Edit tour

Windows Analysis Report
1iC0WTxgUf.exe

Overview

General Information

Sample name:	1iC0WTxgUf.exe renamed because original name is a hash value
Original sample name:	530c28302405edb307c3c0e49c2bd5a7.exe
Analysis ID:	1576508
MD5:	530c28302405edb307c3c0e49c2bd5a7
SHA1:	8f3a2ced532a64e728ab74762785702e1e2a0f42
SHA256:	efeb8d13efff6fa8be497988a973920dc1ee48e134eed363a1924ecc82973976
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Abnormal high CPU Usage

Connects to a URL shortener service

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found evaded block containing many API calls

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1iC0WTxgUf.exe (PID: 1484 cmdline: "C:\Users\user\Desktop\1iC0WTxgUf.exe" MD5: 530C28302405EDB307C3C0E49C2BD5A7)

1iC0WTxgUf.exe (PID: 3892 cmdline: C:\Users\user\Desktop\1iC0WTxgUf.exe MD5: 795C7666E4950615A6BD5BCA64FF7135)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:15:15.348358+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49704	172.232.31.180	443	TCP
2024-12-17T08:15:20.799692+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49707	172.67.193.84	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1iC0WTxgUf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142RM	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/oxgBR?usid=26&utid=95814961422	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142D0yt	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142E1	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142Y1	Avira URL Cloud: Label: malware
Source: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Avira: detection malicious, Label: TR/Crypt.ULPM.Gen

Multi AV Scanner detection for submitted file

Source: 1iC0WTxgUf.exe	ReversingLabs: Detection: 84%
Source: 1iC0WTxgUf.exe	Virustotal: Detection: 80%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1iC0WTxgUf.exe

Joe Sandbox ML: detected

Source: 1iC0WTxgUf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 172.232.31.180:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.0.75:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040CBD0 FindFirstFileA,FindClose,		0_2_0040CBD0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9BFD0 FindFirstFileA,FindClose,		0_2_01F9BFD0

Source: unknown

DNS query: name: q.gs

Source: Joe Sandbox View

IP Address: 64.190.63.136 64.190.63.136

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49707 -> 172.67.193.84:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49704 -> 172.232.31.180:443

Source: global traffic	HTTP traffic detected: GET /oxgBR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Host: cutit.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheHost: publisher.linkvertise.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oxgBR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheHost: ww99.cutit.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oxgBR?usid=26&utid=9581496142 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheConnection: Keep-AliveHost: ww1.cutit.org
Source: global traffic	HTTP traffic detected: GET /EVnYC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Host: q.gsCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Code function: 0_2_0040D740 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_0040D740

Source: global traffic	HTTP traffic detected: GET /oxgBR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Host: cutit.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheHost: publisher.linkvertise.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oxgBR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheHost: ww99.cutit.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oxgBR?usid=26&utid=9581496142 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Cache-Control: no-cacheConnection: Keep-AliveHost: ww1.cutit.org
Source: global traffic	HTTP traffic detected: GET /EVnYC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Host: q.gsCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: cutit.org
Source: global traffic	DNS traffic detected: DNS query: ww99.cutit.org
Source: global traffic	DNS traffic detected: DNS query: ww1.cutit.org
Source: global traffic	DNS traffic detected: DNS query: q.gs
Source: global traffic	DNS traffic detected: DNS query: publisher.linkvertise.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 17 Dec 2024 07:15:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4517Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 17 Dec 2024 07:15:37 GMTSet-Cookie: __cf_bm=j2wv9VHDMaWOcu0prtp_ZXuDURHG.2tm3enKSi30rAE-1734419722-1.0.1.1-HPihD2McldE6XnQAZ2UX9zY93rWTWZVDpkpTuWBj1zBP.mb_RLGMDoJChNzzn21ax_aCbWOk56GbtCCEFznXIA; path=/; expires=Tue, 17-Dec-24 07:45:22 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=NoneX-Frame-Options: sameoriginServer: cloudflareCF-RAY: 8f351f220d5f8c05-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Source: 1iC0WTxgUf.exe, 1iC0WTxgUf.exe, 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cli.re/gzBM75
Source: 1iC0WTxgUf.exe, 1iC0WTxgUf.exe, 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://q.gs/EVnYC
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538379901.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=95814961422
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142D0yt
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142E1
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142RM
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142Y1
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.cutit.org/oxgBR
Source: 1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.cutit.org/oxgBRU
Source: 1iC0WTxgUf.exe, 1iC0WTxgUf.exe, 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000002.00000003.1538379901.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000002.00000003.1538349427.0000000001FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cutit.org/oxgBR

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.232.31.180:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.0.75:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0043E330	0_2_0043E330
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_00406AB0	0_2_00406AB0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0043CD7F	0_2_0043CD7F
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0045CED0	0_2_0045CED0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_00403760	0_2_00403760
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_00403840	0_2_00403840
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0041F8C0	0_2_0041F8C0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0041F9A0	0_2_0041F9A0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_00425A40	0_2_00425A40
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FE60D0	0_2_01FE60D0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FA8BA0	0_2_01FA8BA0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F92B60	0_2_01F92B60
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FA8AC0	0_2_01FA8AC0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F92C40	0_2_01F92C40
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FAEC40	0_2_01FAEC40
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FC7530	0_2_01FC7530
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FC5F7F	0_2_01FC5F7F
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F95EB0	0_2_01F95EB0

Source: 1iC0WTxgUf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal84.winEXE@3/3@7/5

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Code function: 0_2_0040B140 FindResourceA,

0_2_0040B140

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

File created: C:\Users\user\Desktop\1iC0WTxgUf.exe

Jump to behavior

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1iC0WTxgUf.exe	ReversingLabs: Detection: 84%
Source: 1iC0WTxgUf.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

File read: C:\Users\user\Desktop\old_1iC0WTxgUf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1iC0WTxgUf.exe "C:\Users\user\Desktop\1iC0WTxgUf.exe"
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Process created: C:\Users\user\Desktop\1iC0WTxgUf.exe C:\Users\user\Desktop\1iC0WTxgUf.exe
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Process created: C:\Users\user\Desktop\1iC0WTxgUf.exe C:\Users\user\Desktop\1iC0WTxgUf.exe	Jump to behavior

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 1iC0WTxgUf.exe

Static file information: File size 2892482 > 1048576

Source: 1iC0WTxgUf.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x259e00

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0042A4BF push C900000Ah; ret	0_2_0042A4C9
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B2D1 push eax; ret	0_2_0040B2D3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B361 push eax; ret	0_2_0040B363
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B301 push eax; ret	0_2_0040B303
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B331 push eax; ret	0_2_0040B333
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B3E1 push eax; ret	0_2_0040B3E3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B381 push eax; ret	0_2_0040B383
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B3B1 push eax; ret	0_2_0040B3B3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B441 push eax; ret	0_2_0040B443
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B471 push eax; ret	0_2_0040B473
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B411 push eax; ret	0_2_0040B413
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B4D1 push eax; ret	0_2_0040B4D3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B4A1 push eax; ret	0_2_0040B4A3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B501 push eax; ret	0_2_0040B503
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A7E1 push eax; ret	0_2_01F9A7E3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A7B1 push eax; ret	0_2_01F9A7B3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A781 push eax; ret	0_2_01F9A783
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A761 push eax; ret	0_2_01F9A763
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A731 push eax; ret	0_2_01F9A733
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A701 push eax; ret	0_2_01F9A703
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A6D1 push eax; ret	0_2_01F9A6D3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A901 push eax; ret	0_2_01F9A903
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A8D1 push eax; ret	0_2_01F9A8D3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A8A1 push eax; ret	0_2_01F9A8A3
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A871 push eax; ret	0_2_01F9A873
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A841 push eax; ret	0_2_01F9A843
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A811 push eax; ret	0_2_01F9A813
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01FB36BF push C900000Ah; ret	0_2_01FB36C9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	File created: C:\Users\user\Desktop\1iC0WTxgUf.exe			Jump to dropped file
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	File created: C:\Users\user\Desktop\old_1iC0WTxgUf.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Evaded block: after key decision

graph_0-126926

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

API coverage: 8.7 %

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040CBD0 FindFirstFileA,FindClose,		0_2_0040CBD0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9BFD0 FindFirstFileA,FindClose,		0_2_01F9BFD0

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040B5F0 mov eax, dword ptr fs:[00000030h]		0_2_0040B5F0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A9F0 mov eax, dword ptr fs:[00000030h]		0_2_01F9A9F0

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Code function: 0_2_00407340 GetProcessHeap,HeapAlloc,RtlAllocateHeap,

0_2_00407340

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040AF90 SetUnhandledExceptionFilter,	0_2_0040AF90
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_0040AFA0 SetUnhandledExceptionFilter,	0_2_0040AFA0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A3A0 SetUnhandledExceptionFilter,	0_2_01F9A3A0
Source: C:\Users\user\Desktop\1iC0WTxgUf.exe	Code function: 0_2_01F9A390 SetUnhandledExceptionFilter,	0_2_01F9A390

Source: C:\Users\user\Desktop\1iC0WTxgUf.exe

Code function: 0_2_0041AD00 cpuid

0_2_0041AD00

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1iC0WTxgUf.exe	84%	ReversingLabs	Win32.Infostealer.Tinba
1iC0WTxgUf.exe	80%	Virustotal		Browse
1iC0WTxgUf.exe	100%	Avira	TR/Crypt.ULPM.Gen
1iC0WTxgUf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\1iC0WTxgUf.exe	100%	Avira	TR/Crypt.ULPM.Gen
C:\Users\user\Desktop\1iC0WTxgUf.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142RM	100%	Avira URL Cloud	malware
http://ww99.cutit.org/oxgBR	0%	Avira URL Cloud	safe
http://ww1.cutit.org/	100%	Avira URL Cloud	malware
http://ww1.cutit.org/oxgBR?usid=26&utid=95814961422	100%	Avira URL Cloud	malware
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142D0yt	100%	Avira URL Cloud	malware
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142E1	100%	Avira URL Cloud	malware
http://q.gs/EVnYC	0%	Avira URL Cloud	safe
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142Y1	100%	Avira URL Cloud	malware
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142	100%	Avira URL Cloud	malware
http://ww99.cutit.org/oxgBRU	0%	Avira URL Cloud	safe
https://cutit.org/oxgBR	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ww99.cutit.org	69.16.230.228	true	false	unknown
cutit.org	172.232.31.180	true	false	unknown
sedoparking.com	64.190.63.136	true	false	high
q.gs	172.67.193.84	true	false	unknown
publisher.linkvertise.com	104.18.0.75	true	false	high
ww1.cutit.org	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww99.cutit.org/oxgBR	false	Avira URL Cloud: safe	unknown
https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC	false		high
http://q.gs/EVnYC	false	Avira URL Cloud: safe	unknown
https://cutit.org/oxgBR	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww1.cutit.org/	1iC0WTxgUf.exe, 00000002.00000003.1538379901.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142RM	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142Y1	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cli.re/gzBM75	1iC0WTxgUf.exe, 1iC0WTxgUf.exe, 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, 1iC0WTxgUf.exe, 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmp	false		high
http://ww1.cutit.org/oxgBR?usid=26&utid=95814961422	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142D0yt	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142E1	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww99.cutit.org/oxgBRU	1iC0WTxgUf.exe, 00000002.00000003.1538279395.0000000000C66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.190.63.136	sedoparking.com	United States	11696	NBS11696US	false
172.67.193.84	q.gs	United States	13335	CLOUDFLARENETUS	false
69.16.230.228	ww99.cutit.org	United States	32244	LIQUIDWEBUS	false
104.18.0.75	publisher.linkvertise.com	United States	13335	CLOUDFLARENETUS	false
172.232.31.180	cutit.org	United States	20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576508
Start date and time:	2024-12-17 08:14:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1iC0WTxgUf.exe renamed because original name is a hash value
Original Sample Name:	530c28302405edb307c3c0e49c2bd5a7.exe
Detection:	MAL
Classification:	mal84.winEXE@3/3@7/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 47 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
64.190.63.136	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0512-3272-9af7-07db3dd99c21
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0501-483c-8aad-002891fb5a97
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0450-5851-9938-0bdfa7f33a56
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0450-17b0-8984-b4b272a22199
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0433-44f6-9e59-dc72adbb0086
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0425-1706-a2c8-02526792f211
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0426-044d-b465-1d078f2f97da
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0413-3653-b9c7-4bbc444bdc48
	uavINoSIQh.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0408-09d4-8f1c-1de8890559b5
	7DAKMhINGk.exe	Get hash	malicious	Simda Stealer	Browse	ww16.vofycot.com/login.php?sub1=20241112-0352-0187-b8de-fd2bfab34f87

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cutit.org	SecuriteInfo.com.Trojan.GenericKDZ.98125.20009.29397.exe	Get hash	malicious	Unknown	Browse	64.91.240.248
	qrxTjrTy5j.exe	Get hash	malicious	Unknown	Browse	69.16.230.42
	VIXfePT6im.exe	Get hash	malicious	Unknown	Browse	69.16.230.42
sedoparking.com	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	uavINoSIQh.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	7DAKMhINGk.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
q.gs	Jpd99za14I.exe	Get hash	malicious	Unknown	Browse	172.67.193.84
	qrxTjrTy5j.exe	Get hash	malicious	Unknown	Browse	172.67.193.84
	VIXfePT6im.exe	Get hash	malicious	Unknown	Browse	104.21.84.133
publisher.linkvertise.com	https://tiny.pl/wpxvh	Get hash	malicious	Unknown	Browse	172.64.164.4
publisher.linkvertise.com	https://tiny.pl/wpxvh	Get hash	malicious	Unknown	Browse	172.64.164.4

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NBS11696US	236236236.elf	Get hash	malicious	Unknown	Browse	64.190.63.222
	https://t.co/eSJUUrWOcO	Get hash	malicious	HTMLPhisher	Browse	216.198.79.1
	Payroll List.exe	Get hash	malicious	FormBook	Browse	64.190.63.222
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	64.190.63.222
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	64.190.63.136
CLOUDFLARENETUS	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse	104.17.25.14
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.84.67
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.65.156.157
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	172.67.129.27
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	https://tinyurl.com/5faazntx	Get hash	malicious	Unknown	Browse	104.18.111.161
	https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2d	Get hash	malicious	Unknown	Browse	104.21.16.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.18.0.75 172.232.31.180
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	104.18.0.75 172.232.31.180
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.18.0.75 172.232.31.180
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.18.0.75 172.232.31.180
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.18.0.75 172.232.31.180

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\1iC0WTxgUf.exe

Download File

Process:	C:\Users\user\Desktop\1iC0WTxgUf.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	modified
Size (bytes):	2892482
Entropy (8bit):	5.6154927625508915
Encrypted:	false
SSDEEP:	49152:6Fe5stXMv1aLDtYTCqJkN9EU4YxqyW0E67iafjJay3:6G22abkUvxqyW5Na7p3
MD5:	795C7666E4950615A6BD5BCA64FF7135
SHA1:	0B96A24A8758339DF792E343621FAB3519576427
SHA-256:	90567A08C18120E1007532FEC6E8D2861750F2E96A3B5E8C18ED83EA66B33C3C
SHA-512:	F3713D6245008E588E5EB0E85B9B786A238D5D4E006A52656A27FB56171ADBD5248779F1BDB61E469DA090066511178DA10DBBAB0836F984846E965E228329AD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................%.......p.z.....p.......@.....................................................................................@..........................................................................................................UPX0......p.............................UPX1......%...p...%.................@....rsrc....P.......B....%.............@....bss.... ........?6..M...M...M8.{M...M..SM...M..#M..XM\|._M...M^..M[..M'..M...M..uMP.LM...MP.MM}..M...M..oMo..Mi.GM...M..^M..iM...M;.wM...M..WM...M;.rM..uM.."M...Ml..M..SM..FM...M...M..:M...M#..M...M...M..GM{..M...M`.0M...Mw.*M@.?M..sMR.MM...M...MR.7M...Md.`M!.]M...M...M...M..\M..~M..vM2..M..wM..\|M..$M...M...M...M/.^MO./M_..Mz..M...Mv..MH.'M...M3.jM:..M...M...M...Ms..M/..Mr..M$..MC..M'.kM...M...M5..M...M...M...M..eM..%M...M%..M..:Ma.`M..AMw..M..}M...Mc..MF..M!..M...M,.0Mz..M]..M/.[M..\M<.fM'.1M...M..

