMON

Function 007A435C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
memorywindowCOMMON

Function 0041701B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Function 007A43C0 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Function 007A0942 Relevance: 2.8, APIs: 1, Instructions: 1539
memoryCOMMON

Function 0079B342 Relevance: 2.8, APIs: 1, Instructions: 1533
memoryCOMMON

Function 007913D2 Relevance: 2.8, APIs: 1, Instructions: 1527
memoryCOMMON

Function 00794982 Relevance: 2.8, APIs: 1, Instructions: 1524
memoryCOMMON

Function 0078C2B2 Relevance: 2.7, APIs: 1, Instructions: 1494
memoryCOMMON

Function 0079EEC2 Relevance: 2.7, APIs: 1, Instructions: 1416
memoryCOMMON

Function 0077A282 Relevance: 2.7, APIs: 1, Instructions: 1416
memoryCOMMON