C:\Users\user\Desktop\1iC0WTxgUf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\1iC0WTxgUf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\old_1iC0WTxgUf.exe (copy)

Download File

Process:	C:\Users\user\Desktop\1iC0WTxgUf.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2892482
Entropy (8bit):	5.6154927625508915
Encrypted:	false
SSDEEP:	49152:6Fe5stXMv1aLDtYTCqJkN9EU4YxqyW0E67iafjJay3:6G22abkUvxqyW5Na7p3
MD5:	795C7666E4950615A6BD5BCA64FF7135
SHA1:	0B96A24A8758339DF792E343621FAB3519576427
SHA-256:	90567A08C18120E1007532FEC6E8D2861750F2E96A3B5E8C18ED83EA66B33C3C
SHA-512:	F3713D6245008E588E5EB0E85B9B786A238D5D4E006A52656A27FB56171ADBD5248779F1BDB61E469DA090066511178DA10DBBAB0836F984846E965E228329AD
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................%.......p.z.....p.......@.....................................................................................@..........................................................................................................UPX0......p.............................UPX1......%...p...%.................@....rsrc....P.......B....%.............@....bss.... ........?6..M...M...M8.{M...M..SM...M..#M..XM\|._M...M^..M[..M'..M...M..uMP.LM...MP.MM}..M...M..oMo..Mi.GM...M..^M..iM...M;.wM...M..WM...M;.rM..uM.."M...Ml..M..SM..FM...M...M..:M...M#..M...M...M..GM{..M...M`.0M...Mw.*M@.?M..sMR.MM...M...MR.7M...Md.`M!.]M...M...M...M..\M..~M..vM2..M..wM..\|M..$M...M...M...M/.^MO./M_..Mz..M...Mv..MH.'M...M3.jM:..M...M...M...Ms..M/..Mr..M$..MC..M'.kM...M...M5..M...M...M...M..eM..%M...M%..M..:Ma.`M..AMw..M..}M...Mc..MF..M!..M...M,.0Mz..M]..M/.[M..\M<.fM'.1M...M..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):	5.61752656620716
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	1iC0WTxgUf.exe
File size:	2'892'482 bytes
MD5:	530c28302405edb307c3c0e49c2bd5a7
SHA1:	8f3a2ced532a64e728ab74762785702e1e2a0f42
SHA256:	efeb8d13efff6fa8be497988a973920dc1ee48e134eed363a1924ecc82973976
SHA512:	3dd68fd409caef4ebb65ce9302791ea23af0fb8816b7f3ab498a68964e142e54f7ddaa75a96745012ec278038be3d42865e4159bb1619e945a185a370417fa86
SSDEEP:	49152:S+UvTnuhKL7q4sxu5vLlsA8OvzaTaAivZNrTVpOpE5XJIFay3:wvTsp4nSnaVRRXS3
TLSH:	72D522F2949AC84FC7363F784250E435DE6480602F9E79DED68A3E155C683EF18D827A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................%.......p.z.....p.......@........................................................................

File Icon


Icon Hash:	176979b232797969

Static PE Info

General

Entrypoint:	0xd68a7a
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
mov edx, 00000000h
push ebx
or eax, esi
add esi, 4682C37Fh
pop edi
mov esi, eax
push edi
and esi, eax
sub esi, E677A4ADh
mov ecx, dword ptr [esp]
add esp, 04h
sub esi, B2645495h
and esi, esi
push ecx
mov eax, 3C5C84B6h
pop ebx
add eax, eax
add edx, 00000001h
inc esi
and eax, esi
cmp edx, 010027FDh
jne 00007FAD78F8A165h
add esi, eax
inc eax
push 00B0F000h
mov esi, dword ptr [esp]
add esp, 04h
mov eax, D090BDBDh
or ecx, ecx
mov edx, 00D68885h
or ecx, eax
sub eax, ecx
mov edi, 00000000h
dec ecx
inc ecx
call 00007FAD78F8A228h
sub eax, ecx
mov eax, 00B0F000h
mov edi, 6BD677D3h
and ecx, edi
mov ebx, 00B0F000h
mov ecx, edi
mov esi, 00D68885h
add edi, 5C8FFA8Eh
mov edi, edi
sub ecx, edi
mov edx, 00000000h
push ecx
pop edi
mov dl, byte ptr [ebx]
sub edi, edi
sub edi, 00000001h
add ecx, edi
mov byte ptr [eax], dl
sub edi, E0DB1A86h
sub edi, ecx
add ecx, D282BA22h
add eax, 00000001h
mov ecx, 37EA8887h
sub edi, B5F3F36Ch
sub edi, edi
add ebx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x99d0c2	0x88	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x969000	0x340c2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x70e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x70f000	0x25a000	0x259e00	beac5e0dd3067c0e4d170b7b5e766573	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x969000	0x35000	0x34200	63b52a89e260120116c277a408d2c18b	False	0.7753344199640287	data	7.107685343929994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9691d8	0x1b344	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9984833255555157
RT_ICON	0x98451c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.5053235537678931
RT_ICON	0x994d44	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.5764052905054322
RT_ICON	0x998f6c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.604149377593361
RT_ICON	0x99b514	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6573639774859287
RT_ICON	0x99c5bc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7562056737588653
RT_GROUP_ICON	0x99ca24	0x5a	Targa image data - Map 32 x 45892 x 1 +1	0.7777777777777778
RT_MANIFEST	0x99ca7e	0x644	XML 1.0 document, ASCII text, with CRLF line terminators	0.442643391521197

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:15:15.348358+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49704	172.232.31.180	443	TCP
2024-12-17T08:15:20.799692+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49707	172.67.193.84	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:15:13.314970970 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:13.315016031 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:13.315129042 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:13.330357075 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:13.330370903 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:14.587551117 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:14.587662935 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:14.847412109 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:14.847448111 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:14.847762108 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:14.847836971 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:14.851412058 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:14.895354986 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:15.346709013 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:15.346766949 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:15.346769094 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:15.346813917 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:15.352931976 CET	49704	443	192.168.2.8	172.232.31.180
Dec 17, 2024 08:15:15.352952003 CET	443	49704	172.232.31.180	192.168.2.8
Dec 17, 2024 08:15:15.591206074 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:15:15.710994005 CET	80	49705	69.16.230.228	192.168.2.8
Dec 17, 2024 08:15:15.711056948 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:15:15.711225033 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:15:15.830950022 CET	80	49705	69.16.230.228	192.168.2.8
Dec 17, 2024 08:15:16.876827955 CET	80	49705	69.16.230.228	192.168.2.8
Dec 17, 2024 08:15:16.876894951 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:15:17.399951935 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:15:17.520301104 CET	80	49706	64.190.63.136	192.168.2.8
Dec 17, 2024 08:15:17.520486116 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:15:17.520802021 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:15:17.640665054 CET	80	49706	64.190.63.136	192.168.2.8
Dec 17, 2024 08:15:18.796837091 CET	80	49706	64.190.63.136	192.168.2.8
Dec 17, 2024 08:15:18.797034979 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:15:19.583424091 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:15:19.703146935 CET	80	49707	172.67.193.84	192.168.2.8
Dec 17, 2024 08:15:19.703341007 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:15:19.705980062 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:15:19.825675011 CET	80	49707	172.67.193.84	192.168.2.8
Dec 17, 2024 08:15:20.799618006 CET	80	49707	172.67.193.84	192.168.2.8
Dec 17, 2024 08:15:20.799691916 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:15:21.064289093 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:21.064332962 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:21.064412117 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:21.064930916 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:21.064945936 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.290011883 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.290108919 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.297099113 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.297111034 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.297534943 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.297616005 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.298053980 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.343337059 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.725999117 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726042032 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726059914 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.726069927 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726082087 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726088047 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.726113081 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.726129055 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.726136923 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726166010 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:22.726186037 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.726224899 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.728993893 CET	49708	443	192.168.2.8	104.18.0.75
Dec 17, 2024 08:15:22.729013920 CET	443	49708	104.18.0.75	192.168.2.8
Dec 17, 2024 08:15:23.796545982 CET	80	49706	64.190.63.136	192.168.2.8
Dec 17, 2024 08:15:23.796634912 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:16:21.876657009 CET	80	49705	69.16.230.228	192.168.2.8
Dec 17, 2024 08:16:21.876791954 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:17:01.340161085 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:17:01.340240002 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:01.340290070 CET	49705	80	192.168.2.8	69.16.230.228
Dec 17, 2024 08:17:01.460136890 CET	80	49705	69.16.230.228	192.168.2.8
Dec 17, 2024 08:17:01.460459948 CET	80	49707	172.67.193.84	192.168.2.8
Dec 17, 2024 08:17:01.460556030 CET	49707	80	192.168.2.8	172.67.193.84
Dec 17, 2024 08:17:01.673438072 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:02.282682896 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:03.486005068 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:05.985836029 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:10.876465082 CET	49706	80	192.168.2.8	64.190.63.136
Dec 17, 2024 08:17:20.485935926 CET	49706	80	192.168.2.8	64.190.63.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:15:11.297861099 CET	63543	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:12.300710917 CET	63543	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:13.298574924 CET	63543	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:13.308167934 CET	53	63543	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:13.308190107 CET	53	63543	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:13.438638926 CET	53	63543	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:15.353734016 CET	63254	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:15.590281963 CET	53	63254	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:16.889781952 CET	52612	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:17.398978949 CET	53	52612	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:18.819210052 CET	59453	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:19.581996918 CET	53	59453	1.1.1.1	192.168.2.8
Dec 17, 2024 08:15:20.862911940 CET	51501	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:15:21.062962055 CET	53	51501	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:15:11.297861099 CET	192.168.2.8	1.1.1.1	0x843f	Standard query (0)	cutit.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:12.300710917 CET	192.168.2.8	1.1.1.1	0x843f	Standard query (0)	cutit.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.298574924 CET	192.168.2.8	1.1.1.1	0x843f	Standard query (0)	cutit.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:15.353734016 CET	192.168.2.8	1.1.1.1	0x7578	Standard query (0)	ww99.cutit.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:16.889781952 CET	192.168.2.8	1.1.1.1	0x1b69	Standard query (0)	ww1.cutit.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:18.819210052 CET	192.168.2.8	1.1.1.1	0xc407	Standard query (0)	q.gs	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:20.862911940 CET	192.168.2.8	1.1.1.1	0x29a4	Standard query (0)	publisher.linkvertise.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:15:13.308167934 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.31.180	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.308167934 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.25.148	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.308167934 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.4.213	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.308190107 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.31.180	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.308190107 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.25.148	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.308190107 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.4.213	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.438638926 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.25.148	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.438638926 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.31.180	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:13.438638926 CET	1.1.1.1	192.168.2.8	0x843f	No error (0)	cutit.org		172.232.4.213	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:15.590281963 CET	1.1.1.1	192.168.2.8	0x7578	No error (0)	ww99.cutit.org		69.16.230.228	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:17.398978949 CET	1.1.1.1	192.168.2.8	0x1b69	No error (0)	ww1.cutit.org	sedoparking.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:15:17.398978949 CET	1.1.1.1	192.168.2.8	0x1b69	No error (0)	sedoparking.com		64.190.63.136	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:19.581996918 CET	1.1.1.1	192.168.2.8	0xc407	No error (0)	q.gs		172.67.193.84	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:19.581996918 CET	1.1.1.1	192.168.2.8	0xc407	No error (0)	q.gs		104.21.84.133	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:21.062962055 CET	1.1.1.1	192.168.2.8	0x29a4	No error (0)	publisher.linkvertise.com		104.18.0.75	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:15:21.062962055 CET	1.1.1.1	192.168.2.8	0x29a4	No error (0)	publisher.linkvertise.com		104.18.1.75	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cutit.org

publisher.linkvertise.com

ww99.cutit.org

ww1.cutit.org

q.gs

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	69.16.230.228	80	3892	C:\Users\user\Desktop\1iC0WTxgUf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:15:15.711225033 CET	186	OUT	GET /oxgBR HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Cache-Control: no-cache Host: ww99.cutit.org Connection: Keep-Alive
Dec 17, 2024 08:15:16.876827955 CET	276	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 17 Dec 2024 07:15:16 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww1.cutit.org/oxgBR?usid=26&utid=9581496142 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	64.190.63.136	80	3892	C:\Users\user\Desktop\1iC0WTxgUf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:15:17.520802021 CET	209	OUT	GET /oxgBR?usid=26&utid=9581496142 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Cache-Control: no-cache Connection: Keep-Alive Host: ww1.cutit.org
Dec 17, 2024 08:15:18.796837091 CET	189	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49707	172.67.193.84	80	3892	C:\Users\user\Desktop\1iC0WTxgUf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:15:19.705980062 CET	152	OUT	GET /EVnYC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Host: q.gs Cache-Control: no-cache
Dec 17, 2024 08:15:20.799618006 CET	898	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 17 Dec 2024 07:15:20 GMT Content-Type: text/html Content-Length: 143 Connection: keep-alive Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DShhsGJxxltbHO0pjkONi%2Fi1IT5kxw4nnSxzI2UzQYVJnwu0xa2vhXL7csfUYu0%2F3DJiW6qO7FbP1gI7CabFa%2FKrG3OTdblKLdmDZLuRHVVN7Eh1K1Wr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f351f15ff5e42cd-EWR alt-svc: h2=":443"; ma=60 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	172.232.31.180	443	3892	C:\Users\user\Desktop\1iC0WTxgUf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:15:14 UTC	157	OUT	GET /oxgBR HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Host: cutit.org Cache-Control: no-cache
2024-12-17 07:15:15 UTC	318	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Tue, 17 Dec 2024 07:15:15 GMT Content-Type: text/html Content-Length: 142 Connection: close Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.cutit.org/oxgBR Cache-Control: no-store, max-age=0
2024-12-17 07:15:15 UTC	142	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.18.0.75	443	3892	C:\Users\user\Desktop\1iC0WTxgUf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:15:22 UTC	237	OUT	GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Cache-Control: no-cache Host: publisher.linkvertise.com Connection: Keep-Alive
2024-12-17 07:15:22 UTC	624	IN	HTTP/1.1 403 Forbidden Date: Tue, 17 Dec 2024 07:15:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4517 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 17 Dec 2024 07:15:37 GMT Set-Cookie: __cf_bm=j2wv9VHDMaWOcu0prtp_ZXuDURHG.2tm3enKSi30rAE-1734419722-1.0.1.1-HPihD2McldE6XnQAZ2UX9zY93rWTWZVDpkpTuWBj1zBP.mb_RLGMDoJChNzzn21ax_aCbWOk56GbtCCEFznXIA; path=/; expires=Tue, 17-Dec-24 07:45:22 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None X-Frame-Options: sameorigin Server: cloudflare CF-RAY: 8f351f220d5f8c05-EWR alt-svc: h3=":443"; ma=86400
2024-12-17 07:15:22 UTC	745	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE
2024-12-17 07:15:22 UTC	1369	IN	Data Raw: 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 Data Ascii: k rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', f
2024-12-17 07:15:22 UTC	1369	IN	Data Raw: 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 64 65 74 61 69 6c 22 3e 54 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 75 73 69 6e 67 20 61 20 73 65 63 75 72 69 74 79 20 73 65 72 76 69 63 65 20 74 6f 20 70 72 6f 74 65 63 74 20 69 74 73 65 6c 66 20 66 72 6f 6d 20 6f 6e 6c 69 6e 65 20 61 74 74 61 63 6b 73 2e 20 54 68 65 20 61 63 74 69 6f 6e 20 79 6f 75 20 6a 75 73 74 20 70 65 72 66 6f 72 6d 65 64 20 74 72 69 67 67 65 72 65 64 20 74 68 65 20 73 65 Data Ascii: <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the se
2024-12-17 07:15:22 UTC	1034	IN	Data Raw: 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 Data Ascii: id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1iC0WTxgUf.exePID: 1484, Parent PID: 4084

General

Target ID:	0
Start time:	02:15:09
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\1iC0WTxgUf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1iC0WTxgUf.exe"
Imagebase:	0x400000
File size:	2'892'482 bytes
MD5 hash:	530C28302405EDB307C3C0E49C2BD5A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 1iC0WTxgUf.exePID: 3892, Parent PID: 1484

General

Target ID:	2
Start time:	02:15:09
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\1iC0WTxgUf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1iC0WTxgUf.exe
Imagebase:	0x400000
File size:	2'892'482 bytes
MD5 hash:	795C7666E4950615A6BD5BCA64FF7135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1iC0WTxgUf.exePID: 1484, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	323
Total number of Limit Nodes:	40

Executed Functions

Function 0040CBD0 Relevance: 3.0, APIs: 2, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,004122A4,?,004023F0,00000000), ref: 0040CBEC
FindClose.KERNEL32(00000000,?,?,004122A4,?,004023F0,00000000), ref: 0040CBF8

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c00e2105ecc9a42210df76298d796d2c98af70f43de7b7442e998dfa8c5a4d6d
Instruction ID: b6d770ddae04b2a65a0208faa526ad890ad69bd03923240b9f4e3cbf9e65c1ca
Opcode Fuzzy Hash: c00e2105ecc9a42210df76298d796d2c98af70f43de7b7442e998dfa8c5a4d6d
Instruction Fuzzy Hash: ABD0A7B644020253CB2122BA2C829CF725C5B8435CF404BABF62AF71E1F678EA904669

Function 00407340 Relevance: 2.5, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00407346
HeapAlloc.KERNEL32(00000000,00000000), ref: 0040734C

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 71c8bb397300a2ec98a85e2a9517822de63f269b3bd78d8ef5f964835f30b907
Instruction ID: 86af24108ca81dc7991541a252e630d5732568c65e495a36e3c27521db029aa8
Opcode Fuzzy Hash: 71c8bb397300a2ec98a85e2a9517822de63f269b3bd78d8ef5f964835f30b907
Instruction Fuzzy Hash: 04B0026465430835D54473B75C07F17755C474D7DDF4004657705B91D258E9E80040BD

Function 00402189 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 0040219C
CopyFileA.KERNEL32(00000000,00000000,000000FF), ref: 00402219
GetCurrentProcess.KERNEL32(00000000,004142F0,004142F0,000000FF,004142F0,004142F0), ref: 004022C1
TerminateProcess.KERNEL32(00000000,00000000,004142F0,004142F0,000000FF,004142F0,004142F0), ref: 004022C7

Strings

!, xrefs: 004021C2

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: FileProcess$CopyCurrentMoveTerminate
String ID: !
API String ID: 1606378885-2040151947
Opcode ID: 85730c00616e7aa88c50fde6691587428df64d554575c87f8ff52a89fc2c41a1
Instruction ID: 977d4101561ccfd88836dc27509831d6c9870572d57f55b4357d44abc3d1cc2b
Opcode Fuzzy Hash: 85730c00616e7aa88c50fde6691587428df64d554575c87f8ff52a89fc2c41a1
Instruction Fuzzy Hash: 5241CF70A00109ABCB00EBA6E982ACEB77DAF50349F50417BB510F72E5DB7CEE558758

Function 00408820 Relevance: 6.3, APIs: 5, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,?,?,004088E5), ref: 00408825
TlsGetValue.KERNEL32(00000000,?,?,004088E5), ref: 00408844
LocalAlloc.KERNEL32(00000040), ref: 00408857
TlsSetValue.KERNEL32(00000000,00000040), ref: 00408872
SetLastError.KERNEL32(00000000), ref: 00408878

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: ec3e637c03f6bc23e8b06f94060b79e23039758f34d06e98c892f4ff3d7b7ef5
Instruction ID: e59f79d80365a3e3fb04450aaf497140d8717a935e245749f86687b9e21ad49f
Opcode Fuzzy Hash: ec3e637c03f6bc23e8b06f94060b79e23039758f34d06e98c892f4ff3d7b7ef5
Instruction Fuzzy Hash: E8E0303295062157C72233B66C42A9B3558AA487ECB40823AFA907B7F2CA3D9C0156AD

Function 0040881F Relevance: 6.3, APIs: 5, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,?,?,004088E5), ref: 00408825
TlsGetValue.KERNEL32(00000000,?,?,004088E5), ref: 00408844
LocalAlloc.KERNEL32(00000040), ref: 00408857
TlsSetValue.KERNEL32(00000000,00000040), ref: 00408872
SetLastError.KERNEL32(00000000), ref: 00408878

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: bb20245ef22a7d6f40216144569e6972df66727ff42a53c437d2256ee92b8ad9
Instruction ID: 8dc0e7b286f4c0757728a67b5893bf4d504377c1db71ad195630fefe0bf8a4e1
Opcode Fuzzy Hash: bb20245ef22a7d6f40216144569e6972df66727ff42a53c437d2256ee92b8ad9
Instruction Fuzzy Hash: CCF0303695052156C72233B26C42A9E35146B487ECB40823EFA907B6F2CA3D8C019A9D

Function 00408F60 Relevance: 6.1, APIs: 4, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,00409E29,?,?,00000000,?,00409EAB), ref: 00408F76
GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,00409E29,?,?,00000000,?,00409EAB), ref: 00408F7F
GetConsoleMode.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,00409E29,?,?,00000000,?,00409EAB), ref: 00408F97
GetConsoleOutputCP.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,00409E29,?,?,00000000,?,00409EAB), ref: 00408FA2

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Console$ErrorFileLastModeOutputWrite
String ID:
API String ID: 1666348767-0
Opcode ID: 7e1423d0293c3c8450814a5c97954341b7d247c2fd516e911c28d118bd2fb17a
Instruction ID: 5e54fb8b93e84e2e52b0b7574cfecd6202988ffbac3a19b6b106e2902cad099e
Opcode Fuzzy Hash: 7e1423d0293c3c8450814a5c97954341b7d247c2fd516e911c28d118bd2fb17a
Instruction Fuzzy Hash: 470184316202076AE710A5B58B459AFB69FDB25344F14047BF680F26C5EEBCCF40425D

Function 00409110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408F30: CloseHandle.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F40
Part of subcall function 00408F30: GetLastError.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F49

CreateFileW.KERNEL32(00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?,?,00409CBA,00000000,?,00000000,?), ref: 00409303
GetLastError.KERNEL32(00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?,?,00409CBA,00000000,?,00000000,?), ref: 0040934C

Part of subcall function 00409090: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090A7
Part of subcall function 00409090: GetLastError.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090B4
Part of subcall function 00409090: GetLastError.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090BD

Strings

TAA, xrefs: 0040916F

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateHandlePointer
String ID: TAA
API String ID: 3997052936-2085441596
Opcode ID: d3733ddfb0e7e577c0298c18dc4c769054a820b33424577d6719cffb3e13174b
Instruction ID: fbde2ecdfd33b0e042bed72ccb3b961f932e12b2e3e8bcd5fa2ac64c2f73668e
Opcode Fuzzy Hash: d3733ddfb0e7e577c0298c18dc4c769054a820b33424577d6719cffb3e13174b
Instruction Fuzzy Hash: 4261A175A0410A9BE710DF94C944BABB7B2FB95350F248177D8057B3EAC3389D41CB99

Function 00401F10 Relevance: 4.5, APIs: 3, Instructions: 43
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000010,?,00000044), ref: 00401F5D
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000010,?,00000044), ref: 00401F65
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000010,?,00000044), ref: 00401F6D

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: c1ebc20cf536f56b8f844b2457054eedeab59e7b4e2f0bfceddc6bf52f73e124
Instruction ID: bb889614db706db821f7bd80dc415af9ecb11a68ed2442f3ba657f91dc1de66e
Opcode Fuzzy Hash: c1ebc20cf536f56b8f844b2457054eedeab59e7b4e2f0bfceddc6bf52f73e124
Instruction Fuzzy Hash: 81F0307294021966DB01E6D58D42FDEB3AC9B08384F504037BB05FB191D7BCAE4847EC

Function 0040900F Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 00409027
GetLastError.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 00409034
GetLastError.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 0040903D

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: f4c837c30341bf957ae10746e550b6b0f85f292638af98aaa8813219fdd00d61
Instruction ID: bbf8a9c75fbbc8451ac7977a2e78ec84ac2944bfbf94f7c87fe414d31b96ef7c
Opcode Fuzzy Hash: f4c837c30341bf957ae10746e550b6b0f85f292638af98aaa8813219fdd00d61
Instruction Fuzzy Hash: 2BE04F70900248AADB10EBB18946B8E77749F84358F204AAAF150B71D6C7BC9A809759

Function 00409010 Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 00409027
GetLastError.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 00409034
GetLastError.KERNEL32(?,00000000,00000000,00000001,?,004090E1,?,?,?,?,0040A053,?,?,?), ref: 0040903D

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: f357eb8abede550e99fef2870db49b0a8a8914b11ee927893b7b85a3906b5492
Instruction ID: 064df41d2300e6b33a0c3cfcc2995e9c0e8f02a5d7ba02c8bdb54f807d45b736
Opcode Fuzzy Hash: f357eb8abede550e99fef2870db49b0a8a8914b11ee927893b7b85a3906b5492
Instruction Fuzzy Hash: C4E04870900208AADB10EBF18D4378EB6789F84358F204569B550B72C6D7BC9A805759

Function 00409090 Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090A7
GetLastError.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090B4
GetLastError.KERNEL32(?,00000000,00000000,00000002,?,00409331,00000000,?,FFFFFFFF,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 004090BD

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 16f9fb025df47edaceb564dc37a91d79f97368f173510a5821229960cf516944
Instruction ID: 3e6a962845f3011f357bc5b94b4c558c47dee004cc95fec290fdb19e31e715bc
Opcode Fuzzy Hash: 16f9fb025df47edaceb564dc37a91d79f97368f173510a5821229960cf516944
Instruction Fuzzy Hash: E6E04870900208A6DB10FBF18D4674EB6745F84358F204A69B550B72C6D6B89A805759

Function 0040904F Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 00409068
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 00409072
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 0040907B

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 5d7c99ba943189ba79efb52a068e283cf43ae01a7b06849f9c56d686b1e95311
Instruction ID: 37d4942cd1f63b906c899cff13af82457780df02a5d3095b079d0b0d4d523347
Opcode Fuzzy Hash: 5d7c99ba943189ba79efb52a068e283cf43ae01a7b06849f9c56d686b1e95311
Instruction Fuzzy Hash: FDE086709001446ADB04EBB18842AAE7368AFC4358F10867FF994A62D2C67CCE849636

Function 00409050 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 00409068
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 00409072
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00409103,00000000,00000000,?,?,?,?,0040A053,?,?,?), ref: 0040907B

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: ddc71fc693b9be56bac7002ca11ce5b803b11c986a3015bb4f7bca4cdf806e8b
Instruction ID: a7df7561e7ca9b8e103536b4cd9243158dd27780c66679509c921c4baf12c9f6
Opcode Fuzzy Hash: ddc71fc693b9be56bac7002ca11ce5b803b11c986a3015bb4f7bca4cdf806e8b
Instruction Fuzzy Hash: C1E0803050010466DB04FBE18D0295FB35CDFC4358F10856EFE94672C1D57CDE449576

Function 00409D90 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TAA, xrefs: 00409E74
TAA, xrefs: 00409DCE
TAA, xrefs: 00409E55

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA$TAA
API String ID: 0-3156008175
Opcode ID: 5e2c7e79995b2c56898a416ea621a614e0d6973d165c2e7c0942b4028db62f40
Instruction ID: 29cd27ea3d2a4b46e5796f197d47ddee37a5df3511032d0530e90066fc304b40
Opcode Fuzzy Hash: 5e2c7e79995b2c56898a416ea621a614e0d6973d165c2e7c0942b4028db62f40
Instruction Fuzzy Hash: 53318D347041059FCB04DF58D984A89BBB6FBD9310B24C07AE805EB3A5D734DD418789

Function 00409EC0 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TAA, xrefs: 00409F85
TAA, xrefs: 00409EFE
TAA, xrefs: 00409FA4

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA$TAA
API String ID: 0-3156008175
Opcode ID: 8748c715d46707d2efa6cd81ed7216c42a31401661493585b55b414748257218
Instruction ID: a7d6640e56e4a58b1b431662ec99de768a11d7d198c79bcbc812a19760f4df14
Opcode Fuzzy Hash: 8748c715d46707d2efa6cd81ed7216c42a31401661493585b55b414748257218
Instruction Fuzzy Hash: 91217E747041069FCB04DF48D994A9ABBB6FBD9310B24C07AE805EB3A5D778ED818B48

Function 00409C10 Relevance: 3.8, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TAA, xrefs: 00409C9D
TAA, xrefs: 00409C2C
TAA, xrefs: 00409C7A

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA$TAA
API String ID: 0-3156008175
Opcode ID: 4fb5ddc4b6ab07874e225e53ba391a3718b34b088c9971a158e86a0cdc13088b
Instruction ID: 5d7164e282253a550d28661d1a007b63ea5862aefe256644566d20db0e1fe3f7
Opcode Fuzzy Hash: 4fb5ddc4b6ab07874e225e53ba391a3718b34b088c9971a158e86a0cdc13088b
Instruction Fuzzy Hash: B4115E70B082019BE7109F69E98869676E5BBD2304B24C03B9811AF3E6D33DCC41839D

Function 00409CD0 Relevance: 3.8, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TAA, xrefs: 00409D5D
TAA, xrefs: 00409CEC
TAA, xrefs: 00409D3A

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA$TAA
API String ID: 0-3156008175
Opcode ID: 54db76e4a82ab5dff3fd7f2918ad4cb1fb1d56d7db6c3992cdfa21705980e24e
Instruction ID: 331b10a44ea7a6a2718a0d373256a13008f50e6e0f261d447f880c9a8982c88b
Opcode Fuzzy Hash: 54db76e4a82ab5dff3fd7f2918ad4cb1fb1d56d7db6c3992cdfa21705980e24e
Instruction Fuzzy Hash: C7112E317842059BD7249F6DAC886927765BFA2300B24C1379815AF3ABE63CDD41875D

Function 00408FDF Relevance: 3.0, APIs: 2, Instructions: 21fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,-00000018,00409F59,?,?,00000000,?,00409FDB,00010000), ref: 00408FF1
GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,-00000018,00409F59,?,?,00000000,?,00409FDB,00010000), ref: 00408FFA

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: a7b5118fc1088943d4a9fbb1ea9edf3d9942a46e451f9963f6ea781a498db719
Instruction ID: 47271d9290f7a1c40665a6210213aff9e8fa2383538dc1c31fb3fd4cb0793cc2
Opcode Fuzzy Hash: a7b5118fc1088943d4a9fbb1ea9edf3d9942a46e451f9963f6ea781a498db719
Instruction Fuzzy Hash: 43D05EB1540148B9EB10A6A14DC6EAF23AC9B8038CF1408AEF040F25E7E6BC8E445636

Function 00408FE0 Relevance: 3.0, APIs: 2, Instructions: 21fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,-00000018,00409F59,?,?,00000000,?,00409FDB,00010000), ref: 00408FF1
GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,-00000018,00409F59,?,?,00000000,?,00409FDB,00010000), ref: 00408FFA

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 8877fdc0519c7a4cc03b06452ca6108a2666c8a5f0125462a5deaadd6e7f0f08
Instruction ID: 16ec41326e9365faac48314f316602aaf6d68e7eb541853544c3ca001c6ebae0
Opcode Fuzzy Hash: 8877fdc0519c7a4cc03b06452ca6108a2666c8a5f0125462a5deaadd6e7f0f08
Instruction Fuzzy Hash: 05D05B7150010879EA10A6D54D87E6F725CDB8438CF10086AB540F21D7F5F89E405277

Function 00409FF0 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

TAA, xrefs: 0040A073
TAA, xrefs: 0040A015

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA
API String ID: 0-1195183021
Opcode ID: 0d75a516953a9fe3f85621269eb82ea4f08c0ad6de64ca4b8ad2c706676fcc06
Instruction ID: 51807a1b2122040739a1ee4006eeeedf0ec76e91885c5e9f45fab3e4fc954ae2
Opcode Fuzzy Hash: 0d75a516953a9fe3f85621269eb82ea4f08c0ad6de64ca4b8ad2c706676fcc06
Instruction Fuzzy Hash: A3019271B043089BD7109E2DD888B5736A9EBD1354F28C037E804EF3A9D67ADC5187AA

Function 0040A090 Relevance: 2.5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

Strings

TAA, xrefs: 0040A0F0
TAA, xrefs: 0040A0A6

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA
API String ID: 0-1195183021
Opcode ID: a8cccd9735913dd047e710a45a3c693ce12f8ce5d48114d8fcb3192fb12e75cf
Instruction ID: c23f76c0cd0550e240eab5971925b9a70b7712a52495b4c00582062789fd8e38
Opcode Fuzzy Hash: a8cccd9735913dd047e710a45a3c693ce12f8ce5d48114d8fcb3192fb12e75cf
Instruction Fuzzy Hash: 59F01D712192498BD7109F5CD98865237A1BBD2300724C077D415EF7A9E73EDCA1571E

Function 00408F30 Relevance: 2.5, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F40
GetLastError.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F49

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 8f274d99a147e50b54a23f130a6af21b789104eaeca9aa044c09992f31765023
Instruction ID: de3a684bfb8de0e994f23643041a810b84f4080b94aa493572bcd5a4d69fd675
Opcode Fuzzy Hash: 8f274d99a147e50b54a23f130a6af21b789104eaeca9aa044c09992f31765023
Instruction Fuzzy Hash: E3C0121020030222DD0032BB2A8260A628D08AA3CCB004C3FBB85B22C3BCBDC880102D

Function 00408F2F Relevance: 2.5, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F40
GetLastError.KERNEL32(?,00000000,?,00409158,?,00000001,?,?,00409CBA,00000000,?,00000000,?,0040CD4A,?), ref: 00408F49

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 4b7ba673113eedc8633e88e2f3c97baf2f607fc7a1734be6edc83b1c47b91784
Instruction ID: d3185bb3960970b58c6ab97da122e02abbfcbe02429927c111e3f04b41fdad41
Opcode Fuzzy Hash: 4b7ba673113eedc8633e88e2f3c97baf2f607fc7a1734be6edc83b1c47b91784
Instruction Fuzzy Hash: 6FC01220A0824611DE1133F62A8224A52460CA63CCB008C7FFBC5B66D3EDBCC484502D

Function 00407360 Relevance: 2.5, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00407555,?,00414E04,004084C3,?,?,00413A94,00407074,?,00414324,00407085,0040709A,004062DA), ref: 00407366
HeapFree.KERNEL32(00000000,00000000,?,?,00407555,?,00414E04,004084C3,?,?,00413A94,00407074,?,00414324,00407085,0040709A), ref: 0040736C

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b3fd2990f69cfc92f55bb57551e7c34e8dec46aac9d4717318da0e4d3ab60f81
Instruction ID: 1eb9f0d1c59b80b3e689ec80b790dbb5469c768de38cdc21b3ebf7bfe617d84e
Opcode Fuzzy Hash: b3fd2990f69cfc92f55bb57551e7c34e8dec46aac9d4717318da0e4d3ab60f81
Instruction Fuzzy Hash: 92B0026465430C35D54472B75C07F17754C4B4D7DDF404465BB05B91D298E9E804007D

Function 004050F0 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,00000000,?,?,?,?,00409BE3,?,?,00000000,0040CD3A,?,?,00000000), ref: 0040514E

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c561c42d8472489699f78180848a425270f1fa11a0a3b7fb3aee6b01ac95943
Instruction ID: d3f86761436e4769f37e886df23de5ca6ec870c105c3a365da0caaa363da37b1
Opcode Fuzzy Hash: 9c561c42d8472489699f78180848a425270f1fa11a0a3b7fb3aee6b01ac95943
Instruction Fuzzy Hash: 29216230A0191AABCB10EB99E951ADEB7B5EF44344F104136E801F7391DB34EE05CB98

Function 00402380 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00401F80: GetModuleFileNameA.KERNEL32(00000000,00000000,00000200,00000000), ref: 00401FE9

Part of subcall function 0040CBD0: FindFirstFileA.KERNEL32(?,?,004122A4,?,004023F0,00000000), ref: 0040CBEC
Part of subcall function 0040CBD0: FindClose.KERNEL32(00000000,?,?,004122A4,?,004023F0,00000000), ref: 0040CBF8

DeleteFileA.KERNEL32(00000000,00000000), ref: 0040241E

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: File$Find$CloseDeleteFirstModuleName
String ID:
API String ID: 3801553910-0
Opcode ID: a79f544b9dafa49e35823a337a884e47ce4017714d9367e60a040fa1b72ad9e1
Instruction ID: 3e9fb154fd0bdebf0ea1e714c26e85ccbf2130d33045713b0fe4156c11de1d91
Opcode Fuzzy Hash: a79f544b9dafa49e35823a337a884e47ce4017714d9367e60a040fa1b72ad9e1
Instruction Fuzzy Hash: 8721F1309001099BDB10FBB6D9825CD777CAF40348F60847FA411B76D2EB7CDA598A59

Function 00404AD0 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00404AE6

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: a8429c9fb71ca2eee19bd2b5da853392bc9ecc96035a4e2ad6dbb7a962620a8e
Instruction ID: 8668621161ff85f4688893ebe78a86cb5a31a9f26558256c830987c2dee529d6
Opcode Fuzzy Hash: a8429c9fb71ca2eee19bd2b5da853392bc9ecc96035a4e2ad6dbb7a962620a8e
Instruction Fuzzy Hash: 3EF0F4B0A04204DBD711DBD9DA4578EB3F4AB44349F1440B6D605B72E1D678EF04DB9A

Function 0040BEEF Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

D$A, xrefs: 0040BF14

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: D$A
API String ID: 0-2028039342
Opcode ID: b6628395b658e55c5c837456db42903f6e313071886f527379c9d06979955953
Instruction ID: 6a09ce918ec4f4952b42f17593b44b6d33b46f683426e051765fca7cb6675ea3
Opcode Fuzzy Hash: b6628395b658e55c5c837456db42903f6e313071886f527379c9d06979955953
Instruction Fuzzy Hash: ACF0A0727004149FCB00EA5EC881A8BB7E8EF4535471440BAE104E7352D774EE098B99

Function 0040BEF0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

D$A, xrefs: 0040BF14

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: D$A
API String ID: 0-2028039342
Opcode ID: eb32ab28c594c37f47dd6cb160035726ef88d61f01fcf2e2ed1e1753d24bf0d0
Instruction ID: 749a490fd3b23600571b89b61c57f56287cbe47e177aa169166ba58e5f1a2f41
Opcode Fuzzy Hash: eb32ab28c594c37f47dd6cb160035726ef88d61f01fcf2e2ed1e1753d24bf0d0
Instruction Fuzzy Hash: 2AF0A0327005149FCB00EA8EC882A8BB3ECEF84354B5440B6E604E7351E6B4EE058B99

Function 00407860 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 2756da6422c4a4fb1a4cf5a0a53fa8a1a75f3680513a27726cccdf470ce740a7
Instruction ID: b69b4ac7eb598f4c06a8dcc64aa7554d6671a07a9a2045bb85b7027eebb324fd
Opcode Fuzzy Hash: 2756da6422c4a4fb1a4cf5a0a53fa8a1a75f3680513a27726cccdf470ce740a7
Instruction Fuzzy Hash: 84C1F674E04606CFDB10DF58C584B9EB7F1BB48314F2486BAE915AB391C738AE41CB96

Function 00407CE0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d824371fede7b6c45edcebe55f4bd7f4aed99052ff95627514ea552154fef930
Instruction ID: 7aab19a6a82f5d6f2e742c853dd97bc7e79273425c4b0314b0993a9bfec6eed2
Opcode Fuzzy Hash: d824371fede7b6c45edcebe55f4bd7f4aed99052ff95627514ea552154fef930
Instruction Fuzzy Hash: D231CB70B082018BD754DE29C5C0B66B3A1BF84314F18C57AD9599B38AD778EC85CB9A

Function 00404C30 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 59037475fd155a482e5a62e630a7d5894d36e4ecc0293a6776fcb02a92f07c92
Instruction ID: f426aa74437352e114858e9a7265d3c49340466cf0c49e10ac52247323db11ce
Opcode Fuzzy Hash: 59037475fd155a482e5a62e630a7d5894d36e4ecc0293a6776fcb02a92f07c92
Instruction Fuzzy Hash: 14215CB030A5018BE3209E2DC88461AB6E1AFD0344B15453EEBD1EB3D1DB38ED429789

Function 00407BF0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf441eb76e10deed5cc82f090eadcc5c4ad23a3239685db264a57fc3d30b13d
Instruction ID: d871636fa5d7cf43c325b4df59a9e2ec7d989ddb8e2058b1dd42d92be0892578
Opcode Fuzzy Hash: ddf441eb76e10deed5cc82f090eadcc5c4ad23a3239685db264a57fc3d30b13d
Instruction Fuzzy Hash: EA311474A082019FE710DF19C580A5AF7E1FF88314F24CABAE8889B355D739EC45DB86

Function 0040CD00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b76e3309e470aa54ec7860e08e304e445b18ba572101e5574426ecc20eaf5a0
Instruction ID: 9be14f816ee4fc389cee1bad8bad6446b88409d80e6bdeefba41a25bed2c55f2
Opcode Fuzzy Hash: 1b76e3309e470aa54ec7860e08e304e445b18ba572101e5574426ecc20eaf5a0
Instruction Fuzzy Hash: 55210335A0415D8BDB20DB15CD88ACDB7B9AF85304F1042F6D888B3251D6B66EC5CF59

Function 0040CC10 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64e2dd46f2612eeef2655a56e04516730032f6ce19d9f1cfcf63ed10964e621
Instruction ID: 5c59a35e6e16528c49b31edc67dff44608829c9b9c7a156613b7b71352cdb5eb
Opcode Fuzzy Hash: e64e2dd46f2612eeef2655a56e04516730032f6ce19d9f1cfcf63ed10964e621
Instruction Fuzzy Hash: CF212B31A0011D8BDB20EB95CC85BCEB3A99FC4314F1102F7D408B3291D9F89EC88A59

Function 00407D42 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80474d53d8746d5fc15e21a479998b666e1f0781f18ccc68acdc2f8e463d9570
Instruction ID: 6a85f5bc11cc1f64ca7b0d8b735abc22ef27422e6e7f299797994b1310b49f58
Opcode Fuzzy Hash: 80474d53d8746d5fc15e21a479998b666e1f0781f18ccc68acdc2f8e463d9570
Instruction Fuzzy Hash: 1921B870B042018BDB54DE59C1C4A66F3A2FF84714F18C5BAD9099F38AD778EC84CB9A

Function 00406670 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b9dd3cb3a1f39be1a6da9e80c3f80b8cc061680a728e506c9451d1a555fd9
Instruction ID: 0864ca5b04c2769887b6d9357d042df8fb86663a7cb1a9ca62877de9e2e9772a
Opcode Fuzzy Hash: 163b9dd3cb3a1f39be1a6da9e80c3f80b8cc061680a728e506c9451d1a555fd9
Instruction Fuzzy Hash: 8F011D6532451082D629297D1C6D2B702469B4136CB175C3FE003B77E6C83EDD3752AE

Function 00407500 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31c819c156f354e2b5c7111c16825a531ed05a3dbb542af1af4cde972ae882a
Instruction ID: c011174cc7f6886c9b2b8c4b8da9cef7ef0049b38afd6999f321335a024f7e7e
Opcode Fuzzy Hash: e31c819c156f354e2b5c7111c16825a531ed05a3dbb542af1af4cde972ae882a
Instruction Fuzzy Hash: 1DF0EC35604B109FD324CF2AC484B42B3E0EF48329F14C97A98599BBA5C378F881DF55

Function 004090CF Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: fb93ac02be2b1b4337f020ec637fe9853dce1b70996f550062dd840b2f89bfcd
Instruction ID: a6474941357681142c29cd0b60755786d987bdce75da65f465cd0dd467d4fefe
Opcode Fuzzy Hash: fb93ac02be2b1b4337f020ec637fe9853dce1b70996f550062dd840b2f89bfcd
Instruction Fuzzy Hash: CDE04F76B001146BC700EAAF488198FEBF99FC825472444BEF108E3352D6758E018794

Function 004090D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 24b9d5f8d3e75d1dde91d3f34cf7cc5e82a5428f66484c88b21ae2446e93f15d
Instruction ID: ff6be8c59ad0690555e0bdd8975f6dc6db77971b47642a92abf2d4b335dfed85
Opcode Fuzzy Hash: 24b9d5f8d3e75d1dde91d3f34cf7cc5e82a5428f66484c88b21ae2446e93f15d
Instruction Fuzzy Hash: 23E01A76B002146BC700EAEE988198FF7F99BC8654B10447AA608E3302E5759E0187A5

Function 0040FE57 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11619e9dc0b695727ad16f0b8d88c9f4ace06167db76e271ea258c2c83a2b39
Instruction ID: 6a40e7ac55affb6d02ec4f7310c2d2055dc028f317bc9f9accffb0bf9885dd4e
Opcode Fuzzy Hash: c11619e9dc0b695727ad16f0b8d88c9f4ace06167db76e271ea258c2c83a2b39
Instruction Fuzzy Hash: 27E01A357100099BCB00EAE9E98298E77B5AF84354F200076E801F72C5CA38ED008664

Function 00409BC0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a458b7f8a0a6f9312e5b16e85df32c0238ab0793265dfebe5429ac29cb2c1d4
Instruction ID: 5769353e307432eb47bc76689703cbedcd35e4e7461d5211f0250b1a1a6eb80d
Opcode Fuzzy Hash: 3a458b7f8a0a6f9312e5b16e85df32c0238ab0793265dfebe5429ac29cb2c1d4
Instruction Fuzzy Hash: ECE08C3632031047EB349A1998853DA73D9EFCC320F4440BAAE19E7383D6786C1987E3

Function 00409E90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab80f76162070029032e32b6b47482bccdc6471b78007e15be8f24d2d152a89b
Instruction ID: 22f366534dd5bc50e1e8ff292aac7f8493e7cc46ed49dca21222df37d835e5ae
Opcode Fuzzy Hash: ab80f76162070029032e32b6b47482bccdc6471b78007e15be8f24d2d152a89b
Instruction Fuzzy Hash: 1DD05E725002187BD711EB84DC81ECEBBACDF05264F000066AA05A3241D2706E40C7E5

Function 00409FC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab80f76162070029032e32b6b47482bccdc6471b78007e15be8f24d2d152a89b
Instruction ID: 7c9fbb8cb1c611448c79c9a6bf0767d7fd5b00f67adce62892cdc148ec3d9442
Opcode Fuzzy Hash: ab80f76162070029032e32b6b47482bccdc6471b78007e15be8f24d2d152a89b
Instruction Fuzzy Hash: 17D05E72500218ABDB11DB84DC81ECEBBACDB05264F000066AA45A3241D2706E40C7E5

Function 0040FF0E Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f6289b4f0d92862713f69029bdb8d08f94c75dd29d544d9731ffb18eaa84c8
Instruction ID: afc853210c1cdf66b00935258e506e6ec146a2eaa66ac701c7178a780ca0fe0b
Opcode Fuzzy Hash: 58f6289b4f0d92862713f69029bdb8d08f94c75dd29d544d9731ffb18eaa84c8
Instruction Fuzzy Hash: 80C01222B1000503CB11B7FEA4930CD63A84F44359310847FE403F21C2DE7CC81845BC

Function 004087E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dffbf9aea51b8be75411cb6cb8b2b8188108574a0087406c30a01eb87b501b
Instruction ID: 21ff9b9423dbeb2d42e1a38ee45d82564a1068a57674b886a77b0860f703fc1d
Opcode Fuzzy Hash: 27dffbf9aea51b8be75411cb6cb8b2b8188108574a0087406c30a01eb87b501b
Instruction Fuzzy Hash: 05C04CA06006004BC6407BB66D8A54E65957A88309360443EB144D739ADF384401455C

Function 00402492 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf740addcec07bb0216c7e1353418296c7b3f4a6a7e40ca4cda3834624186245
Instruction ID: 89e68c26e0da62d653c818a45514acca47735ccf74818470604e8dd374824218
Opcode Fuzzy Hash: bf740addcec07bb0216c7e1353418296c7b3f4a6a7e40ca4cda3834624186245
Instruction Fuzzy Hash: 47A0021494E7866BCB4633F2091618819901C462583C501EBFC90E90D388BC544D412F

Non-executed Functions

Function 0040D740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0040D7F8
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 0040D811
InternetReadFile.WININET(?,?,00001389,?), ref: 0040D832

Part of subcall function 00404370: GetOEMCP.KERNEL32(?,?,?,?,00401694,00000000,00000001,?,?,00000000,00000000,?,?,?,?,00000000), ref: 004043E3

Part of subcall function 00404EC0: GetOEMCP.KERNEL32(00000000,?,?,?,004041BD,00000000,?,?,?,?,004049B3,00000000,?,?,?,?), ref: 00404F01

Part of subcall function 00404E50: GetOEMCP.KERNEL32(?,?,00000000,?,0040D8D3,00000000,00000001,00000000,?,?,00001389,?,?,?,00000000,00000000), ref: 00404E92

InternetCloseHandle.WININET(?), ref: 0040D8F6
InternetCloseHandle.WININET(?), ref: 0040D8FE

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, xrefs: 0040D751

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
API String ID: 3121278467-2759677928
Opcode ID: 1e29e82b67999b5c1ea241c82b88a386ff2bd9b8148375461da42e6f0600d494
Instruction ID: e5eb285b21e476ac6d201a33ca2c25e8ba340444dd1b42a4f136925409b67bcc
Opcode Fuzzy Hash: 1e29e82b67999b5c1ea241c82b88a386ff2bd9b8148375461da42e6f0600d494
Instruction Fuzzy Hash: A151EB74D0021A9ADB21EB52CC42BDEB3B8EF44349F5040FAB605B62D1D7789F858F59

Function 01F9BFD0 Relevance: 3.0, APIs: 2, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,004122A4,?,01F917F0,00000000), ref: 01F9BFEC
FindClose.KERNEL32(00000000,?,?,004122A4,?,01F917F0,00000000), ref: 01F9BFF8

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c00e2105ecc9a42210df76298d796d2c98af70f43de7b7442e998dfa8c5a4d6d
Instruction ID: 709551fe7774cf7cd6d358f0906532f09c59764931f30e3b7d2c473ce65b9bdb
Opcode Fuzzy Hash: c00e2105ecc9a42210df76298d796d2c98af70f43de7b7442e998dfa8c5a4d6d
Instruction Fuzzy Hash: F3D0A7B295020313DF2271FD2C91DDF725C5BC4314F044A85F629D7180F977D6918EA1

Function 0043E330 Relevance: 2.3, Strings: 1, Instructions: 1054COMMON

Download Yara Rule

Strings

SS, xrefs: 0043E9FD

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: SS
API String ID: 0-573381670
Opcode ID: 1caafce28094b7f3239f546207c9e70a788a57bcea43cedcc37fe0810a849677
Instruction ID: 0c4f7943070cbf30a865c510d6c8365d7c6b5b6f6c0ea367064b1750d2379869
Opcode Fuzzy Hash: 1caafce28094b7f3239f546207c9e70a788a57bcea43cedcc37fe0810a849677
Instruction Fuzzy Hash: CE929125E242068ADF04DBB9D4687FEB671EF4C310F14E13BDC1267392D27D894A9B1A

Function 01FC7530 Relevance: 2.3, Strings: 1, Instructions: 1053COMMON

Download Yara Rule

Strings

SS, xrefs: 01FC7BFD

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: SS
API String ID: 0-573381670
Opcode ID: 234087c2a68913048c2d51ce1291f1bef505b7f84557af040a168c7972ea9ac4
Instruction ID: 16e4314cd72bf9c2539e5da2883346a3e97dea361f63fcfa2fc053d90c55e555
Opcode Fuzzy Hash: 234087c2a68913048c2d51ce1291f1bef505b7f84557af040a168c7972ea9ac4
Instruction Fuzzy Hash: C992F329E24207CADF05DBBCC6683FDBB71EF94720F04C92ED50167296D3B68942AB15

Function 01FC5F7F Relevance: 2.2, Strings: 1, Instructions: 906COMMON

Download Yara Rule

Strings

I, xrefs: 01FC6273

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: ad5ff3caf1a21b3cc5719dc2805dfd8e18e0c8fbe7f054ddd0d872f2a920075d
Instruction ID: 70d8e54076597817f52263732701928cb815f1f7ac35c8d1450faa8e30379ae9
Opcode Fuzzy Hash: ad5ff3caf1a21b3cc5719dc2805dfd8e18e0c8fbe7f054ddd0d872f2a920075d
Instruction Fuzzy Hash: DC728665D0818BCECF16CAFC86540FDFFB29F57524F1C8689D4A0A7396C2269906EF21

Function 0043CD7F Relevance: 2.2, Strings: 1, Instructions: 906COMMON

Download Yara Rule

Strings

I, xrefs: 0043D073

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4b3c1d37a9b7105f7cde9307f14c78572d0f7c9a2c2b9e1c62c9171e90379830
Instruction ID: e69ad79731f42585693c90254294018710c9d7746c4c334e7f803c33f0400c6f
Opcode Fuzzy Hash: 4b3c1d37a9b7105f7cde9307f14c78572d0f7c9a2c2b9e1c62c9171e90379830
Instruction Fuzzy Hash: DB729375D0928A8ECF15CABD84940FEFFB25B1F310F189197D4A17B3D6C2289906DB29

Function 0040B140 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0040B146

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 27290344b71386094c6150c10e5ba3af6ffcbb7aa33e3c10512505393f41d44b
Instruction ID: b0d01ddab0dcffeda4ca72902b852536490fc7903367718964e2fbb5382b3b7c
Opcode Fuzzy Hash: 27290344b71386094c6150c10e5ba3af6ffcbb7aa33e3c10512505393f41d44b
Instruction Fuzzy Hash: 80A002C05243083AF81873A79C0BC37759CC4C2BDC740456D7D01A259268F9FC0040F9

Function 01F9A390 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0040ADC0,?,01F9A036), ref: 01F9A399

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 950566c23f00ded5e8d7bfc52e2f297d0d20b5bc7b5e942e377effe94d4bfa1a
Instruction ID: aefbf229a3aef46d0056fabbcddb3a52ff27f2b83d21510320c7afc878da7180
Opcode Fuzzy Hash: 950566c23f00ded5e8d7bfc52e2f297d0d20b5bc7b5e942e377effe94d4bfa1a
Instruction Fuzzy Hash: 4AA0025063434A53EE0472AD2C1694E72CD495495DB8044713501F3681DDA9F81044FF

Function 0040AF90 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0040ADC0,?,0040AC36), ref: 0040AF99

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 950566c23f00ded5e8d7bfc52e2f297d0d20b5bc7b5e942e377effe94d4bfa1a
Instruction ID: 931faed722bb3fb7c5ee59d210f340d5199b7217c70e59f9b912faa8cdfdf078
Opcode Fuzzy Hash: 950566c23f00ded5e8d7bfc52e2f297d0d20b5bc7b5e942e377effe94d4bfa1a
Instruction Fuzzy Hash: CFA0025063434953D90872AE180790A72CD4944B8D78044763D01F7AD299BCF81000BE

Function 01F9A3A0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,01F99FFD,?,01F9648A,01F9649A,01F956DA,?,01F90AB2,00000000), ref: 01F9A3A5

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 40fbf3f2004cb55a3d711e383b879ecaa65172d0c6901e782c605e39abc23a91
Instruction ID: 84b07ac71d536fe08cd2b1692854432d8a5e43a88030936ad93b41e2792f4454
Opcode Fuzzy Hash: 40fbf3f2004cb55a3d711e383b879ecaa65172d0c6901e782c605e39abc23a91
Instruction Fuzzy Hash: 58A0020026834923F94472966C13B4D758C47519ADF400050A605551C19CC2E40044F7

Function 0040AFA0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0040ABFD,?,0040708A,0040709A,004062DA,?,004016B2,00000000), ref: 0040AFA5

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 40fbf3f2004cb55a3d711e383b879ecaa65172d0c6901e782c605e39abc23a91
Instruction ID: b8b4b26b0db1e3e6f8d93d7d1fcc156ca41ffa4908ae0189e3f343b0063c2932
Opcode Fuzzy Hash: 40fbf3f2004cb55a3d711e383b879ecaa65172d0c6901e782c605e39abc23a91
Instruction Fuzzy Hash: 07A0020026834823E44872975803B05758C4741BDDF400065BE05695D218E5E40000BE

Function 01FA8BA0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ebd792bcb3a36e27e26b482a46b427b12587962f0e322e1880a4262ae34b3a
Instruction ID: 0022653d1d85206e48cd8a1c5e530b861860b23eabb8b17d14b8903d8203733c
Opcode Fuzzy Hash: 90ebd792bcb3a36e27e26b482a46b427b12587962f0e322e1880a4262ae34b3a
Instruction Fuzzy Hash: EA21D3B2B016064B8B08DE3ECD8556EB7E3ABC8600F58C63D9949D7385DA71DC158B82

Function 01F92C40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b22eeb9b3af0e6112254074e3746d18cf762d9e6e1071ec62d5f148c1a01e0
Instruction ID: 11a1594086bb1b7791405a0fb62cc73e503dccc0cccc06c61f56066ba4e57d18
Opcode Fuzzy Hash: b0b22eeb9b3af0e6112254074e3746d18cf762d9e6e1071ec62d5f148c1a01e0
Instruction Fuzzy Hash: 7721D132F002165B9B0CEE7ECD8556EB7E3BBC8610F58C62D9949D7389DA71DC058B82

Function 01FAEC40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e80079de06823897951b8b4b06351382aa3037f00725fc5f0e3727ddbca4c4d
Instruction ID: 0c1210f626a014db852d88afbd48290a8f01abe4d88605b267118b7d086dba0d
Opcode Fuzzy Hash: 3e80079de06823897951b8b4b06351382aa3037f00725fc5f0e3727ddbca4c4d
Instruction Fuzzy Hash: 80317E757505018BD718DF2CEC8530A3AE2F7EA309F18C630E915C76B8DB75A819AB50

Function 01F95EB0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb6a9670f35bce615c762f62bb5bb51ed2e5eb32715b1220265124c3571a8d7
Instruction ID: 516074345eb22d4c6417e357eaece1e290071baf1c7c80072ff8c378259c2e56
Opcode Fuzzy Hash: fbb6a9670f35bce615c762f62bb5bb51ed2e5eb32715b1220265124c3571a8d7
Instruction Fuzzy Hash: A2310A717205058BE758CF2DFC8478677E2B7C975AF28C635D924CB2B8DB3698218B48

Function 00406AB0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb6a9670f35bce615c762f62bb5bb51ed2e5eb32715b1220265124c3571a8d7
Instruction ID: 5bca7291bf59406a9e0ab9c08bfc99644265b10755d7d7090c9dbd6603ad0080
Opcode Fuzzy Hash: fbb6a9670f35bce615c762f62bb5bb51ed2e5eb32715b1220265124c3571a8d7
Instruction Fuzzy Hash: 07311C717205018BD358CF2DFC8478677E2B7C9349F29C634D924DB2B8DB35A8218B48

Function 00403840 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b22eeb9b3af0e6112254074e3746d18cf762d9e6e1071ec62d5f148c1a01e0
Instruction ID: cc767f426579d0800c68189a922befc19794d1c06e7436dc1fbf189c43a6ef3b
Opcode Fuzzy Hash: b0b22eeb9b3af0e6112254074e3746d18cf762d9e6e1071ec62d5f148c1a01e0
Instruction Fuzzy Hash: 4221B472F042054B8B08DE3ECD8556EBBD3ABC8600F58C63E9949E73C9D974DD058786

Function 0041F9A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ebd792bcb3a36e27e26b482a46b427b12587962f0e322e1880a4262ae34b3a
Instruction ID: c1f623a2b91677ed8d94105c987641c858d443f1c2b14066d49298572e7bac43
Opcode Fuzzy Hash: 90ebd792bcb3a36e27e26b482a46b427b12587962f0e322e1880a4262ae34b3a
Instruction Fuzzy Hash: 9E21D371B002154B8B08DE3ECD8556EB7E3AFC8600F59C63E9949D7384DA74DC0AC786

Function 00425A40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e80079de06823897951b8b4b06351382aa3037f00725fc5f0e3727ddbca4c4d
Instruction ID: 5eba3bad484574217c4a3727816ef1cab74f0e7b2ea4b59144fa2d66b4fad649
Opcode Fuzzy Hash: 3e80079de06823897951b8b4b06351382aa3037f00725fc5f0e3727ddbca4c4d
Instruction Fuzzy Hash: E8315C357505018BD718DF2DEC8670B36E2F7EA309F28C634E915C76B8DB74A81AAB50

Function 01F92B60 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aeb576201087f71be3c157f3b07e69f63ba37d2cccc4fa1a9ea97786d7ad5b1
Instruction ID: 3752715316d82318e93781f82f928881896509685cf83248bc14c5444b361179
Opcode Fuzzy Hash: 0aeb576201087f71be3c157f3b07e69f63ba37d2cccc4fa1a9ea97786d7ad5b1
Instruction Fuzzy Hash: 8721D072B002164B9B0CEE7ECD8456EB7E3ABC8610F19C63D9949D7385DE71DC068781

Function 01FA8AC0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e9acf342599469acf4fb141352183b589c9214a0b841181ea648555d36f7b5
Instruction ID: c4e5a75843b7f0ce8a18759beb80546f10be18c01dc612cd97cf3f8a1ef3e2d9
Opcode Fuzzy Hash: 34e9acf342599469acf4fb141352183b589c9214a0b841181ea648555d36f7b5
Instruction Fuzzy Hash: 9221C1B2B012164B8B0CDE7EC98456EB6E3ABC8640F49C63D9949D7384DEB198068681

Function 00403760 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aeb576201087f71be3c157f3b07e69f63ba37d2cccc4fa1a9ea97786d7ad5b1
Instruction ID: bff3b945e754ea8f53e63047e15c0b29ce31a33237b04b93bd7d2bfed69102c0
Opcode Fuzzy Hash: 0aeb576201087f71be3c157f3b07e69f63ba37d2cccc4fa1a9ea97786d7ad5b1
Instruction Fuzzy Hash: 9A21A472B042164BCB0CDE7EC94456EB6D7ABC8600F19C63E9949E73C4DE709D068686

Function 0041F8C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e9acf342599469acf4fb141352183b589c9214a0b841181ea648555d36f7b5
Instruction ID: 18cb95e432ea895f81178e74ba9cefa9c89d82fe88b2564ab66a071d3ea006c5
Opcode Fuzzy Hash: 34e9acf342599469acf4fb141352183b589c9214a0b841181ea648555d36f7b5
Instruction Fuzzy Hash: 5A21B671B012164B8B0CDE7EC94466EF7D3ABCC600F59C63E9949DB385DE709C0AC686

Function 01FE60D0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfba68b455c9d2cd484c208e31e540f9bdc4ac9f624e025a2ff0850e99d38e17
Instruction ID: 943c9e6609cc78c560f964e5490e6e101776225d78471c50ac17503d7846b14b
Opcode Fuzzy Hash: dfba68b455c9d2cd484c208e31e540f9bdc4ac9f624e025a2ff0850e99d38e17
Instruction Fuzzy Hash: 93210ABBD3081CC66F5B8658CC4C154ABE2A9B1A74B0C462ECA41D3352E33EEA458694

Function 0045CED0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfba68b455c9d2cd484c208e31e540f9bdc4ac9f624e025a2ff0850e99d38e17
Instruction ID: d56c4874c342fecf12705fc3fd2155ca999a7aefe0af823499d470a1c8c010d7
Opcode Fuzzy Hash: dfba68b455c9d2cd484c208e31e540f9bdc4ac9f624e025a2ff0850e99d38e17
Instruction Fuzzy Hash: 2421CF37920A188F8F1886648CC0559F3A3A986757329427FCC51E73C2E33CEE4E869C

Function 0041AD00 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31ddf51e7f55e23ed3c70adf41e10783dfa9160ccffc950b82ead93f5e11f9b
Instruction ID: 09f583309889b0a78b5c5c4ae5711d13c79bc57c97b5424f3016fbb327bb73f3
Opcode Fuzzy Hash: d31ddf51e7f55e23ed3c70adf41e10783dfa9160ccffc950b82ead93f5e11f9b
Instruction Fuzzy Hash: B411C8394187805ADB02DB68F8463CB7FA1BB6730CF08458AE451973E2C37C89D8E796

Function 01F9A9F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce1dc0e4554c1f3db785e4d883f15130780931387aa3c39bc21e43d259004ea
Instruction ID: 691ae678673183ff96a341cf0a0ab9c9b08bbe0644b03b81fb2cb57b8d77effc
Opcode Fuzzy Hash: fce1dc0e4554c1f3db785e4d883f15130780931387aa3c39bc21e43d259004ea
Instruction Fuzzy Hash: 9CF0A838A10249EFDB00EF98D68098CFBF4EB08264F118095EC46E7321D234EE40DB40

Function 0040B5F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce1dc0e4554c1f3db785e4d883f15130780931387aa3c39bc21e43d259004ea
Instruction ID: aed6b168c0062cc165d81befd02394fc8b7b85c5a4d1b54edc5b16b48e4cd749
Opcode Fuzzy Hash: fce1dc0e4554c1f3db785e4d883f15130780931387aa3c39bc21e43d259004ea
Instruction Fuzzy Hash: 90F09B38A10608EFCB00CF98D58198CBBF4EB08328F1044A6E845E7351D334AE409B85

Function 01F910D0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 01F9C2A0: GetFileAttributesA.KERNEL32(00000000,?,01F911E1,00000000,00000000,00000000,00000000), ref: 01F9C2AD

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 01F91207

Strings

SOFTWARE\Microsoft, xrefs: 01F91238
iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf, xrefs: 01F9114C, 01F9118E
.exe, xrefs: 01F9119E
yeah, xrefs: 01F9122D, 01F91232
T"A, xrefs: 01F91176
ProgramData\Microsoft\, xrefs: 01F91134
coreinstalled2, xrefs: 01F91233
D"A, xrefs: 01F9115C

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: .exe$D"A$ProgramData\Microsoft\$SOFTWARE\Microsoft$T"A$coreinstalled2$iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf$yeah
API String ID: 3401506121-4280551177
Opcode ID: 1afce400f2e7446da664eb03a72d901e32a36061753d53bec5e006dda8a77cf0
Instruction ID: 7962ba375ead3b442ddb90878a439c72f652c1f2e1e169c6ab85848de94b59de
Opcode Fuzzy Hash: 1afce400f2e7446da664eb03a72d901e32a36061753d53bec5e006dda8a77cf0
Instruction Fuzzy Hash: 9F41A370E1010AABEF44FFE4CD90BCDB7B9EF50304F508166D518EB254EB76AA468B94

Function 01F910CF Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 01F9C2A0: GetFileAttributesA.KERNEL32(00000000,?,01F911E1,00000000,00000000,00000000,00000000), ref: 01F9C2AD

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 01F91207

Strings

SOFTWARE\Microsoft, xrefs: 01F91238
iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf, xrefs: 01F9114C, 01F9118E
.exe, xrefs: 01F9119E
yeah, xrefs: 01F9122D, 01F91232
T"A, xrefs: 01F91176
ProgramData\Microsoft\, xrefs: 01F91134
coreinstalled2, xrefs: 01F91233
D"A, xrefs: 01F9115C

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: .exe$D"A$ProgramData\Microsoft\$SOFTWARE\Microsoft$T"A$coreinstalled2$iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf$yeah
API String ID: 3401506121-4280551177
Opcode ID: febdaf6c46127ac39140f42b82f59c30f71220ce14a45e7625cff05b46233f06
Instruction ID: 11cb406b3bcfd5765703653ad1fbe842d2feb7b301d559b6d020df8888dac613
Opcode Fuzzy Hash: febdaf6c46127ac39140f42b82f59c30f71220ce14a45e7625cff05b46233f06
Instruction Fuzzy Hash: 0A419270E1010AABEF40FFE4CD90BCDB7B9EF50304F508166D518EB250EB76AA468B94

Function 00401CCF Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 0040CEA0: GetFileAttributesA.KERNEL32(00000000,?,00401DE1,00000000,00000000,00000000,00000000), ref: 0040CEAD

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401E07

Strings

D"A, xrefs: 00401D5C
SOFTWARE\Microsoft, xrefs: 00401E38
coreinstalled2, xrefs: 00401E33
ProgramData\Microsoft\, xrefs: 00401D34
.exe, xrefs: 00401D9E
T"A, xrefs: 00401D76
iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf, xrefs: 00401D4C, 00401D8E
yeah, xrefs: 00401E2D, 00401E32

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: .exe$D"A$ProgramData\Microsoft\$SOFTWARE\Microsoft$T"A$coreinstalled2$iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf$yeah
API String ID: 3401506121-4280551177
Opcode ID: 0b729d5ac2df1fdbe1913b4806aad9684babafcdb1c7b327b09311c67c62a8c1
Instruction ID: d57faac4e379b6b6a3d4cb972cb0b490a2fb48aa7090c8370285ce96ad79931b
Opcode Fuzzy Hash: 0b729d5ac2df1fdbe1913b4806aad9684babafcdb1c7b327b09311c67c62a8c1
Instruction Fuzzy Hash: F241CB70E101099BDB00EFE5C9917CEBBB9EF40309F50817AE514FB291DB789A458B98

Function 00401CD0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 0040CEA0: GetFileAttributesA.KERNEL32(00000000,?,00401DE1,00000000,00000000,00000000,00000000), ref: 0040CEAD

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401E07

Strings

D"A, xrefs: 00401D5C
SOFTWARE\Microsoft, xrefs: 00401E38
coreinstalled2, xrefs: 00401E33
ProgramData\Microsoft\, xrefs: 00401D34
.exe, xrefs: 00401D9E
T"A, xrefs: 00401D76
iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf, xrefs: 00401D4C, 00401D8E
yeah, xrefs: 00401E2D, 00401E32

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: .exe$D"A$ProgramData\Microsoft\$SOFTWARE\Microsoft$T"A$coreinstalled2$iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf$yeah
API String ID: 3401506121-4280551177
Opcode ID: b092cdedddf022eb99e7e18ae1f2d8150b5afb1ff6546a1893b0d951b6f3600c
Instruction ID: 5a1edb74f4a431eea3a4e33c9315e8347f1935b45c70a5397b457ae548f1e1f4
Opcode Fuzzy Hash: b092cdedddf022eb99e7e18ae1f2d8150b5afb1ff6546a1893b0d951b6f3600c
Instruction Fuzzy Hash: 1A41ED30E101099BDB00EFE5C9917CEBBB9EF40308F50817AE514FB291DB78AA45CB98

Function 01F9A3D0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(00414260), ref: 01F9A3DA
GetModuleHandleA.KERNEL32(00000000,00414260), ref: 01F9A3EA
GetCurrentProcessId.KERNEL32(00414260), ref: 01F9A4BB

Strings

TAA, xrefs: 01F9A4B1
tAA, xrefs: 01F9A43E
dAA, xrefs: 01F9A45A
p_@, xrefs: 01F9A4C5
tAA, xrefs: 01F9A41D
`BA, xrefs: 01F9A3D4

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: CurrentHandleInfoModuleProcessStartup
String ID: TAA$`BA$dAA$p_@$tAA$tAA
API String ID: 4098904731-249161119
Opcode ID: 9ac8512c1c713e5b3138b62bea2e9e075aa055ffa426ec7e674379c30ffe4eca
Instruction ID: 3561fee1959a15cbe5762f6c31e6963b4df703e74ca6a264166c4a591ac73b2f
Opcode Fuzzy Hash: 9ac8512c1c713e5b3138b62bea2e9e075aa055ffa426ec7e674379c30ffe4eca
Instruction Fuzzy Hash: D0213BB46042069FFF40FBADFC4879A37A1BBE5345B11C175E5048B334EB7A98818B59

Function 01FC43D0 Relevance: 15.0, Strings: 12, Instructions: 45COMMON

Download Yara Rule

Strings

|GV, xrefs: 01FC447A
`9A, xrefs: 01FC442E
TOV, xrefs: 01FC441A
|GV, xrefs: 01FC446B
`=B, xrefs: 01FC4442
TOV, xrefs: 01FC43EE
TOV, xrefs: 01FC4404
0=B, xrefs: 01FC4438
|OV, xrefs: 01FC43DD
|FV, xrefs: 01FC444C
TOV, xrefs: 01FC43D6
|FV, xrefs: 01FC445B

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0=B$TOV$TOV$TOV$TOV$`9A$`=B$|FV$|FV$|GV$|GV$|OV
API String ID: 0-2572438103
Opcode ID: 7a1a3a587705047683e29592b939ac6213811e7b4c64c1b3670f129d7c7a2cba
Instruction ID: 8c14ccd1e4612a2f7b292bcd306fab091a5a62f41aecba7bbf0443b9d3d42a97
Opcode Fuzzy Hash: 7a1a3a587705047683e29592b939ac6213811e7b4c64c1b3670f129d7c7a2cba
Instruction Fuzzy Hash: 0A0128B47402401BE7049BA8E8A13877DE2F399344F804539FA1ACF3C4DB65CC059F95

Function 0040AFD0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(00414260), ref: 0040AFDA
GetModuleHandleA.KERNEL32(00000000,00414260), ref: 0040AFEA
GetCurrentProcessId.KERNEL32(00414260), ref: 0040B0BB

Strings

TAA, xrefs: 0040B0B1
dAA, xrefs: 0040B05A
tAA, xrefs: 0040B01D
`BA, xrefs: 0040AFD4
tAA, xrefs: 0040B03E

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CurrentHandleInfoModuleProcessStartup
String ID: TAA$`BA$dAA$tAA$tAA
API String ID: 4098904731-2967456534
Opcode ID: 9ac8512c1c713e5b3138b62bea2e9e075aa055ffa426ec7e674379c30ffe4eca
Instruction ID: 6d446a7218ea6caff59fd528cba093fa56e2948afde29826009be741a65db01b
Opcode Fuzzy Hash: 9ac8512c1c713e5b3138b62bea2e9e075aa055ffa426ec7e674379c30ffe4eca
Instruction Fuzzy Hash: 85213DB02042049FC740FB6AE84578736A1FBD5349B10C13BF414AB3A5DB7D98818B9E

Function 01FC4DE0 Relevance: 11.5, Strings: 9, Instructions: 250COMMON

Download Yara Rule

Strings

pxV, xrefs: 01FC50F2
`xV, xrefs: 01FC50BA
\xV, xrefs: 01FC515D
\xV, xrefs: 01FC51F0
LxV, xrefs: 01FC5059
<xV, xrefs: 01FC502C
\xV, xrefs: 01FC518E
xV, xrefs: 01FC4FE7
\xV, xrefs: 01FC5086

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: xV$<xV$LxV$\xV$\xV$\xV$\xV$`xV$pxV
API String ID: 0-15338477
Opcode ID: b949703924b056e20abd784ad3eccb1401bdb91e0cbc1d0d40e0c949c252b115
Instruction ID: f2dccdcb456a4cccda83b9860916951ec158604587be99b498760dbf8d474f1d
Opcode Fuzzy Hash: b949703924b056e20abd784ad3eccb1401bdb91e0cbc1d0d40e0c949c252b115
Instruction Fuzzy Hash: BFC10474A0011A8BCB25EB59D890BCEB7B5FF58304F1082E9D648A7351CB75AE85CF91

Function 01F9CB40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 01F9CBF8
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 01F9CC11
InternetReadFile.WININET(?,?,00001389,?), ref: 01F9CC32

Part of subcall function 01F93770: GetOEMCP.KERNEL32(?,?,?,?,01F90A94,00000000,00000001,?,?,00000000,00000000,?,?,?,?,00000000), ref: 01F937E3

Part of subcall function 01F942C0: GetOEMCP.KERNEL32(00000000,?,00413020,?,01F935BD,00000000,?,?,?,?,01F93DB3,00000000,?,00413020,00413020,?), ref: 01F94301

Part of subcall function 01F94250: GetOEMCP.KERNEL32(?,?,00000000,?,01F9CCD3,00000000,00000001,00000000,?,?,00001389,?,?,?,00000000,00000000), ref: 01F94292

InternetCloseHandle.WININET(?), ref: 01F9CCF6
InternetCloseHandle.WININET(?), ref: 01F9CCFE

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, xrefs: 01F9CB51

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
API String ID: 3121278467-2759677928
Opcode ID: e32779da7ec875d62d922458c2a4a1873d67fd7c72f8982f63df70cc835da1cd
Instruction ID: e7939c5ebf159b56702486de6c676d646cf9d28b16156328144dcf3411d8bad8
Opcode Fuzzy Hash: e32779da7ec875d62d922458c2a4a1873d67fd7c72f8982f63df70cc835da1cd
Instruction Fuzzy Hash: 40510970D0021A9AEF22FF55CD90BDEB7B8EF14344F5040E5A608A7660DB72AF868F51

Function 01F999C0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,01F97985), ref: 01F999CE
GetStdHandle.KERNEL32(000000F5,?,01F97985), ref: 01F999E3
GetStdHandle.KERNEL32(000000F4,?,01F97985), ref: 01F999F8

Strings

47A, xrefs: 01F99A7E
t0A, xrefs: 01F99AA0
t0A, xrefs: 01F99B17
47A, xrefs: 01F99AC7

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Handle
String ID: 47A$47A$t0A$t0A
API String ID: 2519475695-1502439107
Opcode ID: 20d75c4ab9284809afed2bfaabde842ed709339444abbdfa2a25d917fe1eae70
Instruction ID: 09ad4b05c4bf6efe5012d7fcad9e16973f9eb30cc1b870682a4f9e75cdce24d6
Opcode Fuzzy Hash: 20d75c4ab9284809afed2bfaabde842ed709339444abbdfa2a25d917fe1eae70
Instruction Fuzzy Hash: E8414B34B0414A8FFF00FF58EC4069A7262F7D5748B25C23DA5118B678EBBA9942C748

Function 0040A5C0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00408585), ref: 0040A5CE
GetStdHandle.KERNEL32(000000F5,?,00408585), ref: 0040A5E3
GetStdHandle.KERNEL32(000000F4,?,00408585), ref: 0040A5F8

Strings

47A, xrefs: 0040A67E
47A, xrefs: 0040A6C7
t0A, xrefs: 0040A6A0
t0A, xrefs: 0040A717

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Handle
String ID: 47A$47A$t0A$t0A
API String ID: 2519475695-1502439107
Opcode ID: 20d75c4ab9284809afed2bfaabde842ed709339444abbdfa2a25d917fe1eae70
Instruction ID: ef9f98f135ddff26811f6b4f01080f1b802519376c5ec46646358c97a97b9c35
Opcode Fuzzy Hash: 20d75c4ab9284809afed2bfaabde842ed709339444abbdfa2a25d917fe1eae70
Instruction Fuzzy Hash: 08415A747042459FD700EB69EC40B9A3272BBD0344B28C23AA4516B7E9EB3DAD52C75E

Function 0040F4FF Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

$A, xrefs: 0040F571
$A, xrefs: 0040F762
$A, xrefs: 0040F5C2
$A, xrefs: 0040F554
$A, xrefs: 0040F5AD
$A, xrefs: 0040F55C
$A, xrefs: 0040F76C
D$A, xrefs: 0040F779

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A$ $A$ $A$D$A
API String ID: 0-2258019133
Opcode ID: f6292a220ab3c144034c27f1123dbc8f3f3af1e05437d712f5bfa866173b4f56
Instruction ID: 23a6670e0147a4e751b271641a679751570700be20a8c826d3cdefa4e1437c24
Opcode Fuzzy Hash: f6292a220ab3c144034c27f1123dbc8f3f3af1e05437d712f5bfa866173b4f56
Instruction Fuzzy Hash: 1D81EC74D0114C9BDB00EFD5D991ACEBBB9EF44308F10817AE500B7296D778AE4ACB98

Function 0040F500 Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

$A, xrefs: 0040F571
$A, xrefs: 0040F762
$A, xrefs: 0040F5C2
$A, xrefs: 0040F554
$A, xrefs: 0040F5AD
$A, xrefs: 0040F55C
$A, xrefs: 0040F76C
D$A, xrefs: 0040F779

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A$ $A$ $A$D$A
API String ID: 0-2258019133
Opcode ID: b4f8394a77bc46313f805f02199b6072cc307e9b5caee6de4151d8d438f9ae96
Instruction ID: 36e2cbe7fe930c20778a5cb25bacd31e9dc75cbc7e5931309fdabc44107ed369
Opcode Fuzzy Hash: b4f8394a77bc46313f805f02199b6072cc307e9b5caee6de4151d8d438f9ae96
Instruction Fuzzy Hash: 6A81DB74D0114C9BDB00EFD5D991ACEBBB9EF44308F10817AE501B7296D778AE4ACB98

Function 01F9E900 Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

D$A, xrefs: 01F9EB79
$A, xrefs: 01F9EB62
$A, xrefs: 01F9E954
$A, xrefs: 01F9E95C
$A, xrefs: 01F9EB6C
$A, xrefs: 01F9E9C2
$A, xrefs: 01F9E971
$A, xrefs: 01F9E9AD

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A$ $A$ $A$D$A
API String ID: 0-2258019133
Opcode ID: adab06e05071d245d5f8336cd892dac628f072a6abaafee6797695fef5cf04c8
Instruction ID: d5e95b8a1625408bdd3ed5475c4749d5f473cfb65d4370d56897a14d5d4ea13f
Opcode Fuzzy Hash: adab06e05071d245d5f8336cd892dac628f072a6abaafee6797695fef5cf04c8
Instruction Fuzzy Hash: 7A81F934D0114EABEF01FFD4DD90ACEBBBAAF54304F608062D514A7324DB76AE468B90

Function 01F9E8FF Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

D$A, xrefs: 01F9EB79
$A, xrefs: 01F9EB62
$A, xrefs: 01F9E954
$A, xrefs: 01F9E95C
$A, xrefs: 01F9EB6C
$A, xrefs: 01F9E9C2
$A, xrefs: 01F9E971
$A, xrefs: 01F9E9AD

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A$ $A$ $A$D$A
API String ID: 0-2258019133
Opcode ID: c0241b662cc16649e7760f4c88ece2a4dc1db97a18d240902d99ee665878b094
Instruction ID: 0a4063f3e1e0bd26338f0604b60ccbf9455a1196677aa14e869c2a8ac4fd66b1
Opcode Fuzzy Hash: c0241b662cc16649e7760f4c88ece2a4dc1db97a18d240902d99ee665878b094
Instruction Fuzzy Hash: AC81F934D0114EABEF01FFE4DD90ACEBBB6AF54304F608162D504A7225D776AE468B90

Function 01FB1160 Relevance: 10.1, Strings: 8, Instructions: 80COMMON

Download Yara Rule

Strings

A, xrefs: 01FB11B1
pA, xrefs: 01FB11D9
`A, xrefs: 01FB11CF
PA, xrefs: 01FB11C5
pA, xrefs: 01FB1251
0A, xrefs: 01FB11BB
PA, xrefs: 01FB1247
PZ, xrefs: 01FB12AB

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: A$0A$PA$PA$PZ$`A$pA$pA
API String ID: 0-202189810
Opcode ID: 0f098aaf4702ea6a94b64c08949f7b132cb8f2da70019bfa0b0f5ba0ea5bf9f6
Instruction ID: d3814dd9ec7ba3eed20319d3cf3ec17bf7c918b11e5a44629b3731d6ccf50253
Opcode Fuzzy Hash: 0f098aaf4702ea6a94b64c08949f7b132cb8f2da70019bfa0b0f5ba0ea5bf9f6
Instruction Fuzzy Hash: 733142B0A55204CF9380DF6DA95A7863AE1F76A340F10853BB14CCB321E7F598C9AF95

Function 0207E320 Relevance: 9.2, Strings: 7, Instructions: 421COMMON

Download Yara Rule

Strings

p@, xrefs: 0207E40A, 0207E555, 0207E636, 0207E78C, 0207E846
iter class, xrefs: 0207E817
exists, xrefs: 0207E75D
lgX, xrefs: 0207E3DB
write, xrefs: 0207E431, 0207E57C
$hX, xrefs: 0207E607
File "%s" does not exist, xrefs: 0207E471, 0207E5BC

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $hX$File "%s" does not exist$exists$iter class$lgX$p@$write
API String ID: 0-2648232504
Opcode ID: e239598ae9ac9167070c3518481d6d53abffb65348afe839d501462ee7ebdd18
Instruction ID: 53ea9d106cf39ed0daa9bf4cfb0edefa6cac94cb9504299a43ada9e6e6f51737
Opcode Fuzzy Hash: e239598ae9ac9167070c3518481d6d53abffb65348afe839d501462ee7ebdd18
Instruction Fuzzy Hash: 0412AE74E01208DBDB10EFA8C584A8EBBF2FF48304F6081A9D815AB355D775AE45EF85

Function 01F9EBA0 Relevance: 9.0, Strings: 7, Instructions: 219COMMON

Download Yara Rule

Strings

$A, xrefs: 01F9EE5F
$A, xrefs: 01F9EE76
&A, xrefs: 01F9ED39
D$A, xrefs: 01F9EE69
$A, xrefs: 01F9EC2A
$A, xrefs: 01F9EC15
$A, xrefs: 01F9EC0D

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A$D$A$&A
API String ID: 0-895439832
Opcode ID: 4709fd550304090436b2d986a20ab3778216f36849e2a98fb89a6e60c2d87d2b
Instruction ID: 6d78a0588b1d55b1524c6ca2d2dfda688943d912584be6a640d98a35b2f930dd
Opcode Fuzzy Hash: 4709fd550304090436b2d986a20ab3778216f36849e2a98fb89a6e60c2d87d2b
Instruction Fuzzy Hash: EC91B934D0120E9BEF01FFD4DD90ACEBBB6AF54304F604166D514AB265DB72AE46CB90

Function 00427F60 Relevance: 8.8, Strings: 7, Instructions: 80COMMON

Download Yara Rule

Strings

A, xrefs: 00427FB1
pA, xrefs: 00428051
PA, xrefs: 00427FC5
`A, xrefs: 00427FCF
PA, xrefs: 00428047
pA, xrefs: 00427FD9
0A, xrefs: 00427FBB

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: A$0A$PA$PA$`A$pA$pA
API String ID: 0-2706859774
Opcode ID: 0f098aaf4702ea6a94b64c08949f7b132cb8f2da70019bfa0b0f5ba0ea5bf9f6
Instruction ID: d7a90a14c4092424e225e95f22d705b7f8f44652e623df0cc239691cb8372661
Opcode Fuzzy Hash: 0f098aaf4702ea6a94b64c08949f7b132cb8f2da70019bfa0b0f5ba0ea5bf9f6
Instruction Fuzzy Hash: B33147B0A55204CF9380DF6DA95A3463AE1F766344B51853BB14CCB321E3F898C9AF99

Function 01F90990 Relevance: 7.6, APIs: 5, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?,00000000), ref: 01F909FD
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 01F90A1E
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 01F90A36
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 01F90A72
RegCloseKey.ADVAPI32(?,00000000,00000001,?,?,00000000,00000000,?,?,?,?,00000000,?,00000000,00000000), ref: 01F90AA8

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseQueryValue$Open
String ID:
API String ID: 4082589901-0
Opcode ID: ee7ccb10c0f234961aa9c38694839e7a0bd89e46a806b6b3629d912f844ba51e
Instruction ID: a4aeb8be0d8de98a74b4052d591d7a84d70780cb467863e9fb1310df1b65acbb
Opcode Fuzzy Hash: ee7ccb10c0f234961aa9c38694839e7a0bd89e46a806b6b3629d912f844ba51e
Instruction Fuzzy Hash: 1C319771A00159ABFF22FA58CC81BDE767DDF54380F1041A2F548E6250DAB69EC48AA4

Function 00401590 Relevance: 7.6, APIs: 5, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?,00000000), ref: 004015FD
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 0040161E
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00401636
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00401672
RegCloseKey.ADVAPI32(?,00000000,00000001,?,?,00000000,00000000,?,?,?,?,00000000,?,00000000,00000000), ref: 004016A8

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseQueryValue$Open
String ID:
API String ID: 4082589901-0
Opcode ID: edf0df0a5bb6c5c8aa50bc8d1d021be57945f99c23e02fe8bacf702e362ed3b4
Instruction ID: f6879b41b9b4c4f0b71ac12d9fec265e1ed28802e0bbcf59a9dc75bd23dc144e
Opcode Fuzzy Hash: edf0df0a5bb6c5c8aa50bc8d1d021be57945f99c23e02fe8bacf702e362ed3b4
Instruction Fuzzy Hash: 01316171A00154ABDB21AA55CC82BDA727CDF44384F1040B7F545F72E0D6B99EC48A68

Function 01F90ACF Relevance: 7.6, APIs: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01F90B14
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01F90B32
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01F90B51
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 01F90B8C
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 01F90B94

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseValue$CreateQuery
String ID:
API String ID: 1259008579-0
Opcode ID: 85a184cb3fbbcf72b875e0db3f72afdcecbd18462e5f57835c861d8f7a204abc
Instruction ID: 31f2c1d11c86cdebf22cf314d4c54cccad29108cfe501cee07b6883aece62cb0
Opcode Fuzzy Hash: 85a184cb3fbbcf72b875e0db3f72afdcecbd18462e5f57835c861d8f7a204abc
Instruction Fuzzy Hash: CF212F71B4020ABBFF21AEAD8C41FAEBBBDEB40744F144465F604EB251DA76DD408B54

Function 004016CF Relevance: 7.6, APIs: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401714
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401732
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401751
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 0040178C
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,?,?,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00401794

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CloseValue$CreateQuery
String ID:
API String ID: 1259008579-0
Opcode ID: 7768b3c341911f3df32eacb2cd281c2466913b327779d88379c2aedd13139201
Instruction ID: 2526327ca8a497ff1f397d489966f378bc4f03016c463e3b205b2be09f3d5001
Opcode Fuzzy Hash: 7768b3c341911f3df32eacb2cd281c2466913b327779d88379c2aedd13139201
Instruction Fuzzy Hash: 30213074B40205BBEB219AAA9C82FAF77A9EB40784F104477F505FB2F1D7789D408758

Function 01F99F20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,01F9648A,01F9649A,01F956DA,?,01F90AB2,00000000), ref: 01F9A009

Strings

47A, xrefs: 01F99FC8
0PA, xrefs: 01F99F36
t0A, xrefs: 01F99FAB

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ExitProcess
String ID: 0PA$47A$t0A
API String ID: 621844428-3436806125
Opcode ID: 35134e7b00927fcbf88c56a4135db35b3841cb01b06faf96d7b2583a838b5153
Instruction ID: f67181848f250ce4a055cfb54819ba7f790079bb12c88c8bd5b361ac72180edf
Opcode Fuzzy Hash: 35134e7b00927fcbf88c56a4135db35b3841cb01b06faf96d7b2583a838b5153
Instruction Fuzzy Hash: DB116A707140069FFF10FB58EC447D9BAA2BBD438CF26C038E5068B228DBA798428749

Function 0040AB20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,0040708A,0040709A,004062DA,?,004016B2,00000000), ref: 0040AC09

Strings

47A, xrefs: 0040ABC8
0PA, xrefs: 0040AB36
t0A, xrefs: 0040ABAB

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ExitProcess
String ID: 0PA$47A$t0A
API String ID: 621844428-3436806125
Opcode ID: 2afbc147f6ff4bcebb1603dc6f8f69ee3771419cf6d8d27b84d764585a76a55f
Instruction ID: 7df8ff39b4e0162027718901dfd5ddbbde8923651b7e6164a533e1097f8e71d2
Opcode Fuzzy Hash: 2afbc147f6ff4bcebb1603dc6f8f69ee3771419cf6d8d27b84d764585a76a55f
Instruction Fuzzy Hash: C81147746082058FD710EF69E84179A36B3BB90348F24C13AE6016B3A9DB7CAD52874F

Function 004F5120 Relevance: 6.7, Strings: 5, Instructions: 421COMMON

Download Yara Rule

Strings

write, xrefs: 004F5231, 004F537C
p@, xrefs: 004F520A, 004F5355, 004F5436, 004F558C, 004F5646
iter class, xrefs: 004F5617
File "%s" does not exist, xrefs: 004F5271, 004F53BC
exists, xrefs: 004F555D

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: File "%s" does not exist$exists$iter class$p@$write
API String ID: 0-2607739891
Opcode ID: 57a8cf81e16b440aa999ca1fb1da432de821fd1ade88c4564b231050283d094e
Instruction ID: fa3794d84cdc4a09f18c77f69c2e777c0067077841b516cbbe89a7713199b8da
Opcode Fuzzy Hash: 57a8cf81e16b440aa999ca1fb1da432de821fd1ade88c4564b231050283d094e
Instruction Fuzzy Hash: B712C134E00208DFDB10DFA9C585A9EBBF1FF48304F6081AAE915AB355D778AE458F85

Function 0040F1E0 Relevance: 6.3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

$A, xrefs: 0040F23D
$A, xrefs: 0040F228
$A, xrefs: 0040F30A
$A, xrefs: 0040F220
$A, xrefs: 0040F300

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A
API String ID: 0-829398541
Opcode ID: a61d2ed9fd4a549a16a343a1b1a63df943c3cbc42c2163bcbd6144867c5e726a
Instruction ID: 6aaac6c44f0f72b5249ae851caf74af5a3d30edae998ea37dbb8c49a91fe17aa
Opcode Fuzzy Hash: a61d2ed9fd4a549a16a343a1b1a63df943c3cbc42c2163bcbd6144867c5e726a
Instruction Fuzzy Hash: 65311E3090010CEBDB01EBD6D991BCEBBB9EF44308F20407AF501B7292D779AA59CB95

Function 01F9E5E0 Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

$A, xrefs: 01F9E628
$A, xrefs: 01F9E620
$A, xrefs: 01F9E70A
$A, xrefs: 01F9E63D
$A, xrefs: 01F9E700

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $A$ $A$ $A$ $A$ $A
API String ID: 0-829398541
Opcode ID: 0c2b73941235871d3ea911fd5a8620b270e8ac5899910170dae00070292fe1b2
Instruction ID: faf047bb94d098b1fd43b4922170db9868c1858690b00d3627bcbc46e38d76ae
Opcode Fuzzy Hash: 0c2b73941235871d3ea911fd5a8620b270e8ac5899910170dae00070292fe1b2
Instruction Fuzzy Hash: AC31103090110EABEF01FFD5DD90BCEBBB9AF54344F504022E500A7365D776AA569B91

Function 004061C0 Relevance: 6.3, Strings: 5, Instructions: 75COMMON

Download Yara Rule

Strings

DCA, xrefs: 004061DF
$CA, xrefs: 0040624D
4CA, xrefs: 00406270
DCA, xrefs: 0040622F
DCA, xrefs: 00406206

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $CA$4CA$DCA$DCA$DCA
API String ID: 0-632339749
Opcode ID: 5ed7db0a50857e69bae277f51265bc428c83fe4079d019bd0c5aada238381d61
Instruction ID: 02913e5beaa1fa59717fccbd0d1023f757ebe6e8ed99dc11b6a158d79a90530a
Opcode Fuzzy Hash: 5ed7db0a50857e69bae277f51265bc428c83fe4079d019bd0c5aada238381d61
Instruction Fuzzy Hash: D421ED707041058FD714EB59E880B9673B6BBD5340B2AC0BAE812AB3B5DB79DC12CB5D

Function 01F97950 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

TAA, xrefs: 01F97998
tAA, xrefs: 01F979DF
tAA, xrefs: 01F979BE
dAA, xrefs: 01F979FB
d0A, xrefs: 01F97A1D

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$d0A$dAA$tAA$tAA
API String ID: 0-832756125
Opcode ID: 447405897af0aa2f06e3d7638467cd543f7d50c62273e58aee5ea8159a1222d6
Instruction ID: 067762425ce786b8a7c26f3dfe7840673a9a66ec1ba66b31229be536fa539837
Opcode Fuzzy Hash: 447405897af0aa2f06e3d7638467cd543f7d50c62273e58aee5ea8159a1222d6
Instruction Fuzzy Hash: DC11BA70724302DFFB50FF69EC886993A62BBE5301725C63591428B338E7769841CF58

Function 00408550 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

TAA, xrefs: 00408598
tAA, xrefs: 004085BE
dAA, xrefs: 004085FB
d0A, xrefs: 0040861D
tAA, xrefs: 004085DF

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$d0A$dAA$tAA$tAA
API String ID: 0-832756125
Opcode ID: 447405897af0aa2f06e3d7638467cd543f7d50c62273e58aee5ea8159a1222d6
Instruction ID: 322c511306d272571a832be4a7610073f72e3fbaaa876a8b0cb6830d4d3ded73
Opcode Fuzzy Hash: 447405897af0aa2f06e3d7638467cd543f7d50c62273e58aee5ea8159a1222d6
Instruction Fuzzy Hash: EE11F970704201AFC740EF69ED8869636A1BBE9305725C43AA141AB3A9DF79CC42CB5D

Function 00429C30 Relevance: 6.3, Strings: 5, Instructions: 48COMMON

Download Yara Rule

Strings

p'A, xrefs: 00429C7E
`%A, xrefs: 00429C92
`&A, xrefs: 00429CA6
`%A, xrefs: 00429C6A
%A, xrefs: 00429C9C

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: `%A$`%A$`&A$p'A$%A
API String ID: 0-2029066775
Opcode ID: dfa6dd7848eb23a55b61529bf380ad1011d28b58bdb845fe59dd72e02c734572
Instruction ID: 78fa922e4a358171580d27fe7aadca8edc5346198a3e385e2798f85a022b7b80
Opcode Fuzzy Hash: dfa6dd7848eb23a55b61529bf380ad1011d28b58bdb845fe59dd72e02c734572
Instruction Fuzzy Hash: 0B11FE79A002108BC350DF2DE9842867BF1FB66344B40812BD516D7760E3789C99EB99

Function 01FB2E30 Relevance: 6.3, Strings: 5, Instructions: 47COMMON

Download Yara Rule

Strings

%A, xrefs: 01FB2E9C
p'A, xrefs: 01FB2E7E
`%A, xrefs: 01FB2E92
`%A, xrefs: 01FB2E6A
`&A, xrefs: 01FB2EA6

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: `%A$`%A$`&A$p'A$%A
API String ID: 0-2029066775
Opcode ID: 3acc88694ff80eff0ff3a352232f246a6e419a1682ad4ebdb0d1ae4888cfd905
Instruction ID: f1473381088832e918a9bb042776f4cd8200ee36a8b22e4e8676ca0068f029de
Opcode Fuzzy Hash: 3acc88694ff80eff0ff3a352232f246a6e419a1682ad4ebdb0d1ae4888cfd905
Instruction Fuzzy Hash: BD110C7AA00201CBC351DF2DEE843867BF1FB6A304B00812AD516C7770E375A899EB99

Function 01F97C20 Relevance: 6.3, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C25
TlsGetValue.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C44
LocalAlloc.KERNEL32(00000040), ref: 01F97C57
TlsSetValue.KERNEL32(00000000,00000040), ref: 01F97C72
SetLastError.KERNEL32(00000000), ref: 01F97C78

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: ec3e637c03f6bc23e8b06f94060b79e23039758f34d06e98c892f4ff3d7b7ef5
Instruction ID: 1ad79b83db5868784ef129882f9195e2c7918f51b5c1116fc532124b7aa90784
Opcode Fuzzy Hash: ec3e637c03f6bc23e8b06f94060b79e23039758f34d06e98c892f4ff3d7b7ef5
Instruction Fuzzy Hash: 0FE06531960B3767EF2337B96C4199E354C9B907F4F105230E651672A2EE13980156EC

Function 01F97C1F Relevance: 6.3, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C25
TlsGetValue.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C44
LocalAlloc.KERNEL32(00000040), ref: 01F97C57
TlsSetValue.KERNEL32(00000000,00000040), ref: 01F97C72
SetLastError.KERNEL32(00000000), ref: 01F97C78

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: bb20245ef22a7d6f40216144569e6972df66727ff42a53c437d2256ee92b8ad9
Instruction ID: 478f96034756d82c57abc8df1e87acacc3c0ced310bb21086b5d5a9c86f347ed
Opcode Fuzzy Hash: bb20245ef22a7d6f40216144569e6972df66727ff42a53c437d2256ee92b8ad9
Instruction Fuzzy Hash: 9EF06535960A3757EF3337B86C4099E35486F907B4F105334E651772B2EE1388019B98

Function 01F91510 Relevance: 6.2, APIs: 4, Instructions: 152fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 01F9159C
CopyFileA.KERNEL32(00000000,00000000,000000FF), ref: 01F91619
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 01F916C1
TerminateProcess.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 01F916C7

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: FileProcess$CopyCurrentMoveTerminate
String ID:
API String ID: 1606378885-0
Opcode ID: 3ebebf1af7d38a6ed21ed9c8ad2763cbdbccb344e3ae9cf0436b91bcdb2efe79
Instruction ID: de5e916ac60d79ae96318943d878fc654391d0c66921d59035dfc3237b22c835
Opcode Fuzzy Hash: 3ebebf1af7d38a6ed21ed9c8ad2763cbdbccb344e3ae9cf0436b91bcdb2efe79
Instruction Fuzzy Hash: EB51C870A1110BABEF51FFA4ED80BCEB7B9AF60354F604135E014E7250EB76EA458B94

Function 01F98360 Relevance: 6.1, APIs: 4, Instructions: 51fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,01F99229,?,?,00000000,?,01F992AB), ref: 01F98376
GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,01F99229,?,?,00000000,?,01F992AB), ref: 01F9837F
GetConsoleMode.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,01F99229,?,?,00000000,?,01F992AB), ref: 01F98397
GetConsoleOutputCP.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,-00000018,01F99229,?,?,00000000,?,01F992AB), ref: 01F983A2

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Console$ErrorFileLastModeOutputWrite
String ID:
API String ID: 1666348767-0
Opcode ID: 7e1423d0293c3c8450814a5c97954341b7d247c2fd516e911c28d118bd2fb17a
Instruction ID: 32db3000f60dd71a98c54a1457cac21e33c4e9224170fe06399009205b968f2a
Opcode Fuzzy Hash: 7e1423d0293c3c8450814a5c97954341b7d247c2fd516e911c28d118bd2fb17a
Instruction Fuzzy Hash: 5501867292021EEAFF11B6FCCE44DAE7A9EDB121D0F141461EA11D2160F7F7DE048295

Function 01F98510 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01F98330: CloseHandle.KERNEL32(?,00000000,?,01F98558,?,00000001,?,?,01F990BA,00000000,?,00000000,?,01F9C14A,?), ref: 01F98340
Part of subcall function 01F98330: GetLastError.KERNEL32(?,00000000,?,01F98558,?,00000001,?,?,01F990BA,00000000,?,00000000,?,01F9C14A,?), ref: 01F98349

CreateFileW.KERNEL32(00000000,?,00411350,0000000C,00000003,00000080,00000000,?,00000001,?,?,01F990BA,00000000,?,00000000,?), ref: 01F98703
GetLastError.KERNEL32(00000000,?,00411350,0000000C,00000003,00000080,00000000,?,00000001,?,?,01F990BA,00000000,?,00000000,?), ref: 01F9874C

Part of subcall function 01F98490: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,01F98731,00000000,?,00411350,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 01F984A7
Part of subcall function 01F98490: GetLastError.KERNEL32(?,00000000,00000000,00000002,?,01F98731,00000000,?,00411350,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 01F984B4
Part of subcall function 01F98490: GetLastError.KERNEL32(?,00000000,00000000,00000002,?,01F98731,00000000,?,00411350,0000000C,00000003,00000080,00000000,?,00000001,?), ref: 01F984BD

Strings

TAA, xrefs: 01F9856F

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateHandlePointer
String ID: TAA
API String ID: 3997052936-2085441596
Opcode ID: 6db5dc6e73ee0594e1beadda6863456c1d883b4926029fd2ad7e9a9bafc5fe0c
Instruction ID: 001ce4bf0e5063423178ae694eac77e3f57838f60778e04120a01bd0b80e31d1
Opcode Fuzzy Hash: 6db5dc6e73ee0594e1beadda6863456c1d883b4926029fd2ad7e9a9bafc5fe0c
Instruction Fuzzy Hash: 15615FB5E0410ECBFF11EF58C9446AEBBB2FB96390F248121D504AB368D3369D45CBA5

Function 0040A1E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040A216
GetCommandLineA.KERNEL32(00000000,?,00000104), ref: 0040A256

Strings

PBA, xrefs: 0040A39B

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: CommandFileLineModuleName
String ID: PBA
API String ID: 2151003578-1349102371
Opcode ID: 6f56a806e4ac7feb7590663b001053bb06a6925b336661b1eae582c02bc71eb5
Instruction ID: c01dd440daa73386bf30b4bb7223a67f7704861ccc5b13a1fc4bff4d504b352f
Opcode Fuzzy Hash: 6f56a806e4ac7feb7590663b001053bb06a6925b336661b1eae582c02bc71eb5
Instruction Fuzzy Hash: 1751E371C083988BDB358F2488457D9BBA0AB52304F1845FAC8D577392C3B95DD58F5B

Function 01F995E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 01F99616
GetCommandLineA.KERNEL32(00000000,?,00000104), ref: 01F99656

Strings

PBA, xrefs: 01F9979B

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: CommandFileLineModuleName
String ID: PBA
API String ID: 2151003578-1349102371
Opcode ID: fdc28c1fad10a1cfd4009d0dfb19af802536b96daa4f7dfb17c413c7b77fe5e2
Instruction ID: 13173e058c833485a8c07f79abfb4f3818ab1933a877bf868c20f9459fe00f58
Opcode Fuzzy Hash: fdc28c1fad10a1cfd4009d0dfb19af802536b96daa4f7dfb17c413c7b77fe5e2
Instruction Fuzzy Hash: 9351BFB5C082988BFF36AF2888447D8BBA1BB52308F0945CDC5D95B251C6F65AC5CF92

Function 01F98AC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,00413DF4,01F98BB3,00413DF4,01F999BC,?,01F99A2C,?,01F97985), ref: 01F98B34

Strings

TAA, xrefs: 01F98B64
TAA, xrefs: 01F98AFF

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA
API String ID: 0-1195183021
Opcode ID: ead93c5d8cc7c4cdf99e2af3c27b1418081fb850bc23898e23c81d9b5a887dd7
Instruction ID: 2059d33ac19bce2949f24f43f90c68e2ed1191ceffc0aaf917c66d26237820b6
Opcode Fuzzy Hash: ead93c5d8cc7c4cdf99e2af3c27b1418081fb850bc23898e23c81d9b5a887dd7
Instruction Fuzzy Hash: EB1170B6610249DAFF14BF2CD8882A23B65FB97390F0CC066D8058F369D77AC940C754

Function 004096C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,00413DF4,004097B3,00413DF4,0040A5BC,?,0040A62C,?,00408585), ref: 00409734

Strings

TAA, xrefs: 004096FF
TAA, xrefs: 00409764

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: TAA$TAA
API String ID: 0-1195183021
Opcode ID: ead93c5d8cc7c4cdf99e2af3c27b1418081fb850bc23898e23c81d9b5a887dd7
Instruction ID: 84c2cb7eea715656d657b082394d2a76faad7ed860493c23d21e8f6d26e5e3e1
Opcode Fuzzy Hash: ead93c5d8cc7c4cdf99e2af3c27b1418081fb850bc23898e23c81d9b5a887dd7
Instruction Fuzzy Hash: 5611797A224241CBCB14AF68D8886A62765FB95300F18C477E805AF3EBE33DCD41C769

Function 01F99890 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00415050,Error,00000000), ref: 01F9990F

Strings

Error, xrefs: 01F99901, 01F99906
PPA, xrefs: 01F99907

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Message
String ID: Error$PPA
API String ID: 2030045667-1706176930
Opcode ID: f1fbffac40d2f5b9a22a27e05626f995e90a8031b9c195ccb1d099a7aa5650ce
Instruction ID: 619c8841e9367414ccc3063f62ec0a3f9599038514cbf646943067471fcbb0a5
Opcode Fuzzy Hash: f1fbffac40d2f5b9a22a27e05626f995e90a8031b9c195ccb1d099a7aa5650ce
Instruction Fuzzy Hash: A4019E71A0070ADFFB10EF18D880BD637A8F78931DF484569DA059B262C3B5D8908BD8

Function 0040A490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00415050,Error,00000000), ref: 0040A50F

Strings

PPA, xrefs: 0040A507
Error, xrefs: 0040A501, 0040A506

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Message
String ID: Error$PPA
API String ID: 2030045667-1706176930
Opcode ID: f1fbffac40d2f5b9a22a27e05626f995e90a8031b9c195ccb1d099a7aa5650ce
Instruction ID: 59db18f171209e0c1d41417ac73f181ac3968abd38ad40fc188e8691419b9c4d
Opcode Fuzzy Hash: f1fbffac40d2f5b9a22a27e05626f995e90a8031b9c195ccb1d099a7aa5650ce
Instruction Fuzzy Hash: E2018070200719DBD700CF18D884BD237A4B78935DF484672E904AB396C3B8DCA58BDD

Function 01F9992F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00415050,Error,00000000), ref: 01F9994C

Strings

PPA, xrefs: 01F99944
Error, xrefs: 01F9993E, 01F99943

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: Message
String ID: Error$PPA
API String ID: 2030045667-1706176930
Opcode ID: 86ea49f4e57eeb26ad5e7264ad24a00fdba1bfc1a654e8c1eae815d4f7d6a87e
Instruction ID: 1409f1114c2dd8ddb3d90db4a04368ef3ef6c5044ce27f8992e46ae82bd6ea83
Opcode Fuzzy Hash: 86ea49f4e57eeb26ad5e7264ad24a00fdba1bfc1a654e8c1eae815d4f7d6a87e
Instruction Fuzzy Hash: 60D0A770248648DAE710D7505C617CA6FA8978130DF44412EE508EA1D1C3B98494CF9E

Function 0040A52F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00415050,Error,00000000), ref: 0040A54C

Strings

Error, xrefs: 0040A53E, 0040A543
PPA, xrefs: 0040A544

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: Message
String ID: Error$PPA
API String ID: 2030045667-1706176930
Opcode ID: 86ea49f4e57eeb26ad5e7264ad24a00fdba1bfc1a654e8c1eae815d4f7d6a87e
Instruction ID: c248e9d6fdd21f7526041fb32f9ed1ec2c6e35b8471d6156cebba6790eaa0f0d
Opcode Fuzzy Hash: 86ea49f4e57eeb26ad5e7264ad24a00fdba1bfc1a654e8c1eae815d4f7d6a87e
Instruction Fuzzy Hash: B6D0A770148648DAD310C7505C627DA6FA8978130DF44412FF508E61E2C3BC8494CB9E

Function 01FA7E70 Relevance: 5.3, Strings: 4, Instructions: 261COMMON

Download Yara Rule

Strings

9, xrefs: 01FA8004
5, xrefs: 01FA7FCA
0, xrefs: 01FA7FF3
gfff, xrefs: 01FA80B4

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0$5$9$gfff
API String ID: 0-3360872114
Opcode ID: 4b76fe6ac91e8a6e9f0ecfaee3e44a874122265a6cda743822ac787b69aa1c73
Instruction ID: 89fa3226ace399c32de9211d40d5a619595ab562bad247d58ad2153882dc0d40
Opcode Fuzzy Hash: 4b76fe6ac91e8a6e9f0ecfaee3e44a874122265a6cda743822ac787b69aa1c73
Instruction Fuzzy Hash: 8FA1C0B1D0025ACFDB11CE68C884BEEBBF5BB49351F648269D504A7341D3BB9A45CBA0

Function 0041EC70 Relevance: 5.3, Strings: 4, Instructions: 261COMMON

Download Yara Rule

Strings

9, xrefs: 0041EE04
gfff, xrefs: 0041EEB4
5, xrefs: 0041EDCA
0, xrefs: 0041EDF3

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0$5$9$gfff
API String ID: 0-3360872114
Opcode ID: e7f5bb9b81cef4ffb4ad9844f78d3432ff2e671a925aca702dc4158b9f5023be
Instruction ID: 7536387e810de60f76321832a575b2987067e80d475626a6ba3c6ffe9660e5fc
Opcode Fuzzy Hash: e7f5bb9b81cef4ffb4ad9844f78d3432ff2e671a925aca702dc4158b9f5023be
Instruction Fuzzy Hash: F4A10439E0025A8FDF11CE69D884BEEBBF2FF59314F24416AD804A7341D3399985CB99

Function 01FBC2D0 Relevance: 5.2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

DKV, xrefs: 01FBC47E
nvalid memory pool code %d "Unsupported JPEG data precision %d 6Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d 6Invalid progressiv, xrefs: 01FBC41D, 01FBC422
hKV, xrefs: 01FBC4A9
4JV, xrefs: 01FBC414

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 4JV$DKV$hKV$nvalid memory pool code %d "Unsupported JPEG data precision %d 6Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d 6Invalid progressiv
API String ID: 0-2046388181
Opcode ID: bbd5c69d95575d0cb446802bc1574f854733fe4128b4be71e05d333ef3fe2572
Instruction ID: b0b5672d3655f683609c22666479ba092f8c2ef764a81e3b33a7eff503329636
Opcode Fuzzy Hash: bbd5c69d95575d0cb446802bc1574f854733fe4128b4be71e05d333ef3fe2572
Instruction Fuzzy Hash: D5811774A4010EDFDB00EB94D994BDEBBBABF44304F5481A1E444AB264DB76AE46DF40

Function 01FA7F6A Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

9, xrefs: 01FA8004
5, xrefs: 01FA7FCA
0, xrefs: 01FA7FF3
gfff, xrefs: 01FA80B4

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0$5$9$gfff
API String ID: 0-3360872114
Opcode ID: 3ad47d036e430c3facd308b33e69a432b1fb6dade9a42aa29328fad8452c0230
Instruction ID: d4f7964d20a89224c8e14a11c3f04cd0e4795f3f26a98e3ec1f1d7307e88cf2d
Opcode Fuzzy Hash: 3ad47d036e430c3facd308b33e69a432b1fb6dade9a42aa29328fad8452c0230
Instruction Fuzzy Hash: 7B5104B1E04259CFCF11CE68C484BEDBBE2BB55345F64416AC404A7341D3BB9A49CB61

Function 0041ED6A Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

9, xrefs: 0041EE04
gfff, xrefs: 0041EEB4
5, xrefs: 0041EDCA
0, xrefs: 0041EDF3

Memory Dump Source

Source File: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0$5$9$gfff
API String ID: 0-3360872114
Opcode ID: 34a189bb39a0a6bc15899857cac48a7b609f3e700d107807870b0de50febeee1
Instruction ID: 2aa4f61d8b38760beb694458177817fdd55e1cc5ec27c476b640cce714fd9e87
Opcode Fuzzy Hash: 34a189bb39a0a6bc15899857cac48a7b609f3e700d107807870b0de50febeee1
Instruction Fuzzy Hash: 7051E239E0425A8FDF15CEAAD4847EDBBE2AB59304F24016BDC01A7341D37A99C9CB19

Function 02094240 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

0=O, xrefs: 020943B8
hwX, xrefs: 020942BF
DwX, xrefs: 0209433A
DwX, xrefs: 02094295

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: 0=O$DwX$DwX$hwX
API String ID: 0-2189047185
Opcode ID: bd4049ff42f68e3d2612325f9a7efb41de3d1a678c5725c4f6b928a99e786365
Instruction ID: adf7e59cf35f5744acd172731c16eb28302742867799e60a8c6db6a41a76e594
Opcode Fuzzy Hash: bd4049ff42f68e3d2612325f9a7efb41de3d1a678c5725c4f6b928a99e786365
Instruction Fuzzy Hash: 1F51B374A5120D9BDB00EFA8D890ACEBBF5FF14300F508525E405AB354EB75AA46EF80

Function 02006400 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

L7W, xrefs: 02006464
<7W, xrefs: 02006449
l7W, xrefs: 0200649C
\7W, xrefs: 02006480

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: <7W$L7W$\7W$l7W
API String ID: 0-3196759857
Opcode ID: 1ee66b2b76892536d1b1df35a50acf22416ff3b60a7fb6e201d9011e4c014070
Instruction ID: 30d319f80d830c23e09635f60d524ad8dd0417fb184c9c640eaa0306f780595a
Opcode Fuzzy Hash: 1ee66b2b76892536d1b1df35a50acf22416ff3b60a7fb6e201d9011e4c014070
Instruction Fuzzy Hash: E4317DB4E0020E9FDB00EFE8D990A8DBBF6FF14704F548425E419EB358E775AA099B51

Function 01F955F9 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

DCA, xrefs: 01F9562F
$CA, xrefs: 01F9564D
4CA, xrefs: 01F95670
DCA, xrefs: 01F95606

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID:
String ID: $CA$4CA$DCA$DCA
API String ID: 0-337835432
Opcode ID: 53cde01fc08bfff6a18b0c98131430ed1e105dbf6542df39a15a767b3dda0f50
Instruction ID: 3d152aa55002a46b2516e860ca92b0f22d6ba42c72498d41e773bf7cd32022ee
Opcode Fuzzy Hash: 53cde01fc08bfff6a18b0c98131430ed1e105dbf6542df39a15a767b3dda0f50
Instruction Fuzzy Hash: 7C11C5B57001058FEF02EB19F890A9A77B2BBE4344B68C076E9118B274DB36DC01CB98

Function 01F97CC0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01F97CC8
TlsGetValue.KERNEL32 ref: 01F97CD5
SetLastError.KERNEL32(00000000), ref: 01F97CFD

Part of subcall function 01F97C20: GetLastError.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C25
Part of subcall function 01F97C20: TlsGetValue.KERNEL32(00000000,?,?,01F97CE5), ref: 01F97C44
Part of subcall function 01F97C20: LocalAlloc.KERNEL32(00000040), ref: 01F97C57
Part of subcall function 01F97C20: TlsSetValue.KERNEL32(00000000,00000040), ref: 01F97C72
Part of subcall function 01F97C20: SetLastError.KERNEL32(00000000), ref: 01F97C78

TlsGetValue.KERNEL32 ref: 01F97CEB

Memory Dump Source

Source File: 00000000.00000002.1458269265.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: true

Associated: 00000000.00000002.1458409808.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f90000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: 10c2c58ee1f1c2cc6298a0af3ada34d2c49aae0b1d15a0902be342164778f74c
Instruction ID: 26a3ad0d3d8422415d1e4f1b7c29b4817116031f673e75f36aab0b551157bcd6
Opcode Fuzzy Hash: 10c2c58ee1f1c2cc6298a0af3ada34d2c49aae0b1d15a0902be342164778f74c
Instruction Fuzzy Hash: B5E08C322306176BEF5273BD9C40A9AB69DEFE12E8B400532F644D3220EE63DC0046A4

Function 004088C1 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004088C8
TlsGetValue.KERNEL32 ref: 004088D5
SetLastError.KERNEL32(00000000), ref: 004088FD

Part of subcall function 00408820: GetLastError.KERNEL32(00000000,?,?,004088E5), ref: 00408825
Part of subcall function 00408820: TlsGetValue.KERNEL32(00000000,?,?,004088E5), ref: 00408844
Part of subcall function 00408820: LocalAlloc.KERNEL32(00000040), ref: 00408857
Part of subcall function 00408820: TlsSetValue.KERNEL32(00000000,00000040), ref: 00408872
Part of subcall function 00408820: SetLastError.KERNEL32(00000000), ref: 00408878

TlsGetValue.KERNEL32 ref: 004088EB

Memory Dump Source

Source File: 00000000.00000002.1457013894.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1456991809.0000000000400000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457041171.0000000000411000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457211049.0000000000412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457260737.0000000000414000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1457374380.0000000000417000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1iC0WTxgUf.jbxd

Similarity

API ID: ErrorLastValue$AllocLocal
String ID:
API String ID: 1904213510-0
Opcode ID: 76411162de9fdefad6ab875f26ce2d046e0d0cdbec429a2848d1d2bcf9871f8d
Instruction ID: a4c879f3bc6ff282489d911efc85a0eca7394b05a79172680eb126068def775c
Opcode Fuzzy Hash: 76411162de9fdefad6ab875f26ce2d046e0d0cdbec429a2848d1d2bcf9871f8d
Instruction Fuzzy Hash: 7AE04F3221051027D60277AA9C4269A6699DB893E8780053BF280B71B2EE3DCC0042AD

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1iC0WTxgUf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\1iC0WTxgUf.exe

C:\Users\user\Desktop\1iC0WTxgUf.exe:Zone.Identifier

C:\Users\user\Desktop\old_1iC0WTxgUf.exe (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Windows Analysis Report
1iC0WTxgUf.exe

Function 00402189 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
fileCOMMON

Function 00408820 Relevance: 6.3, APIs: 5, Instructions: 32
memoryCOMMON

Function 0040881F Relevance: 6.3, APIs: 5, Instructions: 31
memoryCOMMON

Function 00408F60 Relevance: 6.1, APIs: 4, Instructions: 51
fileCOMMON

Function 00409110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
fileCOMMON

Function 00401F10 Relevance: 4.5, APIs: 3, Instructions: 43
processCOMMON

Function 0040900F Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Function 00409010 Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Function 00409090 Relevance: 4.5, APIs: 3, Instructions: 22
COMMON

Function 0040904F Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 00409050 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 00409D90 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Function 00409EC0 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Function 00409C10 Relevance: 3.8, Strings: 3, Instructions: 59
COMMON

Function 00409CD0 Relevance: 3.8, Strings: 3, Instructions: 59
COMMON